// Copyright (C) 2021 ScyllaDB
package nodeconfig
import (
"context"
"fmt"
"github.com/scylladb/scylla-operator/pkg/resourceapply"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
)
// makeClusterRoles returns the complete set of ClusterRoles this controller
// wants to exist. Currently that is the single role produced by
// NodeConfigClusterRole().
//
// The returned list is the allow-list used by pruneClusterRoles: any
// ClusterRole handed to the sync that is not named here gets deleted.
func (ncc *Controller) makeClusterRoles() []*rbacv1.ClusterRole {
	return []*rbacv1.ClusterRole{
		NodeConfigClusterRole(),
	}
}
// pruneClusterRoles deletes every ClusterRole in clusterRoles whose name does
// not match one of requiredClusterRoles.
//
// ClusterRoles that already carry a DeletionTimestamp are skipped. Each delete
// is issued with a UID precondition, so the API server rejects the request if
// the named object has been replaced by a different one since it was observed,
// and with background propagation. Failures do not stop the loop; all delete
// errors are collected and returned as one aggregate (nil when there are none).
//
// NOTE(review): nothing in this function checks labels or ownership; it removes
// whatever it is given that is not required. Since ClusterRoles are
// cluster-scoped RBAC objects, confirm the caller only passes roles that this
// controller manages.
func (ncc *Controller) pruneClusterRoles(ctx context.Context, requiredClusterRoles []*rbacv1.ClusterRole, clusterRoles map[string]*rbacv1.ClusterRole) error {
	// nameIsRequired reports whether a role with the given name is in the
	// required set. It is evaluated lazily, per candidate, like a nested loop.
	nameIsRequired := func(name string) bool {
		for _, wanted := range requiredClusterRoles {
			if wanted.Name == name {
				return true
			}
		}
		return false
	}

	var deleteErrs []error
	for _, existing := range clusterRoles {
		// Leave alone anything already terminating or still wanted.
		if existing.DeletionTimestamp != nil || nameIsRequired(existing.Name) {
			continue
		}

		policy := metav1.DeletePropagationBackground
		opts := metav1.DeleteOptions{
			// Bind the delete to the exact object we observed, not just its name.
			Preconditions: &metav1.Preconditions{
				UID: &existing.UID,
			},
			PropagationPolicy: &policy,
		}
		if err := ncc.kubeClient.RbacV1().ClusterRoles().Delete(ctx, existing.Name, opts); err != nil {
			deleteErrs = append(deleteErrs, err)
		}
	}

	return utilerrors.NewAggregate(deleteErrs)
}
// syncClusterRoles reconciles the given ClusterRoles against the set returned
// by makeClusterRoles.
//
// It first prunes ClusterRoles that are no longer required and returns
// immediately if pruning fails. It then applies every required ClusterRole via
// resourceapply.ApplyClusterRole, collecting apply errors and returning them as
// one aggregate (nil when every apply succeeded).
//
// NOTE(review): AllowMissingControllerRef is set for every apply. Presumably
// this lets the apply proceed on a ClusterRole that has no controller owner
// reference; if so, a pre-existing ClusterRole with the same name would have
// its rules taken over by this controller. Confirm against resourceapply.
func (ncc *Controller) syncClusterRoles(ctx context.Context, clusterRoles map[string]*rbacv1.ClusterRole) error {
	desired := ncc.makeClusterRoles()

	// Remove surplus ClusterRoles before creating anything: deleting first
	// avoids getting stuck on quota.
	pruneErr := ncc.pruneClusterRoles(ctx, desired, clusterRoles)
	if pruneErr != nil {
		return fmt.Errorf("can't delete ClusterRole(s): %w", pruneErr)
	}

	applyOpts := resourceapply.ApplyOptions{
		AllowMissingControllerRef: true,
	}

	var applyErrs []error
	for _, wanted := range desired {
		// Only the error matters here; the other two results are discarded.
		if _, _, err := resourceapply.ApplyClusterRole(ctx, ncc.kubeClient.RbacV1(), ncc.clusterRoleLister, ncc.eventRecorder, wanted, applyOpts); err != nil {
			applyErrs = append(applyErrs, fmt.Errorf("can't create missing clusterrole: %w", err))
		}
	}

	return utilerrors.NewAggregate(applyErrs)
}