Solve conflicts from main branch (after sync)

yonahd · Oct 16, 2024 · 7e0d786 · 7e0d786
1 parent 64e7aac
commit 7e0d786
Show file tree

Hide file tree

Showing 7 changed files with 392 additions and 0 deletions.
diff --git a/pkg/kor/all.go b/pkg/kor/all.go
@@ -265,6 +265,19 @@ func getUnusedNetworkPolicies(clientset kubernetes.Interface, namespace string,
 	return namespaceNetpolDiff
 }
 
+func getUnusedRoleBindings(clientset kubernetes.Interface, namespace string, filterOpts *filters.Options) ResourceDiff {
+	roleBindingDiff, err := processNamespaceRoleBindings(clientset, namespace, filterOpts)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to get %s namespace %s: %v\n", "RoleBindings", namespace, err)
+	}
+
+	namespaceRoleBindingDiff := ResourceDiff{
+		"RoleBinding",
+		roleBindingDiff,
+	}
+	return namespaceRoleBindingDiff
+}
+
 func getUnusedArgoRollouts(clientset kubernetes.Interface, clientsetargorollouts versioned.Interface, namespace string, filterOpts *filters.Options) ResourceDiff {
 	argoRolloutsDiff, err := processNamespaceArgoRollouts(clientset, clientsetargorollouts, namespace, filterOpts)
 	if err != nil {
@@ -300,6 +313,7 @@ func GetUnusedAllNamespaced(filterOpts *filters.Options, clientset kubernetes.In
 			resources[namespace]["ReplicaSet"] = getUnusedReplicaSets(clientset, namespace, filterOpts).diff
 			resources[namespace]["DaemonSet"] = getUnusedDaemonSets(clientset, namespace, filterOpts).diff
 			resources[namespace]["NetworkPolicy"] = getUnusedNetworkPolicies(clientset, namespace, filterOpts).diff
+			resources[namespace]["RoleBinding"] = getUnusedRoleBindings(clientset, namespace, filterOpts).diff
 		case "resource":
 			appendResources(resources, "ConfigMap", namespace, getUnusedCMs(clientset, namespace, filterOpts).diff)
 			appendResources(resources, "Service", namespace, getUnusedSVCs(clientset, namespace, filterOpts).diff)
@@ -318,6 +332,7 @@ func GetUnusedAllNamespaced(filterOpts *filters.Options, clientset kubernetes.In
 			appendResources(resources, "ReplicaSet", namespace, getUnusedReplicaSets(clientset, namespace, filterOpts).diff)
 			appendResources(resources, "DaemonSet", namespace, getUnusedDaemonSets(clientset, namespace, filterOpts).diff)
 			appendResources(resources, "NetworkPolicy", namespace, getUnusedNetworkPolicies(clientset, namespace, filterOpts).diff)
+			appendResources(resources, "RoleBinding", namespace, getUnusedRoleBindings(clientset, namespace, filterOpts).diff)
 		}
 	}
 

diff --git a/pkg/kor/delete.go b/pkg/kor/delete.go
@@ -204,7 +204,10 @@ func updateResource(clientset kubernetes.Interface, namespace, resourceType stri
 		return clientset.StorageV1().StorageClasses().Update(context.TODO(), resource.(*storagev1.StorageClass), metav1.UpdateOptions{})
 	case "NetworkPolicy":
 		return clientset.NetworkingV1().NetworkPolicies(namespace).Update(context.TODO(), resource.(*networkingv1.NetworkPolicy), metav1.UpdateOptions{})
+	case "RoleBinding":
+		return clientset.RbacV1().RoleBindings(namespace).Update(context.TODO(), resource.(*rbacv1.RoleBinding), metav1.UpdateOptions{})
 	}
+
 	return nil, fmt.Errorf("resource type '%s' is not supported", resourceType)
 }
 
@@ -256,6 +259,8 @@ func getResource(clientset kubernetes.Interface, namespace, resourceType, resour
 		return clientset.StorageV1().StorageClasses().Get(context.TODO(), resourceName, metav1.GetOptions{})
 	case "NetworkPolicy":
 		return clientset.NetworkingV1().NetworkPolicies(namespace).Get(context.TODO(), resourceName, metav1.GetOptions{})
+	case "RoleBinding":
+		return clientset.RbacV1().RoleBindings(namespace).Get(context.TODO(), resourceName, metav1.GetOptions{})
 	}
 	return nil, fmt.Errorf("resource type '%s' is not supported", resourceType)
 }

diff --git a/pkg/kor/exceptions/rolebindings/rolebindings.json b/pkg/kor/exceptions/rolebindings/rolebindings.json
@@ -0,0 +1,34 @@
+{
+    "exceptionRoleBindings": [
+        {
+            "Namespace": "kube-public",
+            "ResourceName": "kubeadm:bootstrap-signer-clusterinfo"
+        },
+        {
+            "Namespace": "kube-public",
+            "ResourceName": "system:controller:bootstrap-signer"
+        },
+        {
+            "Namespace": "kube-system",
+            "ResourceName": "kube-proxy"
+        },
+        {
+            "Namespace": "kube-system",
+            "ResourceName": "kubeadm:kubelet-config"
+        },
+        {
+            "Namespace": "kube-system",
+            "ResourceName": "kubeadm:nodes-kubeadm-config"
+        },
+        {
+            "Namespace": "kube-system",
+            "ResourceName": "system::*",
+            "MatchRegex": true
+        },
+        {
+            "Namespace": "kube-system",
+            "ResourceName": "system:controller:*",
+            "MatchRegex": true
+        }
+    ]
+}
diff --git a/pkg/kor/kor.go b/pkg/kor/kor.go
@@ -39,6 +39,7 @@ type Config struct {
 	ExceptionStorageClasses  []ExceptionResource `json:"exceptionStorageClasses"`
 	ExceptionJobs            []ExceptionResource `json:"exceptionJobs"`
 	ExceptionPdbs            []ExceptionResource `json:"exceptionPdbs"`
+	ExceptionRoleBindings    []ExceptionResource `json:"exceptionRoleBindings"`
 	// Add other configurations if needed
 }
 
@@ -206,3 +207,17 @@ func resourceInfoContains(slice []ResourceInfo, item string) bool {
 	}
 	return false
 }
+
+// Convert a slice of names into a map for fast lookup
+func convertNamesToPresenseMap(names []string, _ []string, err error) (map[string]bool, error) {
+	if err != nil {
+		return nil, err
+	}
+
+	namesMap := make(map[string]bool)
+	for _, n := range names {
+		namesMap[n] = true
+	}
+
+	return namesMap, nil
+}
diff --git a/pkg/kor/multi.go b/pkg/kor/multi.go
@@ -90,6 +90,8 @@ func retrieveNamespaceDiffs(clientset kubernetes.Interface, clientsetargorollout
 			diffResult = getUnusedDaemonSets(clientset, namespace, filterOpts)
 		case "netpol", "networkpolicy", "networkpolicies":
 			diffResult = getUnusedNetworkPolicies(clientset, namespace, filterOpts)
+		case "rolebinding", "rolebindings":
+			diffResult = getUnusedNetworkPolicies(clientset, namespace, filterOpts)
 		case "argorollouts":
 			diffResult = getUnusedArgoRollouts(clientset, clientsetargorollouts, namespace, filterOpts)
 		default:

