-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
cli: add more rbac utils sub-commands
* scan-user-permissions * cleanup-user-permissions
- Loading branch information
Showing
7 changed files
with
370 additions
and
30 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
# RBAC | ||
|
||
|
||
## scan-user-permissions | ||
|
||
扫描指定集群中存在的 RAM 用户和角色的 RBAC bindings. | ||
|
||
```shell | ||
|
||
# 默认只输出已删除 RAM 用户和角色 | ||
$ ack-ram-tool rbac scan-user-permissions -c <集群ID> | ||
UID UserType UserName Binding | ||
2432******** (deleted) RamUser ClusterRoleBinding/-/24*****-clusterrolebinding | ||
|
||
|
||
# 可以通过 -A 显示所有用户和角色 | ||
$ ack-ram-tool rbac scan-user-permissions -A -c <集群ID> | ||
UID UserType UserName Binding | ||
2432******** (deleted) RamUser ClusterRoleBinding/-/24*****-clusterrolebinding | ||
2342******** RamUser foobar ClusterRoleBinding/-/23*****-clusterrolebinding | ||
|
||
``` | ||
|
||
## cleanup-user-permissions | ||
|
||
清理指定集群中指定的 RAM 用户和角色的 RBAC bindings. | ||
|
||
```shell | ||
|
||
# <用户ID> 可以从上面的 scan 命令的结果中获取 | ||
$ ack-ram-tool rbac cleanup-user-permissions -c <集群ID> -u <用户ID> | ||
Start to scan users and bindings | ||
Will cleanup RBAC bindings as blow: | ||
UID UserType UserName Binding | ||
300******************** (deleted) RamRole RoleBinding/kube-system/300********************-heapster-rolebinding | ||
300******************** (deleted) RamRole RoleBinding/arms-prom/300********************-arms-prom-rolebinding | ||
300******************** (deleted) RamRole RoleBinding/default/300********************-default-rolebinding | ||
300******************** (deleted) RamRole ClusterRoleBinding/-/300********************-clusterrolebinding | ||
? Are you sure you want to cleanup these bindings? Yes | ||
start to cleanup binding: RoleBinding/kube-system/300********************-heapster-rolebinding | ||
finished cleanup binding: RoleBinding/kube-system/300********************-heapster-rolebinding | ||
start to cleanup binding: RoleBinding/arms-prom/300********************-arms-prom-rolebinding | ||
finished cleanup binding: RoleBinding/arms-prom/300********************-arms-prom-rolebinding | ||
start to cleanup binding: RoleBinding/default/300********************-default-rolebinding | ||
finished cleanup binding: RoleBinding/default/300********************-default-rolebinding | ||
start to cleanup binding: ClusterRoleBinding/-/300********************-clusterrolebinding | ||
finished cleanup binding: ClusterRoleBinding/-/300********************-clusterrolebinding | ||
all bindings have been cleanup | ||
|
||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
package binding | ||
|
||
import ( | ||
"context" | ||
"github.com/AliyunContainerService/ack-ram-tool/pkg/log" | ||
"github.com/AliyunContainerService/ack-ram-tool/pkg/openapi" | ||
"github.com/AliyunContainerService/ack-ram-tool/pkg/types" | ||
"strconv" | ||
) | ||
|
||
func ListAccounts(ctx context.Context, client openapi.RamClientInterface) (map[int64]types.Account, error) { | ||
accounts := make(map[int64]types.Account, 0) | ||
users, err := client.ListUsers(ctx) | ||
if err != nil { | ||
log.Logger.Errorf("list users failed: %s", err) | ||
return nil, err | ||
} | ||
roles, err := client.ListRoles(ctx) | ||
if err != nil { | ||
log.Logger.Errorf("list roles failed: %s", err) | ||
return nil, err | ||
} | ||
for _, u := range users { | ||
id, _ := strconv.ParseInt(u.Id, 10, 64) | ||
accounts[id] = types.Account{ | ||
Type: types.AccountTypeUser, | ||
User: u, | ||
} | ||
} | ||
for _, r := range roles { | ||
id, _ := strconv.ParseInt(r.RoleId, 10, 64) | ||
accounts[id] = types.Account{ | ||
Type: types.AccountTypeRole, | ||
Role: r, | ||
} | ||
} | ||
|
||
return accounts, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
package cleanupuserpermissions | ||
|
||
import ( | ||
"context" | ||
