#! /bin/bash
source utils/common.sh
source utils/kubeconfig.sh
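register_last_words "Resync rolebindings on clusters and namespaces"
# Namespace that holds the TMC agent pieces this script touches: the
# stack-config ConfigMap (org_id) and the policy-sync-extension Deployment.
TMC_NAMESPACE="vmware-system-tmc"
DATA_DIR="data"
SRC_DIR="$DATA_DIR/policies/iam"
# Per-run scratch directory under the working tree, keyed by epoch second. The
# name is predictable, which is tolerable only because it lives under $PWD and
# not in a shared location such as /tmp.
TEMP_DIR="$PWD/$SRC_DIR/$(date +%s)"
# Every cluster's kubeconfig is fetched into this one path (overwritten per
# cluster). It carries cluster credentials, so the directory is made 0700.
TEMPKUBECONFIG="$TEMP_DIR/kubeconfig"
# Create temp directory. Abort if it cannot be created or locked down; every
# kubectl call in this script goes through KUBECONFIG inside it. A `trap ... EXIT`
# is deliberately not added here: register_last_words (utils/common.sh, not
# visible in this file) appears to install its own exit handler, and a second
# EXIT trap would replace it.
if ! mkdir -p -- "$TEMP_DIR" || ! chmod 700 -- "$TEMP_DIR"; then
    log error "Failed to create or lock down temp directory $TEMP_DIR"
    exit 1
fi
export KUBECONFIG="$TEMPKUBECONFIG"
log "************************************************************************"
log "* Resync Rolebindings on Clusters and Namespaces ..."
log "************************************************************************"
# The index of onboarded clusters is mandatory input; refuse to run without it
# rather than silently iterating over nothing.
if [[ -z "${ONBOARDED_CLUSTER_INDEX_FILE:-}" ]]; then
    log error "ONBOARDED_CLUSTER_INDEX_FILE is not set"
    exit 1
elif [[ ! -f "$ONBOARDED_CLUSTER_INDEX_FILE" ]]; then
    log error "$ONBOARDED_CLUSTER_INDEX_FILE doesn't exist"
    exit 1
fi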
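#######################################
# is_stale_org_binding NAME ORG_ID
# Decide whether a (cluster)rolebinding name belongs to a TMC-synced org policy
# for some OTHER org than the one this cluster reports, i.e. is stale.
# Arguments: $1 - binding name; $2 - this cluster's org_id
# Returns:   0 when the name matches org-*-rbac.authorization.k8s.io and does
#            not contain ORG_ID; 1 otherwise (not a synced org binding, or ours).
#######################################
is_stale_org_binding() {
    local name="$1" org="$2"
    # Same shape as the original pattern, with the dots taken literally.
    [[ "$name" =~ org-.*-rbac\.authorization\.k8s\.io ]] || return 1
    # ORG_ID is compared as a literal substring, never interpreted as a regex.
    [[ "$name" == *"$org"* ]] && return 1
    return 0
}

# Walk every onboarded cluster. The index is read on fd 3 (not stdin) so that
# get_kubeconfig/kubectl cannot swallow index lines through inherited stdin.
# One entry per line, "<mgmt>.<provisioner>.<cluster>"; a final line without a
# trailing newline is still processed.
while IFS="." read -r -u 3 mgmt prvn cls || [[ -n "$cls" ]]; do
    # Never call get_kubeconfig with empty components.
    if [[ -z "$mgmt" || -z "$prvn" || -z "$cls" ]]; then
        log error "Skipping malformed index entry '$mgmt.$prvn.$cls' (expected mgmt.provisioner.cluster)"
        continue
    fi
    cluster_ref="$mgmt/$prvn/$cls"
    log info "Connecting to the cluster $cluster_ref..."
    # Drop the previous cluster's credentials first: if the fetch below reports
    # success without writing the file, the checks that follow must see an
    # absent kubeconfig, not the previous cluster's — otherwise the deletions
    # below would run against the wrong cluster.
    rm -f -- "$TEMPKUBECONFIG"
    if ! get_kubeconfig "$cls" "$prvn" "$mgmt" "$TEMPKUBECONFIG"; then
        log error "Failed to get kubeconfig for cluster $cluster_ref, skip resyncing access policies for this cluster"
        continue
    fi
    if [[ ! -s "$TEMPKUBECONFIG" ]]; then
        log error "No kubeconfig was written for cluster $cluster_ref, skip resyncing access policies for this cluster"
        continue
    fi
    # Verify cluster connection (cluster-info talks to the API server).
    if ! kubectl cluster-info >/dev/null 2>&1; then
        log error "Failed to connect to cluster $cluster_ref, skip resyncing access policies for this cluster"
        continue
    fi
    # Resolve this cluster's org id BEFORE any deletion: it is what separates a
    # stale binding from a live one, and a failure here must not leave the
    # cluster half-cleaned (previously it was fetched after the ClusterRole purge).
    org_id=$(kubectl -n "$TMC_NAMESPACE" get cm stack-config -o jsonpath='{.data.org_id}' 2>/dev/null)
    if [[ -z "$org_id" ]]; then
        log error "Failed to get org_id for the cluster $cluster_ref, skip resyncing access policies for this cluster"
        continue
    fi
    log info "Delete stale custom cluster roles for $cluster_ref ..."
    # For every CustomRole object, the ClusterRole of the same name is deleted
    # (presumably the synced form of the custom role, recreated by policy-sync
    # after the restart below — not verifiable from this file). If the list
    # fails, e.g. the CustomRole CRD is absent, there is nothing to delete and
    # the rest of the resync continues.
    if custom_roles=$(kubectl get customrole --no-headers -o custom-columns=":metadata.name"); then
        while read -r role; do
            [[ -n "$role" && "$role" != "<none>" ]] || continue
            kubectl delete clusterrole "$role" \
                || log error "Failed to delete clusterrole $role on $cluster_ref"
        done <<<"$custom_roles"
    else
        log info "Could not list customrole objects on $cluster_ref; no custom cluster roles deleted"
    fi
    log info "Delete stale cluster rolebindings on $cluster_ref ..."
    # ClusterRoleBindings are cluster-scoped, so -A is meaningless here. If the
    # list itself fails, skip the cluster rather than restart policy-sync on top
    # of an unknown state.
    if ! cluster_bindings=$(kubectl get clusterrolebinding --no-headers -o custom-columns=":metadata.name"); then
        log error "Failed to list clusterrolebindings on $cluster_ref, skip resyncing access policies for this cluster"
        continue
    fi
    while read -r binding; do
        [[ -n "$binding" ]] || continue
        if is_stale_org_binding "$binding" "$org_id"; then
            kubectl delete clusterrolebinding "$binding" \
                || log error "Failed to delete clusterrolebinding $binding on $cluster_ref"
        fi
    done <<<"$cluster_bindings"
    log info "Delete stale rolebindings for $cluster_ref ..."
    # -A is required: without it kubectl lists only the context's current
    # namespace (normally "default"), so stale RoleBindings in every other
    # namespace were silently left behind even though the delete below is
    # already namespace-aware.
    if ! namespaced_bindings=$(kubectl get rolebinding -A --no-headers -o custom-columns=":metadata.name,:metadata.namespace"); then
        log error "Failed to list rolebindings on $cluster_ref, skip resyncing access policies for this cluster"
        continue
    fi
    while read -r binding namespace; do
        [[ -n "$binding" && -n "$namespace" ]] || continue
        if is_stale_org_binding "$binding" "$org_id"; then
            kubectl delete rolebinding "$binding" -n "$namespace" \
                || log error "Failed to delete rolebinding $namespace/$binding on $cluster_ref"
        fi
    done <<<"$namespaced_bindings"
    log info "Restart policy sync extension to resync access policies ..."
    # The restart is what is expected to resync the policies just purged;
    # report when it does not happen so the cluster is not silently left
    # without its org bindings.
    kubectl rollout restart deployment policy-sync-extension -n "$TMC_NAMESPACE" \
        || log error "Failed to restart policy-sync-extension on $cluster_ref; access policies were not resynced"
done 3< "${ONBOARDED_CLUSTER_INDEX_FILE:-}"
# The fetched kubeconfig is a credential and nothing after this loop uses it;
# do not leave it on disk. The -n guard keeps rm from ever seeing an empty path.
if [[ -n "${TEMPKUBECONFIG:-}" ]]; then
    rm -f -- "$TEMPKUBECONFIG"
fi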