diff --git a/pkg/kor/rolebindings.go b/pkg/kor/rolebindings.go
@@ -0,0 +1,158 @@
+package kor
+
+import (
+	"bytes"
+	"context"
+	_ "embed"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	v1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+
+	"github.com/yonahd/kor/pkg/common"
+	"github.com/yonahd/kor/pkg/filters"
+)
+
+//go:embed exceptions/rolebindings/rolebindings.json
+var roleBindingsConfig []byte
+
+// Filter out subjects base on Kind, can be later used for User and Group
+func filterSubjects(subjects []v1.Subject, kind string) []v1.Subject {
+	var serviceAccountSubjects []v1.Subject
+	for _, subject := range subjects {
+		if subject.Kind == kind {
+			serviceAccountSubjects = append(serviceAccountSubjects, subject)
+		}
+	}
+	return serviceAccountSubjects
+}
+
+// Check if any valid service accounts exist in the RoleBinding
+func isUsingValidServiceAccount(serviceAccounts []v1.Subject, serviceAccountNames map[string]bool) bool {
+	for _, sa := range serviceAccounts {
+		if serviceAccountNames[sa.Name] {
+			return true
+		}
+	}
+	return false
+}
+
+func validateRoleReference(rb v1.RoleBinding, roleNames, clusterRoleNames map[string]bool) *ResourceInfo {
+	if rb.RoleRef.Kind == "Role" && !roleNames[rb.RoleRef.Name] {
+		return &ResourceInfo{Name: rb.Name, Reason: "RoleBinding references a non-existing Role"}
+	}
+
+	if rb.RoleRef.Kind == "ClusterRole" && !clusterRoleNames[rb.RoleRef.Name] {
+		return &ResourceInfo{Name: rb.Name, Reason: "RoleBinding references a non-existing ClusterRole"}
+	}
+
+	return nil
+}
+
+func processNamespaceRoleBindings(clientset kubernetes.Interface, namespace string, filterOpts *filters.Options) ([]ResourceInfo, error) {
+	roleBindingsList, err := clientset.RbacV1().RoleBindings(namespace).List(context.TODO(), metav1.ListOptions{LabelSelector: filterOpts.IncludeLabels})
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames, err := convertNamesToPresenseMap(retrieveRoleNames(clientset, namespace, filterOpts))
+	if err != nil {
+		return nil, err
+	}
+
+	clusterRoleNames, err := convertNamesToPresenseMap(retrieveClusterRoleNames(clientset, filterOpts))
+	if err != nil {
+		return nil, err
+	}
+
+	serviceAccountNames, err := convertNamesToPresenseMap(retrieveServiceAccountNames(clientset, namespace, filterOpts))
+	if err != nil {
+		return nil, err
+	}
+
+	config, err := unmarshalConfig(roleBindingsConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	var unusedRoleBindingNames []ResourceInfo
+
+	for _, rb := range roleBindingsList.Items {
+		if pass, _ := filter.SetObject(&rb).Run(filterOpts); pass {
+			continue
+		}
+
+		if exceptionFound, err := isResourceException(rb.Name, rb.Namespace, config.ExceptionRoleBindings); err != nil {
+			return nil, err
+		} else if exceptionFound {
+			continue
+		}
+
+		roleReferenceIssue := validateRoleReference(rb, roleNames, clusterRoleNames)
+		if roleReferenceIssue != nil {
+			unusedRoleBindingNames = append(unusedRoleBindingNames, *roleReferenceIssue)
+			continue
+		}
+
+		serviceAccountSubjects := filterSubjects(rb.Subjects, "ServiceAccount")
+
+		// If other kinds (Users/Groups) are used, we assume they exists for now
+		if len(serviceAccountSubjects) != len(rb.Subjects) {
+			continue
+		}
+
+		// Check if RoleBinding uses a valid service account
+		if !isUsingValidServiceAccount(serviceAccountSubjects, serviceAccountNames) {
+			unusedRoleBindingNames = append(unusedRoleBindingNames, ResourceInfo{Name: rb.Name, Reason: "RoleBinding references a non-existing ServiceAccount"})
+		}
+	}
+
+	return unusedRoleBindingNames, nil
+}
+
+func GetUnusedRoleBindings(filterOpts *filters.Options, clientset kubernetes.Interface, outputFormat string, opts common.Opts) (string, error) {
+	resources := make(map[string]map[string][]ResourceInfo)
+	for _, namespace := range filterOpts.Namespaces(clientset) {
+		diff, err := processNamespaceRoleBindings(clientset, namespace, filterOpts)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Failed to process namespace %s: %v\n", namespace, err)
+			continue
+		}
+
+		if opts.DeleteFlag {
+			if diff, err = DeleteResource(diff, clientset, namespace, "RoleBinding", opts.NoInteractive); err != nil {
+				fmt.Fprintf(os.Stderr, "Failed to delete RoleBinding %s in namespace %s: %v\n", diff, namespace, err)
+			}
+		}
+
+		switch opts.GroupBy {
+		case "namespace":
+			resources[namespace] = make(map[string][]ResourceInfo)
+			resources[namespace]["RoleBinding"] = diff
+		case "resource":
+			appendResources(resources, "RoleBinding", namespace, diff)
+		}
+	}
+
+	var outputBuffer bytes.Buffer
+	var jsonResponse []byte
+	switch outputFormat {
+	case "table":
+		outputBuffer = FormatOutput(resources, opts)
+	case "json", "yaml":
+		var err error
+		if jsonResponse, err = json.MarshalIndent(resources, "", " "); err != nil {
+			return "", err
+		}
+	}
+
+	unusedRoleBindings, err := unusedResourceFormatter(outputFormat, outputBuffer, opts, jsonResponse)
+	if err != nil {
+		fmt.Printf("err: %v\n", err)
+	}
+
+	return unusedRoleBindings, nil
+}