|
| 1 | +kind: CronJob |
| 2 | +apiVersion: batch/v1 |
| 3 | +metadata: |
| 4 | + name: multiple-ns-group-sync |
| 5 | + labels: |
| 6 | + component.opendatahub.io/name: multiple-ns-group-sync |
| 7 | + opendatahub.io/component: 'true' |
| 8 | + opendatahub.io/modified: 'false' |
| 9 | +spec: |
| 10 | + schedule: '0 * * * *' |
| 11 | + startingDeadlineSeconds: 200 |
| 12 | + concurrencyPolicy: Allow |
| 13 | + suspend: false |
| 14 | + jobTemplate: |
| 15 | + metadata: |
| 16 | + labels: |
| 17 | + component.opendatahub.io/name: multiple-ns-group-sync |
| 18 | + opendatahub.io/component: 'true' |
| 19 | + spec: |
| 20 | + template: |
| 21 | + metadata: |
| 22 | + labels: |
| 23 | + component.opendatahub.io/name: multiple-ns-group-sync |
| 24 | + opendatahub.io/component: 'true' |
| 25 | + parent: multiple-ns-group-sync |
| 26 | + spec: |
| 27 | + restartPolicy: Never |
| 28 | + serviceAccountName: multiple-ns-group-sync |
| 29 | + schedulerName: default-scheduler |
| 30 | + terminationGracePeriodSeconds: 30 |
| 31 | + securityContext: {} |
| 32 | + containers: |
| 33 | + - name: oc-cli |
| 34 | + image: >- |
| 35 | + registry.redhat.io/openshift4/ose-cli@sha256:25fef269ac6e7491cb8340119a9b473acbeb53bc6970ad029fdaae59c3d0ca61 |
| 36 | + command: ["/bin/bash", "-c", "--"] |
| 37 | + args: |
| 38 | + - | |
| 39 | + # get everyone in current grouping |
| 40 | + group_users=($(oc get groups --as system:admin $GROUP_NAME -o jsonpath='{.users[*]}')) |
| 41 | +
|
| 42 | + # get everyone who has edit permissions on a workbench |
| 43 | + curr_users=() |
| 44 | +
|
| 45 | + namespaces=($(oc get ns --as system:admin -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep "^${CLASS_NAME}-")) |
| 46 | +
|
| 47 | + for ns in "${namespaces[@]}"; do |
| 48 | + users=$(oc -n "$ns" get rolebinding -o jsonpath='{range .items[?(@.roleRef.name=="edit")].subjects[?(@.kind=="User")]}{.name}{"\n"}{end}') |
| 49 | + for u in $users; do |
| 50 | + [[ -z "$u" ]] && continue |
| 51 | +
|
| 52 | + # if not in already in current users, add to current users |
| 53 | + [[ " ${curr_users[*]} " =~ " $u " ]] || curr_users+=("$u") |
| 54 | + done |
| 55 | + done |
| 56 | +
|
| 57 | + # add users to the group who have rolebindings, but are not in the group |
| 58 | + users_to_add=() |
| 59 | + # remove users who are in the group, but dont have rolebindings |
| 60 | + users_to_remove=() |
| 61 | +
|
| 62 | + for u in ${curr_users[@]}; do |
| 63 | + # if not in group users, but in current users, add user |
| 64 | + if [[ ! " ${group_users[*]} " =~ " $u " ]]; then |
| 65 | + users_to_add+=("$u") |
| 66 | + fi |
| 67 | + done |
| 68 | +
|
| 69 | + for u in ${group_users[@]}; do |
| 70 | + # if not in group users, but in current users, add user |
| 71 | + if [[ ! " ${curr_users[*]} " =~ " $u " ]]; then |
| 72 | + users_to_remove+=("$u") |
| 73 | + fi |
| 74 | + done |
| 75 | +
|
| 76 | + echo "users to add:" |
| 77 | + echo ${users_to_add[@]} |
| 78 | + echo " " |
| 79 | +
|
| 80 | + echo "users to remove:" |
| 81 | + echo ${users_to_remove[@]} |
| 82 | + echo " " |
| 83 | +
|
| 84 | + if [ ${#users_to_add[@]} -gt 0 ]; then |
| 85 | + oc adm groups add-users --as system:admin "$GROUP_NAME" "${users_to_add[@]}" |
| 86 | + fi |
| 87 | +
|
| 88 | + if [ ${#users_to_remove[@]} -gt 0 ]; then |
| 89 | + oc adm groups remove-users --as system:admin "$GROUP_NAME" "${users_to_remove[@]}" |
| 90 | + fi |
| 91 | + env: |
| 92 | + # EDIT VALUE HERE BEFORE RUNNING |
| 93 | + - name: CLASS_NAME |
| 94 | + value: "bu-cs599-pmpp-cuda" |
| 95 | + - name: GROUP_NAME |
| 96 | + value: "cs599-pmpp" |
| 97 | + resources: |
| 98 | + limits: |
| 99 | + cpu: 100m |
| 100 | + memory: 800Mi |
| 101 | + requests: |
| 102 | + cpu: 100m |
| 103 | + memory: 400Mi |
| 104 | + terminationMessagePath: /dev/termination-log |
| 105 | + terminationMessagePolicy: File |
| 106 | + imagePullPolicy: IfNotPresent |
| 107 | + dnsPolicy: ClusterFirst |
| 108 | + successfulJobsHistoryLimit: 7 |
| 109 | + failedJobsHistoryLimit: 7 |
0 commit comments