Merge pull request #19619 from deads2k/cli-33-prune

add oc adm prune role command to replace the existing reaper
openshift · May 10, 2018 · 74a6a14 · 74a6a14
2 parents d388176 + 73e6152
commit 74a6a14
Show file tree

Hide file tree

Showing 21 changed files with 677 additions and 293 deletions.
diff --git a/contrib/completions/bash/oc b/contrib/completions/bash/oc
diff --git a/contrib/completions/zsh/oc b/contrib/completions/zsh/oc
diff --git a/docs/man/man1/.files_generated_oc b/docs/man/man1/.files_generated_oc
diff --git a/docs/man/man1/oc-adm-prune-auth.1 b/docs/man/man1/oc-adm-prune-auth.1
diff --git a/hack/import-restrictions.json b/hack/import-restrictions.json
@@ -429,6 +429,7 @@
       "vendor/k8s.io/kubernetes/pkg/printers",
       "vendor/k8s.io/kubernetes/pkg/util",
       "vendor/k8s.io/utils",
+      "vendor/github.com/davecgh/go-spew/spew",
 
       "github.com/openshift/origin/pkg/apps/generated",
       "github.com/openshift/origin/pkg/authorization/generated",
@@ -457,7 +458,7 @@
       "github.com/openshift/origin/pkg/apps/client/v1",
       "github.com/openshift/origin/pkg/apps/util",
       "github.com/openshift/origin/pkg/authorization/apis/authorization",
-      "github.com/openshift/origin/pkg/authorization/reaper",
+      "github.com/openshift/origin/pkg/authorization/apis/authorization/install",
       "github.com/openshift/origin/pkg/authorization/registry/util",
       "github.com/openshift/origin/pkg/authorization/util",
       "github.com/openshift/origin/pkg/build/apis/build",
@@ -525,7 +526,6 @@
       "github.com/openshift/origin/pkg/unidling/util",
       "github.com/openshift/origin/pkg/user/apis/user",
       "github.com/openshift/origin/pkg/user/apis/user/install",
-      "github.com/openshift/origin/pkg/user/reaper",
       "github.com/openshift/origin/pkg/util",
       "github.com/openshift/origin/pkg/util/docker/dockerfile",
       "github.com/openshift/origin/pkg/util/dot",

diff --git a/pkg/authorization/reaper/cluster_role.go b/pkg/authorization/reaper/cluster_role.go
diff --git a/pkg/authorization/reaper/role.go b/pkg/authorization/reaper/role.go
diff --git a/pkg/user/reaper/bindings.go → pkg/oc/admin/prune/authprune/bindings.go b/pkg/user/reaper/bindings.go → pkg/oc/admin/prune/authprune/bindings.go
@@ -1,7 +1,9 @@
-package reaper
+package authprune
 
 import (
-	"github.com/golang/glog"
+	"fmt"
+	"io"
+
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kapi "k8s.io/kubernetes/pkg/apis/core"
@@ -10,10 +12,12 @@ import (
 )
 
 // reapClusterBindings removes the subject from cluster-level role bindings
-func reapClusterBindings(removedSubject kapi.ObjectReference, c authclient.Interface) error {
+func reapClusterBindings(removedSubject kapi.ObjectReference, c authclient.Interface, out io.Writer) []error {
+	errors := []error{}
+
 	clusterBindings, err := c.Authorization().ClusterRoleBindings().List(metav1.ListOptions{})
 	if err != nil {
-		return err
+		return []error{err}
 	}
 	for _, binding := range clusterBindings.Items {
 		retainedSubjects := []kapi.ObjectReference{}
@@ -26,18 +30,22 @@ func reapClusterBindings(removedSubject kapi.ObjectReference, c authclient.Inter
 			updatedBinding := binding
 			updatedBinding.Subjects = retainedSubjects
 			if _, err := c.Authorization().ClusterRoleBindings().Update(&updatedBinding); err != nil && !kerrors.IsNotFound(err) {
-				glog.Infof("Cannot update clusterrolebinding/%s: %v", binding.Name, err)
+				errors = append(errors, err)
+			} else {
+				fmt.Fprintf(out, "clusterrolebinding.rbac.authorization.k8s.io/"+updatedBinding.Name+" updated\n")
 			}
 		}
 	}
-	return nil
+	return errors
 }
 
 // reapNamespacedBindings removes the subject from namespaced role bindings
-func reapNamespacedBindings(removedSubject kapi.ObjectReference, c authclient.Interface) error {
+func reapNamespacedBindings(removedSubject kapi.ObjectReference, c authclient.Interface, out io.Writer) []error {
+	errors := []error{}
+
 	namespacedBindings, err := c.Authorization().RoleBindings(metav1.NamespaceAll).List(metav1.ListOptions{})
 	if err != nil {
-		return err
+		return []error{err}
 	}
 	for _, binding := range namespacedBindings.Items {
 		retainedSubjects := []kapi.ObjectReference{}
@@ -50,9 +58,11 @@ func reapNamespacedBindings(removedSubject kapi.ObjectReference, c authclient.In
 			updatedBinding := binding
 			updatedBinding.Subjects = retainedSubjects
 			if _, err := c.Authorization().RoleBindings(binding.Namespace).Update(&updatedBinding); err != nil && !kerrors.IsNotFound(err) {
-				glog.Infof("Cannot update rolebinding/%s in %s: %v", binding.Name, binding.Namespace, err)
+				errors = append(errors, err)
+			} else {
+				fmt.Fprintf(out, "rolebinding.rbac.authorization.k8s.io/"+updatedBinding.Name+" updated\n")
 			}
 		}
 	}
-	return nil
+	return errors
 }