[Risk Mitigation] Create cleanup script for removing redundant ClusterRoleBinding which were previously labeled with managed-by: reconciler #558

Open
4 tasks
tobiscr opened this issue Dec 6, 2024 · 0 comments
Labels
area/control-plane Related to all activities around Kyma Control Plane kind/feature Categorizes issue or PR as related to a new feature.

tobiscr commented Dec 6, 2024

Description

After migration from provisioner to KIM is completed, we have to remove redundant ClusterRoleBindings which were initially managed by reconciler (marked by the managed-by: provisioner label).

This is the follow-up action of #556 to remove replaced ClusterRoleBindings.

Before the deletion of a ClusterRoleBinding happens, the following conditions have to be fulfilled:

  1. Check if an equivalent ClusterRoleBinding exists which is managed by KIM:
    • if YES -> delete CRB and we are done
    • if NO -> go ahead with step 2
  2. If no ClusterRoleBinding exists which is managed by KIM, check in RuntimeCR if the referenced User in CRB is still a member of the administrator list.
    • if NO -> delete CRB and we are done
    • if YES -> should never happen! FAILURE case, report error to @kyma-project/framefrog team.

AC:

  • the script is able to detect if a CRB which was created by Provisioner does not exist in the CRBs created by KIM
    • in such cases, the script is NOT deleting the CRB (created by Provisioner) and reporting an error - a manual check has to happen to verify why we have a different number of CRBs between KIM and Provisioner
    • the script offers an option to disable this behaviour: after a manual change, we can "enforce" the deletion of CRBs even if they are different (this allows the synchronisation of CRBs after a manual review happened)
  • redundant / outdated ClusterRoleBinding with label managed-by: provisioner are removed from SKR if one of the conditions is fulfilled:
    • the same ClusterRoleBinding is provided by KIM
    • the referenced User in the CRB is no longer an administrator (not a member of the administrator list in RuntimeCR)

Reasons

Remove redundant ClusterRoleBindings from SKRs.

@tobiscr tobiscr added kind/feature Categorizes issue or PR as related to a new feature. area/control-plane Related to all activities around Kyma Control Plane labels Dec 6, 2024
@VOID404 VOID404 self-assigned this Dec 12, 2024
@Disper Disper assigned akgalwas and unassigned koala7659 Jan 23, 2025
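
One way to express the deletion checks and the "enforce" option from the issue as a dry-run plan, written as an added example and not the project's own script. The `CRB` type, `PlanCleanup`, the equivalence rule (same role and same user) and the sample data are assumptions made for illustration.

```go
package main

import "fmt"

// CRB is a simplified, hypothetical stand-in for a ClusterRoleBinding:
// one User subject bound to one ClusterRole.
type CRB struct{ Name, Role, User string }

// Plan is the outcome for one SKR: bindings safe to delete and bindings
// that need a manual review before anything is removed.
type Plan struct {
	Delete []string
	Errors []string
}

// PlanCleanup applies the issue's checks to every Provisioner-labelled CRB.
// Equivalence (same role and same user) is an assumption of this example.
func PlanCleanup(provisioner, kim []CRB, admins []string, force bool) Plan {
	kimSet := map[[2]string]bool{}
	for _, c := range kim {
		kimSet[[2]string{c.Role, c.User}] = true
	}
	adminSet := map[string]bool{}
	for _, a := range admins {
		adminSet[a] = true
	}
	var p Plan
	for _, c := range provisioner {
		switch {
		case kimSet[[2]string{c.Role, c.User}]: // step 1: KIM provides the same CRB
			p.Delete = append(p.Delete, c.Name)
		case !adminSet[c.User]: // step 2: user is no longer an administrator
			p.Delete = append(p.Delete, c.Name)
		case force: // mismatch was reviewed manually, deletion enforced
			p.Delete = append(p.Delete, c.Name)
		default: // admin without a KIM binding: keep the CRB and report
			p.Errors = append(p.Errors, fmt.Sprintf(
				"%s: user %q is an administrator but has no KIM-managed CRB", c.Name, c.User))
		}
	}
	return p
}

func main() {
	// Constructed sample data for one runtime.
	prov := []CRB{{"admin-a", "cluster-admin", "a@example.com"},
		{"admin-b", "cluster-admin", "b@example.com"},
		{"admin-c", "cluster-admin", "c@example.com"}}
	kim := []CRB{{"kim-a", "cluster-admin", "a@example.com"}}
	admins := []string{"a@example.com", "c@example.com"}
	fmt.Printf("%+v\n", PlanCleanup(prov, kim, admins, false))
}
```

Producing a plan before any delete call keeps the failure case visible: a binding for a current administrator is never removed unless the enforce flag is set after the manual review.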