should not delete ServiceAccounts CRBs
Disper committed Dec 5, 2024
1 parent 50625ba commit d0b08e2
Showing 2 changed files with 30 additions and 4 deletions.
Expand Up @@ -111,10 +111,9 @@ func isRBACUserKindOneOf(names []string) func(rbacv1.Subject) bool {
}
}

func isRBACServiceAccountKindOneOf(names []string) func(rbacv1.Subject) bool {
func isRBACServiceAccountKind() func(rbacv1.Subject) bool {
return func(s rbacv1.Subject) bool {
return s.Kind == rbacv1.ServiceAccountKind &&
slices.Contains(names, s.Name)
return s.Kind == rbacv1.ServiceAccountKind
}
}

Expand All @@ -136,7 +135,7 @@ func getRemoved(crbs []rbacv1.ClusterRoleBinding, admins []string) (removed []rb
continue
}

index = slices.IndexFunc(crb.Subjects, isRBACServiceAccountKindOneOf(admins))
index = slices.IndexFunc(crb.Subjects, isRBACServiceAccountKind())
if index >= 0 {
// cluster role binding does not contain serviceaccount subject
continue
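Review bot: With `index = slices.IndexFunc(crb.Subjects, isRBACServiceAccountKind())` the `admins` list no longer constrains ServiceAccount subjects at all, so whatever guard precedes this check in getRemoved (outside the hunk) is now the only thing deciding which ServiceAccount bindings are even considered — that is the intent per the title, but the context comment on the next line is now plainly inverted, since `index >= 0` means a ServiceAccount subject WAS found; change it to `// keep any binding that has a ServiceAccount subject; only User subjects are reconciled against admins`. As a point of style, `isRBACServiceAccountKind()` takes no arguments and closes over nothing, so a plain `func isRBACServiceAccountKind(s rbacv1.Subject) bool { return s.Kind == rbacv1.ServiceAccountKind }` passed directly to IndexFunc reads cleaner than a closure factory kept for symmetry with `isRBACUserKindOneOf`. getRemoved starts and ends outside this hunk.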
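--- a/internal/controller/runtime/fsm/runtime_fsm_apply_crb_test.go
+++ b/internal/controller/runtime/fsm/runtime_fsm_apply_crb_test.go
@@ -110,6 +110,14 @@ var _ = Describe(`runtime_fsm_apply_crb`, Label("applyCRB"), func() {
 },
 expected: nil,
 }),
+Entry("should not remove Service account CRB not managed by reconciler or KIM", tcCRBData{
+admins: []string{"test1", "test2"},
+crbs: []rbacv1.ClusterRoleBinding{
+toServiceAccountClusterRoleBinding("test3-should-stay"),
+toServiceAccountClusterRoleBinding("test4-should-stay"),
+},
+expected: nil,
+}),
 Entry("should remove CRB managed by reconciler or KIM, that are not in the admin list", tcCRBData{
 admins: []string{"test4", "test5"},
 crbs: []rbacv1.ClusterRoleBinding{
@@ -285,3 +293,22 @@ func toManagedClusterRoleBinding(name, managedBy string) rbacv1.ClusterRoleBindi
 }
 return clusterRoleBinding
 }
+
+func toServiceAccountClusterRoleBinding(name string) rbacv1.ClusterRoleBinding {
+return rbacv1.ClusterRoleBinding{
+ObjectMeta: metav1.ObjectMeta{
+Name: name,
+},
+Subjects: []rbacv1.Subject{{
+Kind: rbacv1.ServiceAccountKind,
+Name: "cluster-admin",
+Namespace: "cicdnamespace",
+APIGroup: rbacv1.GroupName,
+}},
+RoleRef: rbacv1.RoleRef{
+APIGroup: rbacv1.GroupName,
+Kind: "ClusterRole",
+Name: "cluster-admin",
+},
+}
+}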
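Review bot: The new entry "should not remove Service account CRB not managed by reconciler or KIM" does not isolate the predicate the commit changes: `toServiceAccountClusterRoleBinding` sets no labels at all (compare `toManagedClusterRoleBinding(name, managedBy)`), so if getRemoved already skips unmanaged bindings before it looks at subjects, this case passes with or without the fix. Add a second entry built from a binding that carries the managed-by label and a ServiceAccount subject, with `expected: nil` — that is the case the commit title actually describes, and it would have failed on the old `isRBACServiceAccountKindOneOf` code. Separately, the fixture subject sets `APIGroup: rbacv1.GroupName` on a ServiceAccount subject; as far as I recall the API server's RBAC validation only accepts a non-empty APIGroup for User/Group subjects and ServiceAccount subjects use the core group (""), so dropping that field keeps the fixture representative of objects that can exist in a cluster, even though the predicate under test only inspects `Kind`.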
