From dab7541cc946a4d3c960a610f32a4b33908f58cc Mon Sep 17 00:00:00 2001 
From: Cory Latschkowski Date: Tue, 31 Oct 2023 17:25:40 -0500 Subject: [PATCH] update: rbac (#36) --- clusters/default/kustomization.yaml | 2 +- .../base/99-master-ssh-machineconfig.yaml | 0 .../base/99-worker-ssh-machineconfig.yaml | 0 .../machine-config/base/kustomization.yaml | 6 ++ .../hugepages-1g/hugepages-1g-mcp.yml | 0 .../hugepages-1g/hugepages-1g-ms.yml | 0 .../hugepages-1g-tuned-boottime.yml | 0 .../hugepages-2m/hugepages-2m-mc-50.yml | 0 .../hugepages-2m/hugepages-2m-mcp.yml | 0 .../hugepages-2m/hugepages-2m-ms.yml | 0 .../hugepages-2m-tuned-boottime.yml | 0 .../overlays/default/exclude-ssh-master.yaml | 5 ++ .../overlays/default/exclude-ssh-worker.yaml | 5 ++ .../overlays/default/kustomization.yaml | 9 ++ .../overlays/ssh-example/kustomization.yaml | 19 +++++ .../overlays/ssh-example}/patch-ssh.yaml | 0 .../namespace-cleanup/base/cleanup-cj.yaml | 85 +++++++++++++++++++ .../base/cleanup-rb.yaml} | 9 +- .../base/cleanup-sa.yaml} | 3 +- .../namespace-cleanup/base/kustomization.yaml | 7 ++ .../overlays/sandbox/kustomization.yaml | 39 +++++++++ .../namespaces/base/kustomization.yaml | 1 - .../instance/registry/rolebinding-edit.yaml | 2 +- .../instance/sandbox/group-admin.yaml | 6 -- .../instance/sandbox/kustomization.yaml | 1 - .../default-limited/kustomization.yaml | 7 -- .../cluster-admins-rolebinding-default.yaml} | 9 +- .../rbac/base/cluster-admins-rolebinding.yaml | 3 +- .../base/cluster-readers-rolebinding.yaml | 3 +- .../cluster/rbac/base/kustomization.yaml | 11 ++- .../self-provisioner-clusterrolebinding.yaml | 0 .../default/cluster-admins-custom-group.yaml | 7 -- .../cluster-admins-custom-rolebinding.yaml | 12 --- .../default/cluster-readers-custom-group.yaml | 6 -- .../cluster-readers-custom-rolebinding.yaml | 12 --- .../default/exclude-self-provisioner.yaml | 5 ++ .../rbac/overlays/default/kustomization.yaml | 13 +-- .../rhdp/cluster-admins-custom-group.yaml | 7 -- .../rhdp/cluster-readers-custom-group.yaml | 8 -- 
.../cluster-readers-custom-rolebinding.yaml | 12 --- .../rbac/overlays/rhdp/kustomization.yaml | 9 -- .../rbac/overlays/workshop/kustomization.yaml | 16 ++++ .../workshop}/workshop-admins-group.yaml | 0 .../workshop}/workshop-users-group.yaml | 0 .../sandbox-cleanup/kustomization.yaml | 7 -- .../sandbox-cleanup/sandbox-cleanup-cj.yaml | 58 ------------- 46 files changed, 221 insertions(+), 183 deletions(-) rename components/configs/cluster/{rbac => machine-config}/base/99-master-ssh-machineconfig.yaml (100%) rename components/configs/cluster/{rbac => machine-config}/base/99-worker-ssh-machineconfig.yaml (100%) create mode 100644 components/configs/cluster/machine-config/base/kustomization.yaml rename components/configs/cluster/machine-config/{ => dump}/hugepages-1g/hugepages-1g-mcp.yml (100%) rename components/configs/cluster/machine-config/{ => dump}/hugepages-1g/hugepages-1g-ms.yml (100%) rename components/configs/cluster/machine-config/{ => dump}/hugepages-1g/hugepages-1g-tuned-boottime.yml (100%) rename components/configs/cluster/machine-config/{ => dump}/hugepages-2m/hugepages-2m-mc-50.yml (100%) rename components/configs/cluster/machine-config/{ => dump}/hugepages-2m/hugepages-2m-mcp.yml (100%) rename components/configs/cluster/machine-config/{ => dump}/hugepages-2m/hugepages-2m-ms.yml (100%) rename components/configs/cluster/machine-config/{ => dump}/hugepages-2m/hugepages-2m-tuned-boottime.yml (100%) create mode 100644 components/configs/cluster/machine-config/overlays/default/exclude-ssh-master.yaml create mode 100644 components/configs/cluster/machine-config/overlays/default/exclude-ssh-worker.yaml create mode 100644 components/configs/cluster/machine-config/overlays/default/kustomization.yaml create mode 100644 components/configs/cluster/machine-config/overlays/ssh-example/kustomization.yaml rename components/configs/cluster/{rbac/overlays/default => machine-config/overlays/ssh-example}/patch-ssh.yaml (100%) create mode 100644 
components/configs/cluster/namespace-cleanup/base/cleanup-cj.yaml rename components/configs/cluster/{sandbox-cleanup/sandbox-cleanup-rb.yaml => namespace-cleanup/base/cleanup-rb.yaml} (64%) rename components/configs/cluster/{sandbox-cleanup/sandbox-cleanup-sa.yaml => namespace-cleanup/base/cleanup-sa.yaml} (67%) create mode 100644 components/configs/cluster/namespace-cleanup/base/kustomization.yaml create mode 100644 components/configs/cluster/namespace-cleanup/overlays/sandbox/kustomization.yaml delete mode 100644 components/configs/cluster/namespaces/instance/sandbox/group-admin.yaml rename components/configs/cluster/rbac/{overlays/rhdp/cluster-admins-custom-rolebinding.yaml => base/cluster-admins-rolebinding-default.yaml} (52%) rename components/configs/cluster/{namespaces => rbac}/base/self-provisioner-clusterrolebinding.yaml (100%) delete mode 100644 components/configs/cluster/rbac/overlays/default/cluster-admins-custom-group.yaml delete mode 100644 components/configs/cluster/rbac/overlays/default/cluster-admins-custom-rolebinding.yaml delete mode 100644 components/configs/cluster/rbac/overlays/default/cluster-readers-custom-group.yaml delete mode 100644 components/configs/cluster/rbac/overlays/default/cluster-readers-custom-rolebinding.yaml create mode 100644 components/configs/cluster/rbac/overlays/default/exclude-self-provisioner.yaml delete mode 100644 components/configs/cluster/rbac/overlays/rhdp/cluster-admins-custom-group.yaml delete mode 100644 components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-group.yaml delete mode 100644 components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-rolebinding.yaml delete mode 100644 components/configs/cluster/rbac/overlays/rhdp/kustomization.yaml create mode 100644 components/configs/cluster/rbac/overlays/workshop/kustomization.yaml rename components/configs/cluster/rbac/{base => overlays/workshop}/workshop-admins-group.yaml (100%) rename components/configs/cluster/rbac/{base => 
overlays/workshop}/workshop-users-group.yaml (100%) delete mode 100644 components/configs/cluster/sandbox-cleanup/kustomization.yaml delete mode 100644 components/configs/cluster/sandbox-cleanup/sandbox-cleanup-cj.yaml
diff --git a/clusters/default/kustomization.yaml b/clusters/default/kustomization.yaml
index 35020171..a7dfef3c 100644
--- a/clusters/default/kustomization.yaml
+++ b/clusters/default/kustomization.yaml
@@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../components/configs/cluster/sandbox-cleanup
 - ../../components/operators/web-terminal/operator/overlays/fast
 - ../../components/configs/cluster/web-terminal/overlays/enhanced
+- ../../components/configs/cluster/namespace-cleanup/overlays/sandbox
 - ../../components/configs/cluster/namespaces/overlays/default
 - ../../components/configs/cluster/console/overlays/default
 - ../../components/configs/cluster/rbac/overlays/default
diff --git a/components/configs/cluster/rbac/base/99-master-ssh-machineconfig.yaml b/components/configs/cluster/machine-config/base/99-master-ssh-machineconfig.yaml
similarity index 100%
rename from components/configs/cluster/rbac/base/99-master-ssh-machineconfig.yaml
rename to components/configs/cluster/machine-config/base/99-master-ssh-machineconfig.yaml
diff --git a/components/configs/cluster/rbac/base/99-worker-ssh-machineconfig.yaml b/components/configs/cluster/machine-config/base/99-worker-ssh-machineconfig.yaml
similarity index 100%
rename from components/configs/cluster/rbac/base/99-worker-ssh-machineconfig.yaml
rename to components/configs/cluster/machine-config/base/99-worker-ssh-machineconfig.yaml
diff --git a/components/configs/cluster/machine-config/base/kustomization.yaml b/components/configs/cluster/machine-config/base/kustomization.yaml
new file mode 100644
index 00000000..9ab56c59
--- /dev/null
+++ b/components/configs/cluster/machine-config/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - 99-master-ssh-machineconfig.yaml
+ - 99-worker-ssh-machineconfig.yaml
diff --git a/components/configs/cluster/machine-config/hugepages-1g/hugepages-1g-mcp.yml b/components/configs/cluster/machine-config/dump/hugepages-1g/hugepages-1g-mcp.yml
similarity index 100%
rename from components/configs/cluster/machine-config/hugepages-1g/hugepages-1g-mcp.yml
rename to components/configs/cluster/machine-config/dump/hugepages-1g/hugepages-1g-mcp.yml
diff --git a/components/configs/cluster/machine-config/hugepages-1g/hugepages-1g-ms.yml b/components/configs/cluster/machine-config/dump/hugepages-1g/hugepages-1g-ms.yml
similarity index 100%
rename from components/configs/cluster/machine-config/hugepages-1g/hugepages-1g-ms.yml
rename to components/configs/cluster/machine-config/dump/hugepages-1g/hugepages-1g-ms.yml
diff --git a/components/configs/cluster/machine-config/hugepages-1g/hugepages-1g-tuned-boottime.yml b/components/configs/cluster/machine-config/dump/hugepages-1g/hugepages-1g-tuned-boottime.yml
similarity index 100%
rename from components/configs/cluster/machine-config/hugepages-1g/hugepages-1g-tuned-boottime.yml
rename to components/configs/cluster/machine-config/dump/hugepages-1g/hugepages-1g-tuned-boottime.yml
diff --git a/components/configs/cluster/machine-config/hugepages-2m/hugepages-2m-mc-50.yml b/components/configs/cluster/machine-config/dump/hugepages-2m/hugepages-2m-mc-50.yml
similarity index 100%
rename from components/configs/cluster/machine-config/hugepages-2m/hugepages-2m-mc-50.yml
rename to components/configs/cluster/machine-config/dump/hugepages-2m/hugepages-2m-mc-50.yml
diff --git a/components/configs/cluster/machine-config/hugepages-2m/hugepages-2m-mcp.yml b/components/configs/cluster/machine-config/dump/hugepages-2m/hugepages-2m-mcp.yml
similarity index 100%
rename from components/configs/cluster/machine-config/hugepages-2m/hugepages-2m-mcp.yml
rename to components/configs/cluster/machine-config/dump/hugepages-2m/hugepages-2m-mcp.yml
diff --git a/components/configs/cluster/machine-config/hugepages-2m/hugepages-2m-ms.yml b/components/configs/cluster/machine-config/dump/hugepages-2m/hugepages-2m-ms.yml
similarity index 100%
rename from components/configs/cluster/machine-config/hugepages-2m/hugepages-2m-ms.yml
rename to components/configs/cluster/machine-config/dump/hugepages-2m/hugepages-2m-ms.yml
diff --git a/components/configs/cluster/machine-config/hugepages-2m/hugepages-2m-tuned-boottime.yml b/components/configs/cluster/machine-config/dump/hugepages-2m/hugepages-2m-tuned-boottime.yml
similarity index 100%
rename from components/configs/cluster/machine-config/hugepages-2m/hugepages-2m-tuned-boottime.yml
rename to components/configs/cluster/machine-config/dump/hugepages-2m/hugepages-2m-tuned-boottime.yml
diff --git a/components/configs/cluster/machine-config/overlays/default/exclude-ssh-master.yaml b/components/configs/cluster/machine-config/overlays/default/exclude-ssh-master.yaml
new file mode 100644
index 00000000..66af934a
--- /dev/null
+++ b/components/configs/cluster/machine-config/overlays/default/exclude-ssh-master.yaml
@@ -0,0 +1,5 @@
+$patch: delete
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ name: 99-master-ssh
diff --git a/components/configs/cluster/machine-config/overlays/default/exclude-ssh-worker.yaml b/components/configs/cluster/machine-config/overlays/default/exclude-ssh-worker.yaml
new file mode 100644
index 00000000..1bd581e9
--- /dev/null
+++ b/components/configs/cluster/machine-config/overlays/default/exclude-ssh-worker.yaml
@@ -0,0 +1,5 @@
+$patch: delete
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ name: 99-worker-ssh
diff --git a/components/configs/cluster/machine-config/overlays/default/kustomization.yaml b/components/configs/cluster/machine-config/overlays/default/kustomization.yaml
new file mode 100644
index 00000000..34ebb3df
--- /dev/null
+++ b/components/configs/cluster/machine-config/overlays/default/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - path: exclude-ssh-master.yaml
+ - path: exclude-ssh-worker.yaml
diff --git a/components/configs/cluster/machine-config/overlays/ssh-example/kustomization.yaml b/components/configs/cluster/machine-config/overlays/ssh-example/kustomization.yaml
new file mode 100644
index 00000000..45a5961b
--- /dev/null
+++ b/components/configs/cluster/machine-config/overlays/ssh-example/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ group: machineconfiguration.openshift.io
+ version: v1
+ kind: MachineConfig
+ name: 99-master-ssh
+ path: patch-ssh.yaml
+ - target:
+ group: machineconfiguration.openshift.io
+ version: v1
+ kind: MachineConfig
+ name: 99-worker-ssh
+ path: patch-ssh.yaml
diff --git a/components/configs/cluster/rbac/overlays/default/patch-ssh.yaml b/components/configs/cluster/machine-config/overlays/ssh-example/patch-ssh.yaml
similarity index 100%
rename from components/configs/cluster/rbac/overlays/default/patch-ssh.yaml
rename to components/configs/cluster/machine-config/overlays/ssh-example/patch-ssh.yaml
diff --git a/components/configs/cluster/namespace-cleanup/base/cleanup-cj.yaml b/components/configs/cluster/namespace-cleanup/base/cleanup-cj.yaml
new file mode 100644
index 00000000..bf304963
--- /dev/null
+++ b/components/configs/cluster/namespace-cleanup/base/cleanup-cj.yaml
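Review bot: machine-config/base ships both SSH-related MachineConfigs unconditionally (their content is not in this diff) and this default overlay has to `$patch: delete` them again, so any future overlay, or anyone building base directly, applies them to the master and worker pools by default. Moving 99-master-ssh-machineconfig.yaml and 99-worker-ssh-machineconfig.yaml out of base into the ssh-example overlay's `resources:` would make the safe configuration the default and drop exclude-ssh-master.yaml and exclude-ssh-worker.yaml entirely. The same opt-out pattern appears in rbac/overlays/default with exclude-self-provisioner.yaml further down this diff.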
@@ -0,0 +1,85 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: namespace-cleanup
+ namespace: openshift-config
+spec:
+ schedule: "0 12 * * 6"
+ successfulJobsHistoryLimit: 3 # Remove after successful completion
+ failedJobsHistoryLimit: 1 # Retain failed so that we see it
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: namespace-cleanup
+ containers:
+ - name: namespace-cleanup
+ image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
+ env:
+ - name: OBJECTS
+ value: all,cm,secret,pvc,dw,pipeline,el
+ - name: TARGET_NS
+ value: sandbox
+ command:
+ - bash
+ - -c
+ - |
+ #!/bin/sh
+
+ k8s_null_finalizers(){
+ OBJ=${1}
+ [ -z ${OBJ+x} ] && return 1
+
+ NAMESPACE=${NAMESPACE:-$(oc project -q)}
+
+ kubectl \
+ patch "${OBJ}" \
+ -n "${NAMESPACE}" \
+ --type=merge \
+ -p '{"metadata":{"finalizers":null}}'
+ }
+
+ k8s_get_most_api_resources(){
+ kubectl api-resources \
+ --verbs=list \
+ --namespaced \
+ -o name | \
+ grep -v "events.events.k8s.io" | \
+ grep -v "events" | \
+ grep -v "packagemanifests" | \
+ grep -v "operator.openshift.io" | \
+ grep -v "operators.coreos.com" | \
+ grep -v "authorization.openshift.io" | \
+ grep -v "serviceaccount" | \
+ grep -v "rbac" | \
+ sort | uniq
+ }
+
+ k8s_null_finalizers_for_all_resource_instances(){
+ RESOURCE=${1}
+ [ -z ${RESOURCE+x} ] && return 1
+
+ NAMESPACE=${NAMESPACE:-$(oc project -q)}
+
+ for OBJ in $(oc -n "${NAMESPACE}" get "${RESOURCE}" -o name)
+ do
+ k8s_null_finalizers "${OBJ}"
+ done
+ }
+
+ k8s_ns_delete_most_resources_force(){
+ NAMESPACE=${1:-sandbox}
+
+ for i in $(k8s_get_most_api_resources)
+ do
+ echo "Resource:" "${i}"
+ k8s_null_finalizers_for_all_resource_instances "${i}"
+ kubectl -n "${NAMESPACE}" \
+ delete "${i}" \
+ --all
+ done
+ }
+
+ k8s_ns_delete_most_resources_force "${TARGET_NS}"
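Review bot: k8s_ns_delete_most_resources_force strips finalizers from every object in the namespace (via k8s_null_finalizers_for_all_resource_instances) before the delete is even issued, so controllers never get to run their cleanup; protections such as the PVC-in-use finalizer and any operator-owned external resources are bypassed wholesale instead of only for objects that are actually stuck. Issue the delete first and null finalizers only on what remains, e.g. swap the two calls to `kubectl -n "${NAMESPACE}" delete "${i}" --all --wait=false` followed by `k8s_null_finalizers_for_all_resource_instances "${i}"`, ideally with a short wait in between. The `OBJECTS` env var is set but never read by the script; drop it or make k8s_get_most_api_resources honour it. `tools:latest` is a mutable tag for a job that runs with `edit` on the target namespace, so pin a versioned tag or digest. The `#!/bin/sh` line is inert inside `bash -c` and can go.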
diff --git a/components/configs/cluster/sandbox-cleanup/sandbox-cleanup-rb.yaml b/components/configs/cluster/namespace-cleanup/base/cleanup-rb.yaml
similarity index 64%
rename from components/configs/cluster/sandbox-cleanup/sandbox-cleanup-rb.yaml
rename to components/configs/cluster/namespace-cleanup/base/cleanup-rb.yaml
index 55758e6a..37a6ca31 100644
--- a/components/configs/cluster/sandbox-cleanup/sandbox-cleanup-rb.yaml
+++ b/components/configs/cluster/namespace-cleanup/base/cleanup-rb.yaml
@@ -1,12 +1,11 @@
-kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
- name: sandbox-cleanup
- namespace: sandbox
+ name: namespace-cleanup
 subjects:
 - kind: ServiceAccount
- name: sandbox-cleanup
- namespace: openshift-gitops
+ name: namespace-cleanup
+ namespace: openshift-config
 roleRef:
 kind: ClusterRole
 name: edit
diff --git a/components/configs/cluster/sandbox-cleanup/sandbox-cleanup-sa.yaml b/components/configs/cluster/namespace-cleanup/base/cleanup-sa.yaml
similarity index 67%
rename from components/configs/cluster/sandbox-cleanup/sandbox-cleanup-sa.yaml
rename to components/configs/cluster/namespace-cleanup/base/cleanup-sa.yaml
index 26494302..87a30bdb 100644
--- a/components/configs/cluster/sandbox-cleanup/sandbox-cleanup-sa.yaml
+++ b/components/configs/cluster/namespace-cleanup/base/cleanup-sa.yaml
@@ -3,4 +3,5 @@ kind: ServiceAccount
 metadata:
 annotations:
 argocd.argoproj.io/compare-options: IgnoreExtraneous
- name: sandbox-cleanup
+ name: namespace-cleanup
+ namespace: openshift-config
diff --git a/components/configs/cluster/namespace-cleanup/base/kustomization.yaml b/components/configs/cluster/namespace-cleanup/base/kustomization.yaml
new file mode 100644
index 00000000..85741c25
--- /dev/null
+++ b/components/configs/cluster/namespace-cleanup/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - cleanup-cj.yaml
+ - cleanup-rb.yaml
+ - cleanup-sa.yaml
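Review bot: The base RoleBinding in cleanup-rb.yaml no longer carries a `metadata.namespace` (the removed `namespace: sandbox` is not replaced on the new side), so building namespace-cleanup/base on its own grants `edit` to the openshift-config service account in whichever namespace the applier defaults to, and every overlay has to inject the namespace by patch. Keep a placeholder such as `namespace: sandbox` in base, or set `namespace:` in each overlay's kustomization, so the binding can never land in an unintended namespace. A one-line comment above `subjects:` stating that the service account lives in openshift-config while the binding is meant to be overlaid into the target namespace would make the split intentional to the next reader.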
diff --git a/components/configs/cluster/namespace-cleanup/overlays/sandbox/kustomization.yaml b/components/configs/cluster/namespace-cleanup/overlays/sandbox/kustomization.yaml
new file mode 100644
index 00000000..4efc1a32
--- /dev/null
+++ b/components/configs/cluster/namespace-cleanup/overlays/sandbox/kustomization.yaml
@@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+ cleanup: sandbox
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ group: batch
+ kind: CronJob
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: sandbox-cleanup
+ - op: replace
+ path: /spec/jobTemplate/spec/template/spec/serviceAccountName
+ value: sandbox-cleanup
+ - target:
+ group: rbac.authorization.k8s.io
+ kind: RoleBinding
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: sandbox-cleanup
+ - op: replace
+ path: /metadata/namespace
+ value: sandbox
+ - op: replace
+ path: /subjects/0/name
+ value: sandbox-cleanup
+ - target:
+ kind: ServiceAccount
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: sandbox-cleanup
diff --git a/components/configs/cluster/namespaces/base/kustomization.yaml b/components/configs/cluster/namespaces/base/kustomization.yaml
index 1031c744..e296ff36 100644
--- a/components/configs/cluster/namespaces/base/kustomization.yaml
+++ b/components/configs/cluster/namespaces/base/kustomization.yaml
@@ -4,4 +4,3 @@ kind: Kustomization
 resources:
 - cluster-config-project.yaml
 - project-request-template.yaml
- - self-provisioner-clusterrolebinding.yaml
diff --git a/components/configs/cluster/namespaces/instance/registry/rolebinding-edit.yaml b/components/configs/cluster/namespaces/instance/registry/rolebinding-edit.yaml
index 8aa9efd0..ef099945 100644
--- a/components/configs/cluster/namespaces/instance/registry/rolebinding-edit.yaml
+++ b/components/configs/cluster/namespaces/instance/registry/rolebinding-edit.yaml
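Review bot: The RoleBinding patch uses `op: replace` on `/metadata/namespace`, but the base cleanup-rb.yaml in this same diff does not define that key, and a JSON 6902 `replace` requires the path to exist; as I read kustomize's patch handling this build fails on that entry, so use `- op: add` there (or give the base a placeholder namespace). The `/subjects/0/name` and `/metadata/name` replaces are fine because base defines those keys. A comment above `patches:` saying the three patches must be kept in step with the resource names in base would help whoever renames them next.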
@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
- name: lab-cluster-readers
+ name: workshop-admins
diff --git a/components/configs/cluster/namespaces/instance/sandbox/group-admin.yaml b/components/configs/cluster/namespaces/instance/sandbox/group-admin.yaml
deleted file mode 100644
index faf5a7d6..00000000
--- a/components/configs/cluster/namespaces/instance/sandbox/group-admin.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-kind: Group
-apiVersion: user.openshift.io/v1
-metadata:
- name: sandbox-admins
-users:
- - codekow
diff --git a/components/configs/cluster/namespaces/instance/sandbox/kustomization.yaml b/components/configs/cluster/namespaces/instance/sandbox/kustomization.yaml
index e1446b76..79156305 100644
--- a/components/configs/cluster/namespaces/instance/sandbox/kustomization.yaml
+++ b/components/configs/cluster/namespaces/instance/sandbox/kustomization.yaml
@@ -4,7 +4,6 @@ kind: Kustomization
 namespace: sandbox
 resources:
- # - group-admin.yaml
 - limit-range.yaml
 - namespace.yaml
 - quota.yaml
diff --git a/components/configs/cluster/namespaces/overlays/default-limited/kustomization.yaml b/components/configs/cluster/namespaces/overlays/default-limited/kustomization.yaml
index 782c5bd6..89f5a146 100644
--- a/components/configs/cluster/namespaces/overlays/default-limited/kustomization.yaml
+++ b/components/configs/cluster/namespaces/overlays/default-limited/kustomization.yaml
@@ -5,13 +5,6 @@ resources:
 - ../default
 patches:
- - target:
- kind: ClusterRoleBinding
- name: self-provisioners
- patch: |
- - op: replace
- path: /subjects
- value:
 - target:
 kind: LimitRange
 name: limit-range
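Review bot: `workshop-admins` becomes a Group that only rbac/overlays/workshop creates (the two group files move out of rbac/base at the end of this diff), yet this RoleBinding sits under namespaces/instance/registry and is rendered wherever that instance is included, which is not necessarily only workshop clusters. On a cluster using rbac/overlays/default the binding then points at a group nobody manages, and whoever later creates a Group named `workshop-admins` silently receives `edit` on the registry namespace. Either move rolebinding-edit.yaml alongside the workshop overlay or add a comment above `name: workshop-admins` stating that the group is intentionally provided elsewhere. The rest of the RoleBinding is outside the hunk.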
diff --git a/components/configs/cluster/rbac/overlays/rhdp/cluster-admins-custom-rolebinding.yaml b/components/configs/cluster/rbac/base/cluster-admins-rolebinding-default.yaml
similarity index 52%
rename from components/configs/cluster/rbac/overlays/rhdp/cluster-admins-custom-rolebinding.yaml
rename to components/configs/cluster/rbac/base/cluster-admins-rolebinding-default.yaml
index d8295a8e..30e7761e 100644
--- a/components/configs/cluster/rbac/overlays/rhdp/cluster-admins-custom-rolebinding.yaml
+++ b/components/configs/cluster/rbac/base/cluster-admins-rolebinding-default.yaml
@@ -1,11 +1,16 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: cluster-admins-custom
+ name: cluster-admins
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: 'true'
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
- name: cluster-admins-custom
+ name: 'system:cluster-admins'
+ - kind: User
+ apiGroup: rbac.authorization.k8s.io
+ name: 'system:admin'
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
diff --git a/components/configs/cluster/rbac/base/cluster-admins-rolebinding.yaml b/components/configs/cluster/rbac/base/cluster-admins-rolebinding.yaml
index 02ec78e6..04dfbf92 100644
--- a/components/configs/cluster/rbac/base/cluster-admins-rolebinding.yaml
+++ b/components/configs/cluster/rbac/base/cluster-admins-rolebinding.yaml
@@ -1,7 +1,8 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: cluster-admins
+ # added `-group` to name to avoid collision with default
+ name: cluster-admins-group
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
diff --git a/components/configs/cluster/rbac/base/cluster-readers-rolebinding.yaml b/components/configs/cluster/rbac/base/cluster-readers-rolebinding.yaml
index edc44d27..7c088f5d 100644
--- a/components/configs/cluster/rbac/base/cluster-readers-rolebinding.yaml
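Review bot: cluster-admins-rolebinding-default.yaml is not listed in the new `resources:` of rbac/base/kustomization.yaml further down this diff, so as written this ClusterRoleBinding is never rendered; either add it to the list or drop the file rather than leaving a binding to `system:admin` and `system:cluster-admins` that looks managed but is not. It also reuses the name `cluster-admins`, which the next hunk's comment identifies as the cluster default, while keeping `rbac.authorization.kubernetes.io/autoupdate: 'true'`; with that annotation the API server re-adds any bootstrap subject removed here on its next start, so git cannot reduce this binding's membership. If the intent is merely to mirror the default, a header comment saying so (and why a copy is kept) would stop the next reader treating it as a custom grant; if the intent is to pin membership, the annotation needs to be `'false'`. The roleRef name is outside the hunk.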
+++ b/components/configs/cluster/rbac/base/cluster-readers-rolebinding.yaml
@@ -1,7 +1,8 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: cluster-readers
+ # added `-group` to name to be consistent with cluster-admins
+ name: cluster-readers-group
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
diff --git a/components/configs/cluster/rbac/base/kustomization.yaml b/components/configs/cluster/rbac/base/kustomization.yaml
index e09f5eb2..befdaed7 100644
--- a/components/configs/cluster/rbac/base/kustomization.yaml
+++ b/components/configs/cluster/rbac/base/kustomization.yaml
@@ -2,9 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - 99-master-ssh-machineconfig.yaml
- - 99-worker-ssh-machineconfig.yaml
- - workshop-admins-group.yaml
- - workshop-users-group.yaml
- # see components/configs/namespaces/base
- # - self-provisioner-clusterrolebinding.yaml
+ - cluster-admins-group.yaml
+ - cluster-admins-rolebinding.yaml
+ - cluster-readers-group.yaml
+ - cluster-readers-rolebinding.yaml
+ - self-provisioner-clusterrolebinding.yaml
diff --git a/components/configs/cluster/namespaces/base/self-provisioner-clusterrolebinding.yaml b/components/configs/cluster/rbac/base/self-provisioner-clusterrolebinding.yaml
similarity index 100%
rename from components/configs/cluster/namespaces/base/self-provisioner-clusterrolebinding.yaml
rename to components/configs/cluster/rbac/base/self-provisioner-clusterrolebinding.yaml
diff --git a/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-group.yaml b/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-group.yaml
deleted file mode 100644
index 59c56f23..00000000
--- a/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-group.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-kind: Group
-apiVersion: user.openshift.io/v1
-metadata:
- name: cluster-admins-custom
-users:
- - opentlc-mgr
- - admin
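Review bot: The new `resources:` list in rbac/base/kustomization.yaml references cluster-admins-group.yaml and cluster-readers-group.yaml, neither of which is created, renamed or touched anywhere in this patch (the diffstat lists no such files), so either they already exist in rbac/base or `kustomize build` fails here; please confirm before merge. As far as this diff shows, the old list never included the cluster-admins/cluster-readers bindings, so this hunk is what first turns those ClusterRoleBindings on for every consumer of rbac/base, including clusters/default through rbac/overlays/default, and the group membership they bind (outside these hunks) deserves a look for the same reason. A comment above the list separating the grants (admins, readers) from the guard (self-provisioner) would document that intent.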
diff --git a/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-rolebinding.yaml b/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-rolebinding.yaml
deleted file mode 100644
index d8295a8e..00000000
--- a/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-rolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cluster-admins-custom
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: cluster-admins-custom
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
diff --git a/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-group.yaml b/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-group.yaml
deleted file mode 100644
index de1fcf4a..00000000
--- a/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-group.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-kind: Group
-apiVersion: user.openshift.io/v1
-metadata:
- name: cluster-readers-custom
-users:
- - codekow
diff --git a/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-rolebinding.yaml b/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-rolebinding.yaml
deleted file mode 100644
index 6528bf81..00000000
--- a/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-rolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cluster-readers-custom
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: cluster-readers-custom
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-reader
diff --git a/components/configs/cluster/rbac/overlays/default/exclude-self-provisioner.yaml b/components/configs/cluster/rbac/overlays/default/exclude-self-provisioner.yaml
new file mode 100644
index 00000000..f148a776
--- /dev/null
+++ b/components/configs/cluster/rbac/overlays/default/exclude-self-provisioner.yaml
@@ -0,0 +1,5 @@
+$patch: delete
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: self-provisioners
diff --git a/components/configs/cluster/rbac/overlays/default/kustomization.yaml b/components/configs/cluster/rbac/overlays/default/kustomization.yaml
index f7aa9d6f..f11fab8b 100644
--- a/components/configs/cluster/rbac/overlays/default/kustomization.yaml
+++ b/components/configs/cluster/rbac/overlays/default/kustomization.yaml
@@ -5,15 +5,4 @@ resources:
 - ../../base
 patches:
- - target:
- group: machineconfiguration.openshift.io
- version: v1
- kind: MachineConfig
- name: 99-master-ssh
- path: patch-ssh.yaml
- - target:
- group: machineconfiguration.openshift.io
- version: v1
- kind: MachineConfig
- name: 99-worker-ssh
- path: patch-ssh.yaml
\ No newline at end of file
+ - path: exclude-self-provisioner.yaml
diff --git a/components/configs/cluster/rbac/overlays/rhdp/cluster-admins-custom-group.yaml b/components/configs/cluster/rbac/overlays/rhdp/cluster-admins-custom-group.yaml
deleted file mode 100644
index 59c56f23..00000000
--- a/components/configs/cluster/rbac/overlays/rhdp/cluster-admins-custom-group.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-kind: Group
-apiVersion: user.openshift.io/v1
-metadata:
- name: cluster-admins-custom
-users:
- - opentlc-mgr
- - admin
diff --git a/components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-group.yaml b/components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-group.yaml
deleted file mode 100644
index da4318fd..00000000
--- a/components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-group.yaml
+++ /dev/null
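Review bot: With exclude-self-provisioner.yaml the default overlay renders no `self-provisioners` binding at all, so the cluster's built-in one is left unmanaged and project self-provisioning stays enabled for every authenticated user; earlier in this diff the subjects-nulling patch is removed from namespaces/overlays/default-limited and the binding from namespaces/base, so clusters that used default-limited lose that restriction without any overlay picking it up. If an unmanaged, permissive default is the intent, say so in a comment above `- path: exclude-self-provisioner.yaml`; if not, the `/subjects` replace now living in rbac/overlays/workshop belongs in this overlay too.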
@@ -1,8 +0,0 @@
-kind: Group
-apiVersion: user.openshift.io/v1
-metadata:
- name: cluster-readers-custom
-users:
- - codekow
- - davwhite
- - troyer
diff --git a/components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-rolebinding.yaml b/components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-rolebinding.yaml
deleted file mode 100644
index 6528bf81..00000000
--- a/components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-rolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cluster-readers-custom
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: cluster-readers-custom
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-reader
diff --git a/components/configs/cluster/rbac/overlays/rhdp/kustomization.yaml b/components/configs/cluster/rbac/overlays/rhdp/kustomization.yaml
deleted file mode 100644
index 0166df58..00000000
--- a/components/configs/cluster/rbac/overlays/rhdp/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- - ../../base
- - cluster-admins-custom-group.yaml
- - cluster-admins-custom-rolebinding.yaml
- - cluster-readers-custom-group.yaml
- - cluster-readers-custom-rolebinding.yaml
diff --git a/components/configs/cluster/rbac/overlays/workshop/kustomization.yaml b/components/configs/cluster/rbac/overlays/workshop/kustomization.yaml
new file mode 100644
index 00000000..68e72145
--- /dev/null
+++ b/components/configs/cluster/rbac/overlays/workshop/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+ - workshop-admins-group.yaml
+ - workshop-users-group.yaml
+
+patches:
+ - target:
+ kind: ClusterRoleBinding
+ name: self-provisioners
+ patch: |
+ - op: replace
+ path: /subjects
+ value:
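Review bot: The workshop overlay disables self-provisioning by replacing `/subjects` with a bare `value:` (an empty scalar, i.e. null); on OpenShift the built-in `self-provisioners` binding carries `rbac.authorization.kubernetes.io/autoupdate: "true"`, and the API server restores the default subjects on its next start unless that annotation is `"false"`, so the renamed rbac/base/self-provisioner-clusterrolebinding.yaml (content not in this diff) must set it — please confirm. Write the intended value explicitly, `value: []` or `value: null`, rather than relying on an empty scalar, and add a one-line comment on the patch stating that it removes project self-provisioning for workshop users.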
diff --git a/components/configs/cluster/rbac/base/workshop-admins-group.yaml b/components/configs/cluster/rbac/overlays/workshop/workshop-admins-group.yaml
similarity index 100%
rename from components/configs/cluster/rbac/base/workshop-admins-group.yaml
rename to components/configs/cluster/rbac/overlays/workshop/workshop-admins-group.yaml
diff --git a/components/configs/cluster/rbac/base/workshop-users-group.yaml b/components/configs/cluster/rbac/overlays/workshop/workshop-users-group.yaml
similarity index 100%
rename from components/configs/cluster/rbac/base/workshop-users-group.yaml
rename to components/configs/cluster/rbac/overlays/workshop/workshop-users-group.yaml
diff --git a/components/configs/cluster/sandbox-cleanup/kustomization.yaml b/components/configs/cluster/sandbox-cleanup/kustomization.yaml
deleted file mode 100644
index 67a038e3..00000000
--- a/components/configs/cluster/sandbox-cleanup/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- - sandbox-cleanup-cj.yaml
- - sandbox-cleanup-rb.yaml
- - sandbox-cleanup-sa.yaml
\ No newline at end of file
diff --git a/components/configs/cluster/sandbox-cleanup/sandbox-cleanup-cj.yaml b/components/configs/cluster/sandbox-cleanup/sandbox-cleanup-cj.yaml
deleted file mode 100644
index 550157f0..00000000
--- a/components/configs/cluster/sandbox-cleanup/sandbox-cleanup-cj.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: sandbox-cleanup
-spec:
- schedule: "0 12 * * 6"
- successfulJobsHistoryLimit: 3 # Remove after successful completion
- failedJobsHistoryLimit: 1 # Retain failed so that we see it
- concurrencyPolicy: Forbid
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- serviceAccountName: sandbox-cleanup
- containers:
- - name: sandbox-cleanup
- image: image-registry.openshift-image-registry.svc:5000/openshift/cli
- env:
- - name: OBJECTS
- value: all,cm,secret,pvc,dw,pipeline,el
- command:
- bash
- -c
- |
- #!/bin/sh
-
- get_most_api_resources(){
- oc api-resources \
- --verbs=list \
- --namespaced \
- -o name | \
- grep -v "events.events.k8s.io" | \
- grep -v "events" | \
- grep -v "packagemanifests" | \
- grep -v "operator.openshift.io" | \
- grep -v "operators.coreos.com" | \
- grep -v "authorization.openshift.io" | \
- grep -v "serviceaccount" | \
- grep -v "rbac" | \
- sort | uniq
- }
-
- oc_delete_most(){
- NAMESPACE=${1:-sandbox}
- echo ${NAMESPACE}
- sleep 3
-
- for i in $(get_most_api_resources)
- do
- echo "Resource:" $i
- oc -n ${NAMESPACE} \
- delete ${i} \
- --all
- done
- }
-
- oc_delete_most sandbox