Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement CRB cleanup #576

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

Implement CRB cleanup #576

wants to merge 17 commits into from

Conversation

VOID404
Copy link
Contributor

@VOID404 VOID404 commented Dec 19, 2024

Description

Changes proposed in this pull request:

  • ...
  • ...
  • ...

Related issue(s)

@kyma-bot kyma-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cla: yes Indicates the PR's author has signed the CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Dec 19, 2024
@kyma-bot kyma-bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 8, 2025
@VOID404 VOID404 changed the title [WIP] Implement CRB cleanup Implement CRB cleanup Jan 8, 2025
@VOID404 VOID404 marked this pull request as ready for review January 8, 2025 09:13
@VOID404 VOID404 requested a review from a team as a code owner January 8, 2025 09:13
@kyma-bot kyma-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 8, 2025
@VOID404
Copy link
Contributor Author

VOID404 commented Jan 8, 2025

File output might be a problem for running this in a loop on all shoots.
Option for prefixing files (eg with shoot name) could solve this.

@VOID404 VOID404 requested a review from a team as a code owner January 9, 2025 15:17
flag.StringVar(&cfg.OldLabel, "oldLabel", LabelSelectorOld, "Label marking old CRBs")
flag.StringVar(&cfg.NewLabel, "newLabel", LabelSelectorNew, "Label marking new CRBs")
flag.StringVar(&cfg.Output, "output", "", "Output folder for created files. Can also contain file prefix, if it doesn't end with `/` (can be a folder, eg ./foo/)")
flag.BoolVar(&cfg.DryRun, "dry-run", false, "Don't remove CRBs, write what would be removed to ./removed.json")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think true is a better default for the dry-run flag.

@@ -0,0 +1,48 @@
# CRB Cleanup script

This script is used to clean up old ClusterRoleBindings (CRBs) after migration.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This tool has one particular use case: matching CRBs created by Provisioner with those created with KIM. It doesn't need to be generic, however, I think we can leave it as it is.

if len(compared.missing) != 0 {
slog.Warn("Old CRBs not found in new CRBs", "crbs", compared.missing)
if unmatched != nil {
err := json.NewEncoder(unmatched).Encode(compared.missing)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We store whole CRB objects in the output files. Actually the names of the objects would be sufficient, but I think we can leave it as it is.

Comment on lines 56 to 57
failures, err := ProcessCRBs(fetcher, cleaner, missingFile, cfg)
if err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two observations:

  • The ticket mentions that if there is no matching crb for the one created by the Provisioner we should lookup into the Runtime CR. The code doesn't do that, but the case is detected by the tool so that I think it is acceptable.
  • Once some crbs that doesn't have a counterpart are detected the application stops processing. It could remove the crbs that match, but now everything needs to be done manually.

I don't consider those as defects.

compared := Compare(ctx, oldCRBs, newCRBs)

if len(compared.additional) != 0 {
slog.Info("New CRBs not found in old CRBs", "crbs", compared.additional)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be more readable if we would print the names of the crbs, not the whole objects.

slog.Info("New CRBs not found in old CRBs", "crbs", compared.additional)
}
if len(compared.missing) != 0 {
slog.Warn("Old CRBs not found in new CRBs", "crbs", compared.missing)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be more readable if we would print the names of the crbs, not the whole objects.

@@ -0,0 +1,106 @@
package main
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the tool should be more kcp taskrun friendly.
There are two use cases:

  1. I just want to see what will be removed, and where are the problems that require manual intervention
  2. I want to do actual remove and learn what needs manual intervention

Exemplary run:

kcp taskrun --target plan=aws -- go run ./cmd/crb-cleanup -output=./run-aws/ -dry-run=true

The above call invokes crb-cleanup for all AWS clusters.

Problems:

  • run_aws folder contains only three files (failures.json, missing.json, removed.json) ; what I would expect is to have many files (set of files for each runtime)
  • The tool prints the following message: "New CRBs not found in old CRBs" ; it happens in case there are crbs for particular subject that exist for KIM but didn't exist for Provisioner - the information is completely redundant, as we don't want to be notified about new CRBs that were added by the user (we want to learn when there is no counterpart and some manual intervention is required)
  • I'm now convinced that the tool should not use old and new words. It should be more specific (old=Provisioner, new=Kim)
  • output json files are created before we know if there will be anything to write ; I need to open the file to see if it actually contains anything

What would make it more friendly:

  • output should be stored for each runtime separately ; there are two options:
    • files are prefixed with shoot name and stored in the output folder
    • there is one folder with shoot name where all the files are stored
  • I'm wondering whether in case it was detected that there are some Provisioner crbs that doesn't have KIM counterpart we should exit with error
  • printing some "completed" message ; it would be easier to grep the output, and see what runtimes are sound

flag.StringVar(&cfg.Output, "output", "", "Output folder for created files. Can also contain file prefix, if it doesn't end with `/` (can be a folder, eg ./foo/)")
flag.BoolVar(&cfg.DryRun, "dry-run", false, "Don't remove CRBs, write what would be removed to ./removed.json")
flag.BoolVar(&cfg.Verbose, "verbose", false, "Increase the log level to debug (default: info)")
flag.BoolVar(&cfg.Force, "force", false, "Force remove CRBs without checking migration status")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not convinced to have this force option. IMO it's risky.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was specifically listed in requirements by @tobiscr, IIRC

}

// Failures implements Filer.
func (j JSONFiler) Failures(failures []Failure) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small thing: the Failures, Missing, and Removed functions are almost identical we could have a helper function called in all those three functions.


All of the log files will be created either way.

### prefixing logs based on env
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would express that it is about running with kcp tool

@kyma-bot kyma-bot added the lgtm Looks good to me! label Jan 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cla: yes Indicates the PR's author has signed the CLA. lgtm Looks good to me! size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants