From c6758c94b33fd1f2f23b9b27ed2b2b84a39dc1f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Przemys=C5=82aw=20Golicz?=
Date: Wed, 11 Dec 2024 18:06:36 +0100
Subject: [PATCH] RBAC Migration code updates

---
 hack/runtime-migrator/cmd/migration.go | 1 -
 .../internal/runtime/migrator.go | 24 +++++++++++++++----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/hack/runtime-migrator/cmd/migration.go b/hack/runtime-migrator/cmd/migration.go
index 9de9e56a..3226cbec 100644
--- a/hack/runtime-migrator/cmd/migration.go
+++ b/hack/runtime-migrator/cmd/migration.go
@@ -47,7 +47,6 @@ func NewMigration(migratorConfig config2.Config, converterConfig config.Converte
 }
 func (m Migration) Do(ctx context.Context, runtimeIDs []string) error {
-
 listCtx, cancel := context.WithTimeout(ctx, timeoutK8sOperation)
 defer cancel()
diff --git a/hack/runtime-migrator/internal/runtime/migrator.go b/hack/runtime-migrator/internal/runtime/migrator.go
index 8f61b651..5b008f52 100644
--- a/hack/runtime-migrator/internal/runtime/migrator.go
+++ b/hack/runtime-migrator/internal/runtime/migrator.go
@@ -3,13 +3,13 @@ package runtime
 import (
 "context"
 "fmt"
-
 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 v1 "github.com/kyma-project/infrastructure-manager/api/v1"
 migrator "github.com/kyma-project/infrastructure-manager/hack/runtime-migrator-app/internal/config"
 "github.com/kyma-project/infrastructure-manager/pkg/config"
 "github.com/kyma-project/infrastructure-manager/pkg/gardener/kubeconfig"
 "github.com/pkg/errors"
+ rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/kubernetes"
@@ -145,10 +145,26 @@ func getAdministratorsList(ctx context.Context, provider kubeconfig.Provider, sh
 })
 subjects := make([]string, 0)
-
 for _, clusterRoleBinding := range clusterRoleBindings.Items {
- for _, subject := range clusterRoleBinding.Subjects {
- subjects = append(subjects, subject.Name)
+ // We are interested only in cluster-admin role
+ if clusterRoleBinding.RoleRef.Kind == "ClusterRole" && clusterRoleBinding.RoleRef.Name == "cluster-admin" {
+ willMigrate := false
+ for _, subject := range clusterRoleBinding.Subjects {
+ // We are interested only in users
+ if subject.Kind == rbacv1.UserKind {
+ subjects = append(subjects, subject.Name)
+ willMigrate = true
+ }
+ }
+
+ if willMigrate {
+ clusterRoleBinding.ObjectMeta.Labels["kyma-project.io/deprecation"] = "this ClusterRoleBinding is deprecated and will be removed in next days"
+ _, err := clientset.RbacV1().ClusterRoleBindings().Update(ctx, &clusterRoleBinding, metav1.UpdateOptions{})
+
+ if err != nil {
+ return []string{}, errors.Wrap(err, fmt.Sprintf("Failed to update ClusterRoleBinding with deprecation label %s", clusterRoleBinding.Name))
+ }
+ }
 }
 }
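Review bot: The deprecation marker written in the `if willMigrate` branch cannot be stored as a label: Kubernetes label values are limited to 63 characters drawn from alphanumerics, `-`, `_` and `.`, so this 70-character sentence with spaces should fail API validation, making `Update` return an error for every cluster that has a user bound to cluster-admin. The same assignment writes into `ObjectMeta.Labels` without a nil check, which panics on a binding that carries no labels. Guard the map with `if clusterRoleBinding.Labels == nil { clusterRoleBinding.Labels = map[string]string{} }` and store a short value such as `clusterRoleBinding.Labels["kyma-project.io/deprecation"] = "true"`, moving the explanatory sentence to an annotation if it is still wanted. Because the list helper now modifies RBAC objects on the target cluster and skips Group and ServiceAccount subjects of cluster-admin bindings, a doc comment on getAdministratorsList (which starts and ends outside this hunk) stating both effects would help anyone auditing the migration.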