forked from kubernetes/kubernetes
-
Notifications
You must be signed in to change notification settings - Fork 0
/
unjoin.go
333 lines (287 loc) · 11.7 KB
/
unjoin.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubefed
import (
"fmt"
"io"
"net/url"
"strings"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
federationapi "k8s.io/kubernetes/federation/apis/federation/v1beta1"
"k8s.io/kubernetes/federation/pkg/kubefed/util"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
"k8s.io/kubernetes/pkg/kubectl"
"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
"k8s.io/kubernetes/pkg/kubectl/resource"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
)
var (
unjoin_long = templates.LongDesc(`
Unjoin a cluster from a federation.
Current context is assumed to be a federation endpoint.
Please use the --context flag otherwise.`)
unjoin_example = templates.Examples(`
# Unjoin the specified cluster from a federation.
# Federation control plane's host cluster context name
# must be specified via the --host-cluster-context flag
# to properly cleanup the credentials.
kubectl unjoin foo --host-cluster-context=bar --cluster-context=baz`)
)
type unjoinFederation struct {
commonOptions util.SubcommandOptions
options unjoinFederationOptions
}
type unjoinFederationOptions struct {
clusterContext string
}
func (o *unjoinFederationOptions) Bind(flags *pflag.FlagSet) {
flags.StringVar(&o.clusterContext, "cluster-context", "", "Name of the cluster's context in the local kubeconfig. Defaults to cluster name if unspecified.")
}
// NewCmdUnjoin defines the `unjoin` command that removes a cluster
// from a federation.
func NewCmdUnjoin(f cmdutil.Factory, cmdOut, cmdErr io.Writer, config util.AdminConfig) *cobra.Command {
opts := &unjoinFederation{}
cmd := &cobra.Command{
Use: "unjoin CLUSTER_NAME --host-cluster-context=HOST_CONTEXT",
Short: "Unjoin a cluster from a federation",
Long: unjoin_long,
Example: unjoin_example,
Run: func(cmd *cobra.Command, args []string) {
cmdutil.CheckErr(opts.commonOptions.SetName(cmd, args))
cmdutil.CheckErr(opts.Run(f, cmdOut, cmdErr, config))
},
}
flags := cmd.Flags()
opts.commonOptions.Bind(flags)
opts.options.Bind(flags)
return cmd
}
// unjoinFederation is the implementation of the `unjoin` command.
func (u *unjoinFederation) Run(f cmdutil.Factory, cmdOut, cmdErr io.Writer, config util.AdminConfig) error {
if u.options.clusterContext == "" {
u.options.clusterContext = u.commonOptions.Name
}
cluster, err := popCluster(f, u.commonOptions.Name)
if err != nil {
return err
}
if cluster == nil {
fmt.Fprintf(cmdErr, "WARNING: cluster %q not found in federation, so its credentials' secret couldn't be deleted", u.commonOptions.Name)
return nil
}
// We want a separate client factory to communicate with the
// federation host cluster. See join_federation.go for details.
hostFactory := config.ClusterFactory(u.commonOptions.Host, u.commonOptions.Kubeconfig)
hostClientset, err := hostFactory.ClientSet()
if err != nil {
return err
}
secretName := cluster.Spec.SecretRef.Name
secret, err := hostClientset.Core().Secrets(u.commonOptions.FederationSystemNamespace).Get(secretName, metav1.GetOptions{})
if isNotFound(err) {
// If this is the case, we cannot get the cluster clientset to delete the
// config map from that cluster and obviously cannot delete the not existing secret.
