sync_clusterrolebindings.go
// Copyright (C) 2021 ScyllaDB
package nodeconfig
import (
"context"
"fmt"
"github.com/scylladb/scylla-operator/pkg/resourceapply"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
)
// makeClusterRoleBindings returns the set of ClusterRoleBindings this
// controller requires. syncClusterRoleBindings uses the result both as the
// list of objects to apply and as the keep-list when pruning, so every entry
// added here becomes a cluster-wide RBAC grant that is reconciled on each sync.
func (ncc *Controller) makeClusterRoleBindings() []*rbacv1.ClusterRoleBinding {
	return []*rbacv1.ClusterRoleBinding{
		makeNodeConfigClusterRoleBinding(),
	}
}
// pruneClusterRoleBindings deletes every ClusterRoleBinding in
// clusterRoleBindings whose name does not match one of
// requiredClusterRoleBindings. Bindings that already carry a
// DeletionTimestamp are skipped.
//
// Individual delete failures do not stop the loop; they are collected and
// returned as one aggregate error (nil when nothing failed).
//
// NOTE(review): anything in clusterRoleBindings that is not required is
// deleted cluster-wide, so the caller must pass only bindings this controller
// manages. How the map is selected is not visible here; confirm it is scoped
// (for example by label selector or ownership).
func (ncc *Controller) pruneClusterRoleBindings(ctx context.Context, requiredClusterRoleBindings []*rbacv1.ClusterRoleBinding, clusterRoleBindings map[string]*rbacv1.ClusterRoleBinding) error {
	var deleteErrs []error

candidates:
	for _, existing := range clusterRoleBindings {
		// Already being deleted; nothing to do.
		if existing.DeletionTimestamp != nil {
			continue
		}

		// Matching is by name only.
		for _, required := range requiredClusterRoleBindings {
			if existing.Name == required.Name {
				continue candidates
			}
		}

		background := metav1.DeletePropagationBackground
		opts := metav1.DeleteOptions{
			// The UID precondition ties the delete to the exact object that
			// was observed, so a binding recreated under the same name in the
			// meantime is not removed by mistake.
			Preconditions: &metav1.Preconditions{
				UID: &existing.UID,
			},
			PropagationPolicy: &background,
		}
		if err := ncc.kubeClient.RbacV1().ClusterRoleBindings().Delete(ctx, existing.Name, opts); err != nil {
			deleteErrs = append(deleteErrs, err)
		}
	}

	return utilerrors.NewAggregate(deleteErrs)
}
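// syncClusterRoleBindings reconciles the cluster's ClusterRoleBindings with
// the set returned by makeClusterRoleBindings.
//
// It first prunes every binding in clusterRoleBindings that is not required,
// then applies each required binding. A prune failure aborts the sync before
// anything is applied. Apply failures are collected per binding and returned
// as one aggregate error (nil when nothing failed).
//
// NOTE(review): clusterRoleBindings is handed to the pruning step unchanged,
// so it must contain only bindings managed by this controller. Confirm the
// caller's selection is scoped accordingly.
func (ncc *Controller) syncClusterRoleBindings(
	ctx context.Context,
	clusterRoleBindings map[string]*rbacv1.ClusterRoleBinding,
) error {
	requiredClusterRoleBindings := ncc.makeClusterRoleBindings()

	// Delete any excessive ClusterRoleBindings.
	// Delete has to be the first action to avoid getting stuck on quota.
	if err := ncc.pruneClusterRoleBindings(ctx, requiredClusterRoleBindings, clusterRoleBindings); err != nil {
		return fmt.Errorf("can't delete ClusterRoleBinding(s): %w", err)
	}

	var errs []error
	for _, crb := range requiredClusterRoleBindings {
		// NOTE(review): AllowMissingControllerRef is set, presumably because
		// these bindings have no controller owner reference; confirm against
		// resourceapply.ApplyOptions.
		_, _, err := resourceapply.ApplyClusterRoleBinding(ctx, ncc.kubeClient.RbacV1(), ncc.clusterRoleBindingLister, ncc.eventRecorder, crb, resourceapply.ApplyOptions{
			AllowMissingControllerRef: true,
		})
		if err != nil {
			// Name the right kind and the object, so an RBAC failure is not
			// misattributed to a ClusterRole when reading logs or events.
			errs = append(errs, fmt.Errorf("can't create missing ClusterRoleBinding %q: %w", crb.Name, err))
		}
	}

	return utilerrors.NewAggregate(errs)
}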