diff --git a/internal/controller/runtime/fsm/runtime_fsm_apply_clusterrolebindings.go b/internal/controller/runtime/fsm/runtime_fsm_apply_clusterrolebindings.go
index 49c6d3e6..42342ebc 100644
--- a/internal/controller/runtime/fsm/runtime_fsm_apply_clusterrolebindings.go
+++ b/internal/controller/runtime/fsm/runtime_fsm_apply_clusterrolebindings.go
@@ -21,10 +21,6 @@ var (
 labelsManagedByKIM = map[string]string{
 "reconciler.kyma-project.io/managed-by": "infrastructure-manager",
 }
- //nolint:gochecknoglobals
- labelsManagedByReconciler = map[string]string{
- "reconciler.kyma-project.io/managed-by": "reconciler",
- }
 )
 
 func sFnApplyClusterRoleBindings(ctx context.Context, m *fsm, s *systemState) (stateFn, *ctrl.Result, error) {
@@ -104,16 +100,15 @@ func getKubeconfigSecret(ctx context.Context, cnt client.Client, runtimeID, name
 return kubeconfigSecret, nil
 }
 
-func isRBACUserKindOneOf(names []string) func(rbacv1.Subject) bool {
+func isRBACUserKind() func(rbacv1.Subject) bool {
 return func(s rbacv1.Subject) bool {
- return s.Kind == rbacv1.UserKind && slices.Contains(names, s.Name)
+ return s.Kind == rbacv1.UserKind
 }
 }
 
-func isRBACServiceAccountKind() func(rbacv1.Subject) bool {
+func isRBACUserKindOneOf(names []string) func(rbacv1.Subject) bool {
 return func(s rbacv1.Subject) bool {
- return s.Kind == rbacv1.ServiceAccountKind
+ return slices.Contains(names, s.Name)
 }
 }
 
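Review bot: With labelsManagedByReconciler removed, managedByKIM (hunk at -149) no longer recognises ClusterRoleBindings labelled managed-by=reconciler, so any such binding still present on a runtime is neither reconciled nor considered by getRemoved when an admin is dropped; the deleted comment said those provisioner-era bindings had to be managed as well. If the migration is complete and none remain, a comment on labelsManagedByKIM such as `// Only CRBs labelled managed-by=infrastructure-manager are reconciled; provisioner-era managed-by=reconciler bindings are no longer handled here.` would record that decision; if some may remain, the removal path still needs to cover them. The var block starts before the hunk.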
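Review bot: isRBACUserKindOneOf no longer tests s.Kind, so its name is misleading and it now matches a ServiceAccount or Group subject whose Name happens to equal an admin name; in getRemoved (next hunk) such a binding is then kept as if it still bound a current admin, even when its User subjects are stale. Keep the kind test in the predicate: `return s.Kind == rbacv1.UserKind && slices.Contains(names, s.Name)`. isRBACUserKind would also benefit from a one-line doc comment, e.g. `// isRBACUserKind matches subjects of kind User regardless of name.`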
@@ -126,18 +121,17 @@ func getRemoved(crbs []rbacv1.ClusterRoleBinding, admins []string) (removed []rb
 }
 
 if crb.RoleRef.Kind != "ClusterRole" && crb.RoleRef.Name != "cluster-admin" {
+ // cluster role binding is not admin
 continue
 }
 
- index := slices.IndexFunc(crb.Subjects, isRBACUserKindOneOf(admins))
- if index >= 0 {
- // cluster role binding does not contain user subject
+ if !slices.ContainsFunc(crb.Subjects, isRBACUserKind()) {
+ // cluster role binding does not contain serviceaccount subject
 continue
 }
 
- index = slices.IndexFunc(crb.Subjects, isRBACServiceAccountKind())
- if index >= 0 {
- // cluster role binding does not contain serviceaccount subject
+ if slices.ContainsFunc(crb.Subjects, isRBACUserKindOneOf(admins)) {
+ // cluster role binding does not contain user subject
 continue
 }
 
@@ -149,11 +143,9 @@ func getRemoved(crbs []rbacv1.ClusterRoleBinding, admins []string) (removed []rb
 }
 
 func managedByKIM(crb rbacv1.ClusterRoleBinding) bool {
- selector := labels.Set(crb.Labels).AsSelector()
- isManagedByKIM := selector.Matches(labels.Set(labelsManagedByKIM))
- isManagedByReconciler := selector.Matches(labels.Set(labelsManagedByReconciler))
- // Provisioner managed CRBs with label managed-by=reconciler, we have to manage them as well
- return isManagedByKIM || isManagedByReconciler
+ selector := labels.Set(labelsManagedByKIM).AsSelector()
+ isManagedByKIM := selector.Matches(labels.Set(crb.Labels))
+ return isManagedByKIM
 }
 
 //nolint:gochecknoglobals
diff --git a/internal/controller/runtime/fsm/runtime_fsm_apply_crb_test.go b/internal/controller/runtime/fsm/runtime_fsm_apply_crb_test.go
index af233c8e..54b22f9a 100644
--- a/internal/controller/runtime/fsm/runtime_fsm_apply_crb_test.go
+++ b/internal/controller/runtime/fsm/runtime_fsm_apply_crb_test.go
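Review bot: The two added comments in getRemoved are crossed: the branch after `!slices.ContainsFunc(crb.Subjects, isRBACUserKind())` skips bindings that have no User subject at all, yet is labelled "does not contain serviceaccount subject", and the branch after `slices.ContainsFunc(crb.Subjects, isRBACUserKindOneOf(admins))` skips bindings that still name a current admin, yet is labelled "does not contain user subject". Suggest `// cluster role binding does not contain any user subject` and `// cluster role binding still contains a current admin` respectively. Separately, the old code skipped every binding that carried a ServiceAccount subject; with that guard gone, a binding holding both a stale User and a ServiceAccount subject is now returned as removed in its entirety, which presumably drops the service account's access too — if that is intended, a comment stating it would help the next reader. getRemoved starts and ends outside the hunk.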
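Review bot: The `isManagedByKIM` temporary in managedByKIM adds nothing over returning the match directly; `return labels.Set(labelsManagedByKIM).AsSelector().Matches(labels.Set(crb.Labels))` reads just as clearly and removes the name that no longer has a sibling to contrast with. A doc comment would also help now that the selector is built from the expected labels rather than from the binding's own labels: `// managedByKIM reports whether crb carries every label in labelsManagedByKIM.`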
@@ -46,7 +46,7 @@ var _ = Describe(`runtime_fsm_apply_crb`, Label("applyCRB"), func() {
 admins: []string{"test1", "test2", "test3"},
 crbs: []rbacv1.ClusterRoleBinding{
 toAdminClusterRoleBinding("test1"),
- toManagedClusterRoleBinding("test2", "reconciler"),
+ toManagedClusterRoleBinding("test2", "infrastructure-manager"),
 toManagedClusterRoleBinding("test3", "infrastructure-manager"),
 },
 expected: nil,
@@ -129,7 +129,6 @@ var _ = Describe(`runtime_fsm_apply_crb`, Label("applyCRB"), func() {
 },
 expected: []rbacv1.ClusterRoleBinding{
 toManagedClusterRoleBinding("test1", "infrastructure-manager"),
- toManagedClusterRoleBinding("test2", "reconciler"),
 },
 }),
 )
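Review bot: The fixture changes only swap the reconciler label for infrastructure-manager; no case covers the decision points that the getRemoved change introduces — a binding with both a User and a ServiceAccount subject (previously skipped, now returned as removed), and a binding whose non-User subject has a name equal to an admin name, which isRBACUserKindOneOf now treats as a current admin. Adding those two entries to the table would pin whichever behaviour is intended before the cleanup path acts on real cluster-admin bindings.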