// We just publish the warning as cluster has already been removed from federation.
fmt.Fprintf(cmdErr, "WARNING: secret %q not found in the host cluster, so it couldn't be deleted. Cluster has already been removed from the federation.", secretName)
return nil
} else if err != nil {
fmt.Fprintf(cmdErr, "WARNING: Error retrieving secret from the base cluster")
return err
}
unjoiningClusterFactory := config.ClusterFactory(u.options.clusterContext, u.commonOptions.Kubeconfig)
unjoiningClusterClientset, err := unjoiningClusterFactory.ClientSet()
outerErr := err
if err != nil {
// Attempt to get a clientset using information from the cluster.
unjoiningClusterClientset, err = getClientsetFromCluster(secret, cluster)
if err != nil {
return fmt.Errorf("unable to get clientset from kubeconfig or cluster: %v, %v", outerErr, err)
}
}
err = deleteSecret(hostClientset, cluster.Spec.SecretRef.Name, u.commonOptions.FederationSystemNamespace)
if err != nil {
fmt.Fprintf(cmdErr, "WARNING: secret %q could not be deleted: %v", secretName, err)
// We anyways continue to try and delete the config map but with above warning
}
// We need to ensure updating the config map created in the deregistered cluster
// This configmap was created/updated when the cluster joined this federation to aid
// the kube-dns of that cluster to aid service discovery.
err = updateConfigMapFromCluster(hostClientset, unjoiningClusterClientset, u.commonOptions.FederationSystemNamespace)
if err != nil {
fmt.Fprintf(cmdErr, "WARNING: Encountered error in deleting kube-dns configmap: %v", err)
// We anyways continue to print success message but with above warning
}
// Delete the service account in the unjoining cluster.
err = deleteServiceAccountFromCluster(unjoiningClusterClientset, cluster, u.commonOptions.FederationSystemNamespace)
if err != nil {
fmt.Fprintf(cmdErr, "WARNING: Encountered error in deleting service account: %v", err)
return err
}
// Delete the cluster role and role binding in the unjoining cluster.
err = deleteClusterRoleBindingFromCluster(unjoiningClusterClientset, cluster)
if err != nil {
fmt.Fprintf(cmdErr, "WARNING: Encountered error in deleting cluster role bindings: %v", err)
return err
}
_, err = fmt.Fprintf(cmdOut, "Successfully removed cluster %q from federation\n", u.commonOptions.Name)
return err
}
// popCluster fetches the cluster object with the given name, deletes
// it and returns the deleted cluster object.
func popCluster(f cmdutil.Factory, name string) (*federationapi.Cluster, error) {
mapper, typer := f.Object()
gvks, _, err := typer.ObjectKinds(&federationapi.Cluster{})
if err != nil {
return nil, err
}
gvk := gvks[0]
mapping, err := mapper.RESTMapping(schema.GroupKind{Group: gvk.Group, Kind: gvk.Kind}, gvk.Version)
if err != nil {
return nil, err
}
client, err := f.ClientForMapping(mapping)
if err != nil {
return nil, err
}
rh := resource.NewHelper(client, mapping)
obj, err := rh.Get("", name, false)
if isNotFound(err) {
// Cluster isn't registered, there isn't anything to be done here.
return nil, nil
} else if err != nil {
return nil, err
}
cluster, ok := obj.(*federationapi.Cluster)
if !ok {
return nil, fmt.Errorf("unexpected object type: expected \"federation/v1beta1.Cluster\", got %T: obj: %#v", obj, obj)
}
// Remove the cluster resource in the federation API server by
// calling rh.Delete()
return cluster, rh.Delete("", name)
}
func updateConfigMapFromCluster(hostClientset, unjoiningClusterClientset internalclientset.Interface, fedSystemNamespace string) error {
cmDep, err := getCMDeployment(hostClientset, fedSystemNamespace)
if err != nil {
return err
}
domainMap, ok := cmDep.Annotations[util.FedDomainMapKey]
if !ok {
return fmt.Errorf("kube-dns config map data missing from controller manager annotations")
}
configMap, err := unjoiningClusterClientset.Core().ConfigMaps(metav1.NamespaceSystem).Get(util.KubeDnsConfigmapName, metav1.GetOptions{})
if err != nil {
return err
}
needUpdate := false
if _, ok := configMap.Data[util.FedDomainMapKey]; ok {
configMap.Data[util.FedDomainMapKey] = removeConfigMapString(configMap.Data[util.FedDomainMapKey], domainMap)
needUpdate = true
}
if _, ok := configMap.Data[util.KubeDnsStubDomains]; ok {
delete(configMap.Data, util.KubeDnsStubDomains)
needUpdate = true
}
if needUpdate {
_, err = unjoiningClusterClientset.Core().ConfigMaps(metav1.NamespaceSystem).Update(configMap)
}
return err
}
// deleteSecret deletes the secret with the given name from the host
// cluster.
