Delete cluster-owned service account roles upon cluster deletion

This commit is contained in:
John Gardiner Myers 2021-05-15 11:50:52 -07:00
parent 4baf2cbdcf
commit a41d0e21be
1 changed files with 27 additions and 22 deletions


@ -1938,33 +1938,27 @@ func DeleteIAMRole(cloud fi.Cloud, r *resources.Resource) error {
func ListIAMRoles(cloud fi.Cloud, clusterName string) ([]*resources.Resource, error) { func ListIAMRoles(cloud fi.Cloud, clusterName string) ([]*resources.Resource, error) {
c := cloud.(awsup.AWSCloud) c := cloud.(awsup.AWSCloud)
remove := make(map[string]bool) var resourceTrackers []*resources.Resource
remove["masters."+clusterName] = true // Find roles owned by the cluster
remove["nodes."+clusterName] = true
remove["bastions."+clusterName] = true
var roles []*iam.Role
// Find roles matching remove map
{ {
var getRoleErr error
ownershipTag := "kubernetes.io/cluster/" + clusterName
request := &iam.ListRolesInput{} request := &iam.ListRolesInput{}
err := c.IAM().ListRolesPages(request, func(p *iam.ListRolesOutput, lastPage bool) bool { err := c.IAM().ListRolesPages(request, func(p *iam.ListRolesOutput, lastPage bool) bool {
for _, r := range p.Roles { for _, r := range p.Roles {
name := aws.StringValue(r.RoleName) name := aws.StringValue(r.RoleName)
if remove[name] { if !strings.HasSuffix(name, "."+clusterName) {
roles = append(roles, r) continue
} }
}
return true getRequest := &iam.GetRoleInput{RoleName: r.RoleName}
}) roleOutput, err := c.IAM().GetRole(getRequest)
if err != nil { if err != nil {
return nil, fmt.Errorf("error listing IAM roles: %v", err) getRoleErr = fmt.Errorf("calling IAM GetRole on %s: %w", name, err)
return false
} }
} for _, tag := range roleOutput.Role.Tags {
if fi.StringValue(tag.Key) == ownershipTag && fi.StringValue(tag.Value) == "owned" {
var resourceTrackers []*resources.Resource
for _, role := range roles {
name := aws.StringValue(role.RoleName)
resourceTracker := &resources.Resource{ resourceTracker := &resources.Resource{
Name: name, Name: name,
ID: name, ID: name,
@ -1973,6 +1967,17 @@ func ListIAMRoles(cloud fi.Cloud, clusterName string) ([]*resources.Resource, er
} }
resourceTrackers = append(resourceTrackers, resourceTracker) resourceTrackers = append(resourceTrackers, resourceTracker)
} }
}
}
return true
})
if getRoleErr != nil {
return nil, getRoleErr
}
if err != nil {
return nil, fmt.Errorf("error listing IAM roles: %v", err)
}
}
return resourceTrackers, nil return resourceTrackers, nil
} }
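Review bot: The comment `// Find roles owned by the cluster` on the new side should say that the `strings.HasSuffix(name, "."+clusterName)` test is only a cheap prefilter to avoid a GetRole call per role, and that the `kubernetes.io/cluster/<clusterName>=owned` tag is the sole criterion that qualifies a role for deletion — otherwise a later cleanup could "simplify" by dropping the tag check and start deleting roles of a differently-named cluster whose name happens to end in the same suffix; I would write `// The name suffix is only a prefilter; the ownership tag is what authorizes deletion.` above the GetRole call. Any GetRole failure now aborts the whole listing, including what appears to be a benign case where a role matched by ListRoles is deleted before GetRole reaches it; if the SDK's not-found error is distinguishable, treating it as "skip this role" would make cleanup less likely to stall, though failing closed here is the safer default and may be intended. The new wrap uses `%w` while the surviving `fmt.Errorf("error listing IAM roles: %v", err)` keeps `%v`, so the two errors from one function unwrap differently; `%w` on both would be consistent. The new code also mixes `aws.StringValue` for the role name with `fi.StringValue` for the tags, which reads as if they differ. The struct literal between the two hunks is outside this view, and whether `strings` is already imported by this file cannot be seen here.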