Merge pull request #554 from Disper/do_not_delete_service_accounts

Kim should not delete existing service accounts
kyma-project · Dec 5, 2024 · 0172347 · 0172347
2 parents ea07e92 + d0b08e2
commit 0172347
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/internal/controller/runtime/fsm/runtime_fsm_apply_clusterrolebindings.go b/internal/controller/runtime/fsm/runtime_fsm_apply_clusterrolebindings.go
@@ -111,6 +111,12 @@ func isRBACUserKindOneOf(names []string) func(rbacv1.Subject) bool {
 	}
 }
 
+func isRBACServiceAccountKind() func(rbacv1.Subject) bool {
+	return func(s rbacv1.Subject) bool {
+		return s.Kind == rbacv1.ServiceAccountKind
+	}
+}
+
 func getRemoved(crbs []rbacv1.ClusterRoleBinding, admins []string) (removed []rbacv1.ClusterRoleBinding) {
 	// iterate over cluster role bindings to find out removed administrators
 	for _, crb := range crbs {
@@ -129,6 +135,12 @@ func getRemoved(crbs []rbacv1.ClusterRoleBinding, admins []string) (removed []rb
 			continue
 		}
 
+		index = slices.IndexFunc(crb.Subjects, isRBACServiceAccountKind())
+		if index >= 0 {
+			// cluster role binding does not contain serviceaccount subject
+			continue
+		}
+
 		// administrator was removed
 		removed = append(removed, crb)
 	}

diff --git a/internal/controller/runtime/fsm/runtime_fsm_apply_crb_test.go b/internal/controller/runtime/fsm/runtime_fsm_apply_crb_test.go
@@ -110,6 +110,14 @@ var _ = Describe(`runtime_fsm_apply_crb`, Label("applyCRB"), func() {
 			},
 			expected: nil,
 		}),
+		Entry("should not remove Service account CRB not managed by reconciler or KIM", tcCRBData{
+			admins: []string{"test1", "test2"},
+			crbs: []rbacv1.ClusterRoleBinding{
+				toServiceAccountClusterRoleBinding("test3-should-stay"),
+				toServiceAccountClusterRoleBinding("test4-should-stay"),
+			},
+			expected: nil,
+		}),
 		Entry("should remove CRB managed by reconciler or KIM, that are not in the admin list", tcCRBData{
 			admins: []string{"test4", "test5"},
 			crbs: []rbacv1.ClusterRoleBinding{
@@ -285,3 +293,22 @@ func toManagedClusterRoleBinding(name, managedBy string) rbacv1.ClusterRoleBindi
 	}
 	return clusterRoleBinding
 }
+
+func toServiceAccountClusterRoleBinding(name string) rbacv1.ClusterRoleBinding {
+	return rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Subjects: []rbacv1.Subject{{
+			Kind:      rbacv1.ServiceAccountKind,
+			Name:      "cluster-admin",
+			Namespace: "cicdnamespace",
+			APIGroup:  rbacv1.GroupName,
+		}},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: rbacv1.GroupName,
+			Kind:     "ClusterRole",
+			Name:     "cluster-admin",
+		},
+	}
+}