func deleteSecret(clientset internalclientset.Interface, name, namespace string) error {
orphanDependents := false
return clientset.Core().Secrets(namespace).Delete(name, &metav1.DeleteOptions{OrphanDependents: &orphanDependents})
}
// isNotFound checks if the given error is a NotFound status error.
func isNotFound(err error) bool {
statusErr := err
if urlErr, ok := err.(*url.Error); ok {
statusErr = urlErr.Err
}
return errors.IsNotFound(statusErr)
}
func getClientsetFromCluster(secret *api.Secret, cluster *federationapi.Cluster) (*internalclientset.Clientset, error) {
serverAddress, err := util.GetServerAddress(cluster)
if err != nil {
return nil, err
}
if serverAddress == "" {
return nil, fmt.Errorf("failed to get server address for the cluster: %s", cluster.Name)
}
clientset, err := util.GetClientsetFromSecret(secret, serverAddress)
if err != nil {
return nil, err
}
if clientset == nil {
// There is a possibility that the clientset is nil without any error reported
return nil, fmt.Errorf("failed for get client to access cluster: %s", cluster.Name)
}
return clientset, nil
}
// removeConfigMapString returns an empty string if last value is removed
// or returns the remaining comma separated strings minus the one to be removed
func removeConfigMapString(str string, toRemove string) string {
if str == "" {
return ""
}
values := strings.Split(str, ",")
if len(values) == 1 {
if values[0] == toRemove {
return ""
} else {
// Somehow our federation string is not here
// Dont do anything further
return values[0]
}
}
for i, v := range values {
if v == toRemove {
values = append(values[:i], values[i+1:]...)
break
}
}
return strings.Join(values, ",")
}
// deleteServiceAccountFromCluster removes the service account that the federation control plane uses
// to access the cluster from the cluster that is leaving the federation.
func deleteServiceAccountFromCluster(unjoiningClusterClientset internalclientset.Interface, cluster *federationapi.Cluster, fedSystemNamespace string) error {
serviceAccountName, ok := cluster.ObjectMeta.Annotations[kubectl.ServiceAccountNameAnnotation]
if !ok {
// If there is no service account name annotation, assume that this cluster does not have a federation control plane service account.
return nil
}
return unjoiningClusterClientset.Core().ServiceAccounts(fedSystemNamespace).Delete(serviceAccountName, &metav1.DeleteOptions{})
}
// deleteClusterRoleBindingFromCluster deletes the ClusterRole and ClusterRoleBinding from the
// cluster that is leaving the federation.
func deleteClusterRoleBindingFromCluster(unjoiningClusterClientset internalclientset.Interface, cluster *federationapi.Cluster) error {
clusterRoleName, ok := cluster.ObjectMeta.Annotations[kubectl.ClusterRoleNameAnnotation]
if !ok {
// If there is no cluster role name annotation, assume that this cluster does not have cluster role bindings.
return nil
}
err := unjoiningClusterClientset.Rbac().ClusterRoleBindings().Delete(clusterRoleName, &metav1.DeleteOptions{})
if err != nil && !errors.IsMethodNotSupported(err) && !errors.IsNotFound(err) {
return err
}
err = unjoiningClusterClientset.Rbac().ClusterRoles().Delete(clusterRoleName, &metav1.DeleteOptions{})
if err != nil && !errors.IsMethodNotSupported(err) && !errors.IsNotFound(err) {
return err
}
return nil
}