package reaper
import (
"time"
"github.com/golang/glog"
kapi "k8s.io/kubernetes/pkg/api"
kerrors "k8s.io/kubernetes/pkg/api/errors"
kcoreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/unversioned"
"k8s.io/kubernetes/pkg/kubectl"
"github.com/openshift/origin/pkg/client"
)
// NewGroupReaper returns a kubectl.Reaper for groups. The returned value is a
// *GroupReaper holding the four supplied clients; no calls are made on them
// here.
func NewGroupReaper(
	groupClient client.GroupsInterface,
	clusterBindingClient client.ClusterRoleBindingsInterface,
	bindingClient client.RoleBindingsNamespacer,
	sccClient kcoreclient.SecurityContextConstraintsGetter,
) kubectl.Reaper {
	reaper := new(GroupReaper)
	reaper.groupClient = groupClient
	reaper.clusterBindingClient = clusterBindingClient
	reaper.bindingClient = bindingClient
	reaper.sccClient = sccClient
	return reaper
}
// GroupReaper deletes a group together with the references that name it.
// Each field is the client Stop uses for one kind of object.
type GroupReaper struct {
	// groupClient deletes the group object itself.
	groupClient client.GroupsInterface
	// clusterBindingClient is handed to reapClusterBindings.
	clusterBindingClient client.ClusterRoleBindingsInterface
	// bindingClient is handed to reapNamespacedBindings.
	bindingClient client.RoleBindingsNamespacer
	// sccClient lists and updates SecurityContextConstraints so the group
	// can be dropped from their Groups lists.
	sccClient kcoreclient.SecurityContextConstraintsGetter
}
// Stop on a reaper is actually used for deletion. It removes the references
// to the group first and the group object last:
//
//  1. cluster role bindings, via reapClusterBindings;
//  2. namespaced role bindings, via reapNamespacedBindings;
//  3. the group's entry in the Groups list of every SecurityContextConstraints;
//  4. the group itself.
//
// A failure in step 1 or 2, or in listing the SCCs, aborts and is returned.
// A failed SCC update is only logged. A NotFound error on the SCC update or on
// the group delete is ignored. The namespace, timeout and gracePeriod
// arguments are not used.
func (r *GroupReaper) Stop(namespace, name string, timeout time.Duration, gracePeriod *kapi.DeleteOptions) error {
	subject := kapi.ObjectReference{Kind: "Group", Name: name}

	err := reapClusterBindings(subject, r.clusterBindingClient)
	if err != nil {
		return err
	}
	err = reapNamespacedBindings(subject, r.bindingClient)
	if err != nil {
		return err
	}

	// Remove the group from sccs
	sccList, err := r.sccClient.SecurityContextConstraints().List(kapi.ListOptions{})
	if err != nil {
		return err
	}
	for _, scc := range sccList.Items {
		kept := []string{}
		for _, member := range scc.Groups {
			if member == name {
				continue
			}
			kept = append(kept, member)
		}
		if len(kept) == len(scc.Groups) {
			// This SCC does not list the group; nothing to write back.
			continue
		}

		updated := scc
		updated.Groups = kept
		_, updateErr := r.sccClient.SecurityContextConstraints().Update(&updated)
		if updateErr == nil || kerrors.IsNotFound(updateErr) {
			continue
		}
		// NOTE(review): the failure is logged at Info level and the group is
		// still deleted below, so this SCC can keep listing the group name.
		// Presumably a group created later under the same name would match
		// that leftover entry; confirm that best-effort handling is intended
		// here, given that binding failures above abort the reap.
		glog.Infof("Cannot update scc/%s: %v", scc.Name, updateErr)
	}

	// Remove the group
	deleteErr := r.groupClient.Groups().Delete(name)
	if deleteErr != nil && !kerrors.IsNotFound(deleteErr) {
		return deleteErr
	}
	return nil
}