"github.com/AliyunContainerService/ack-ram-tool/pkg/ctl/rbac/scanuserpermissions" | ||
"github.com/AliyunContainerService/ack-ram-tool/pkg/log" | ||
"github.com/briandowns/spinner" | ||
"time" | ||
|
||
ctlcommon "github.com/AliyunContainerService/ack-ram-tool/pkg/ctl/common" | ||
"github.com/AliyunContainerService/ack-ram-tool/pkg/ctl/rbac/binding" | ||
"github.com/AliyunContainerService/ack-ram-tool/pkg/openapi" | ||
"github.com/AliyunContainerService/ack-ram-tool/pkg/types" | ||
"github.com/spf13/cobra" | ||
"k8s.io/client-go/kubernetes" | ||
) | ||
|
||
type Option struct { | ||
userId int64 | ||
|
||
clusterId string | ||
privateIpAddress bool | ||
temporaryDuration time.Duration | ||
//outputFormat OutputFormat | ||
allUsers bool | ||
} | ||
|
||
var opts = Option{ | ||
temporaryDuration: time.Hour, | ||
} | ||
|
||
var cmd = &cobra.Command{ | ||
Use: "cleanup-user-permissions", | ||
Short: "cleanup RBAC permissions for one user", | ||
Long: ``, | ||
Run: func(cmd *cobra.Command, args []string) { | ||
run() | ||
}, | ||
} | ||
|
||
func run() { | ||
ctx := context.Background() | ||
openAPIClient := ctlcommon.GetClientOrDie() | ||
|
||
oneCluster(ctx, openAPIClient, opts.clusterId) | ||
} | ||
|
||
func oneCluster(ctx context.Context, openAPIClient openapi.ClientInterface, clusterId string) { | ||
kubeClient := getKubeClient(ctx, openAPIClient, clusterId) | ||
|
||
log.Logger.Info("Start to scan users and bindings") | ||
spin := spinner.New(spinner.CharSets[9], 100*time.Millisecond) | ||
spin.Start() | ||
defer spin.Stop() | ||
|
||
rawBindings, err := binding.ListBindings(ctx, kubeClient) | ||
ctlcommon.ExitIfError(err) | ||
accounts, err := binding.ListAccounts(ctx, openAPIClient) | ||
ctlcommon.ExitIfError(err) | ||
spin.Stop() | ||
|
||
bindings := rawBindings.SortByUid() | ||
cleanup(ctx, bindings, accounts, kubeClient) | ||
} | ||
|
||
func cleanup(ctx context.Context, bindings []binding.Binding, | ||
accounts map[int64]types.Account, kube kubernetes.Interface) { | ||
var newBindings []binding.Binding | ||
for _, b := range bindings { | ||
if b.AliUid == 0 { | ||
continue | ||
} | ||
if opts.userId != 0 && b.AliUid != opts.userId { | ||
continue | ||
} | ||
acc, ok := accounts[b.AliUid] | ||
if !ok { | ||
acc = types.NewFakeAccount(b.AliUid) | ||
acc.MarkDeleted() | ||
accounts[b.AliUid] = acc | ||
} | ||
newBindings = append(newBindings, b) | ||
} | ||
|
||
log.Logger.Info("Will cleanup RBAC bindings as blow:") | ||
scanuserpermissions.OutputBindingsTable(newBindings, accounts, false) | ||
|
||
ctlcommon.YesOrExit("Are you sure you want to cleanup these bindings?") | ||
for _, b := range newBindings { | ||
log.Logger.Infof("start to cleanup binding: %s", b.String()) | ||
if err := binding.RemoveBinding(ctx, b, kube); err != nil { | ||
ctlcommon.ExitIfError(err) | ||
} | ||
log.Logger.Infof("finished cleanup binding: %s", b.String()) | ||
} | ||
log.Logger.Info("all bindings have been cleanup") | ||
} | ||
|
||
func getKubeClient(ctx context.Context, openAPIClient openapi.ClientInterface, clusterId string) kubernetes.Interface { | ||
kubeconfig, err := openAPIClient.GetUserKubeConfig(ctx, clusterId, | ||
opts.privateIpAddress, opts.temporaryDuration) | ||
ctlcommon.ExitIfError(err) | ||
|
||
client, err := ctlcommon.NewKubeClient(kubeconfig.RawData) | ||
ctlcommon.ExitIfError(err) | ||
return client | ||
} | ||
|
||
func SetupCmd(rootCmd *cobra.Command) { | ||
rootCmd.AddCommand(cmd) | ||
cmd.Flags().Int64VarP(&opts.userId, "user-id", "u", 0, "limit user id") | ||
cmd.Flags().StringVarP(&opts.clusterId, "cluster-id", "c", "", "cluster id") | ||
//cmd.Flags().BoolVarP(&opts.allUsers, "all-users", "A", false, "list all users") | ||
ctlcommon.ExitIfError(cmd.MarkFlagRequired("cluster-id")) | ||
ctlcommon.ExitIfError(cmd.MarkFlagRequired("user-id")) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.