istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tools/convert_RbacConfig_to_ClusterRbacConfig.sh (about)

     1  #!/bin/bash
     2  
     3  # Copyright Istio Authors
     4  #
     5  # Licensed under the Apache License, Version 2.0 (the "License");
     6  # you may not use this file except in compliance with the License.
     7  # You may obtain a copy of the License at
     8  #
     9  #    http://www.apache.org/licenses/LICENSE-2.0
    10  #
    11  # Unless required by applicable law or agreed to in writing, software
    12  # distributed under the License is distributed on an "AS IS" BASIS,
    13  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14  # See the License for the specific language governing permissions and
    15  # limitations under the License.
    16  
    17  set -e
    18  set -u
    19  
    20  # This script is provided to help converting RbacConfig to ClusterRbacConfig automatically. The RbacConfig
    21  # will be deleted after the corresponding ClusterRbacConfig is successfully applied.
    22  # The RbacConfig is deprecated by ClusterRbacConfig due to an implementation bug that could cause the
    23  # RbacConfig to be namespace scoped in some cases. The ClusterRbacConfig has exactly same specification
    24  # as the RbacConfig, but with correctly implemented cluster scope.
    25  
    26  RBAC_CONFIGS=$(kubectl get RbacConfig --all-namespaces --no-headers --ignore-not-found)
    27  if [ "${RBAC_CONFIGS}" == "" ]
    28  then
    29    echo "RbacConfig not found"
    30    exit 0
    31  fi
    32  
    33  RBAC_CONFIG_COUNT=$(echo "${RBAC_CONFIGS}" | wc -l)
    34  if [ "${RBAC_CONFIG_COUNT}" -ne 1 ]
    35  then
    36    echo "${RBAC_CONFIGS}"
    37    echo "found ${RBAC_CONFIG_COUNT} RbacConfigs, expecting only 1. Please delete extra RbacConfigs and execute again."
    38    exit 1
    39  fi
    40  
    41  NS=$(echo "${RBAC_CONFIGS}" | cut -f 1 -d ' ')
    42  echo "converting RbacConfig in namespace $NS to ClusterRbacConfig"
    43  
    44  SPEC=$(kubectl get RbacConfig default -n "${NS}" -o yaml | sed -n -e '/spec:/,$p')
    45  
    46  cat <<EOF | kubectl apply -n "${NS}" -f -
    47  apiVersion: "rbac.istio.io/v1alpha1"
    48  kind: ClusterRbacConfig
    49  metadata:
    50    name: default
    51  ${SPEC}
    52  EOF
    53  
    54  # shellcheck disable=SC2181
    55  if [ $? -ne 0 ]
    56  then
    57    echo "failed to apply ClusterRbacConfig"
    58    exit 1
    59  fi
    60  
    61  echo "waiting for 15 seconds to delete RbacConfig"
    62  sleep 15
    63  kubectl delete RbacConfig --all -n "${NS}"