diff --git a/README.md b/README.md
index cc547ad..baeb8ad 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,36 @@ Alternatively, to run the script immediately:
 This will trigger the cronjob to spawn a job manually.
+### multiple-ns-group-sync
+This cronjob runs once every hours at the top of the hour, adding all users with the edit rolebinding in the specified namespaces to the specified group. This cronjob differs from the original `group-sync` cronjob by syncing with multiple namespaces rather than just one namespace.
+
+1. Ensure you are logged in to your OpenShift account via the CLI and you have access to ope-rhods-testing namespace.
+Then run:
+```
+oc project ope-rhods-testing
+```
+2. Ensure the environment variables for `GROUP_NAME`, and `CLASS_NAME` are correctly set.
+
+3. From cronjobs/multiple-ns-group-sync directory run:
+
+```
+ oc apply -k . --as system:admin
+```
+
+
+This will deploy all the necessary resources for the cronjob to run on the specified schedule.(Every hour by default)
+
+Alternatively, to run the script immediately:
+
+1. Ensure you followed the steps above
+2. Verify the cronjob `multiple-ns-group-sync` exists
+```
+ oc get cronjob multiple-ns-group-sync
+```
+3.
+````
+ kubectl create job --from=cronjob/multiple-ns-group-sync -n ope-rhods-testing multiple-ns-group-sync
+````
 ## Scripts
diff --git a/cronjobs/multiple-ns-group-sync/clusterrole.yaml b/cronjobs/multiple-ns-group-sync/clusterrole.yaml
new file mode 100644
index 0000000..5e5a156
--- /dev/null
+++ b/cronjobs/multiple-ns-group-sync/clusterrole.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: multiple-ns-group-sync
+rules:
+- apiGroups:
+ - user.openshift.io
+ resources:
+ - groups
+ verbs:
+ - get
+ - update
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/cronjobs/multiple-ns-group-sync/clusterrolebinding.yaml b/cronjobs/multiple-ns-group-sync/clusterrolebinding.yaml
new file mode 100644
index 0000000..f14bd0d
--- /dev/null
+++ b/cronjobs/multiple-ns-group-sync/clusterrolebinding.yaml
@@ -0,0 +1,11 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: multiple-ns-group-sync
+subjects:
+ - kind: ServiceAccount
+ name: multiple-ns-group-sync
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: edit
diff --git a/cronjobs/multiple-ns-group-sync/cronjob.yaml b/cronjobs/multiple-ns-group-sync/cronjob.yaml
new file mode 100644
index 0000000..f91ed23
--- /dev/null
+++ b/cronjobs/multiple-ns-group-sync/cronjob.yaml
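Review bot: The `update`/`patch` verbs on `groups` in the first rule apply to every OpenShift group in the cluster, while the script only ever modifies the single group named by `GROUP_NAME`. Adding `resourceNames:` with that group's name under the first rule (`cs599-pmpp` as configured in cronjob.yaml) keeps a misconfigured or compromised job from rewriting membership of any other group, at the cost of editing this file whenever `GROUP_NAME` changes. The `watch` verb in all three rules is not used by the script and can be dropped.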
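Review bot: This file binds the service account to the built-in `edit` ClusterRole through a namespace-scoped RoleBinding, which nothing else in the diff appears to need: the cronjob script only reads namespaces and rolebindings and updates groups, and rhods-rb.yaml already grants exactly that via the custom `multiple-ns-group-sync` ClusterRole. Unless something outside this diff depends on it, the binding should be removed from kustomization.yaml, or its `roleRef.name` changed from `edit` to `multiple-ns-group-sync` so the account holds no write access to the deployment namespace. The file name and `kind: RoleBinding` also disagree; since rhods-rb.yaml is the actual ClusterRoleBinding, renaming or dropping this file would avoid the confusion.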
@@ -0,0 +1,109 @@
+kind: CronJob
+apiVersion: batch/v1
+metadata:
+ name: multiple-ns-group-sync
+ labels:
+ component.opendatahub.io/name: multiple-ns-group-sync
+ opendatahub.io/component: 'true'
+ opendatahub.io/modified: 'false'
+spec:
+ schedule: '0 * * * *'
+ startingDeadlineSeconds: 200
+ concurrencyPolicy: Allow
+ suspend: false
+ jobTemplate:
+ metadata:
+ labels:
+ component.opendatahub.io/name: multiple-ns-group-sync
+ opendatahub.io/component: 'true'
+ spec:
+ template:
+ metadata:
+ labels:
+ component.opendatahub.io/name: multiple-ns-group-sync
+ opendatahub.io/component: 'true'
+ parent: multiple-ns-group-sync
+ spec:
+ restartPolicy: Never
+ serviceAccountName: multiple-ns-group-sync
+ schedulerName: default-scheduler
+ terminationGracePeriodSeconds: 30
+ securityContext: {}
+ containers:
+ - name: oc-cli
+ image: >-
+ registry.redhat.io/openshift4/ose-cli@sha256:25fef269ac6e7491cb8340119a9b473acbeb53bc6970ad029fdaae59c3d0ca61
+ command: ["/bin/bash", "-c", "--"]
+ args:
+ - |
+ # get everyone in current grouping
+ group_users=($(oc get groups $GROUP_NAME -o jsonpath='{.users[*]}'))
+
+ # get everyone who has edit permissions on a workbench
+ curr_users=()
+
+ namespaces=($(oc get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep "^${CLASS_NAME}-"))
+
+ for ns in "${namespaces[@]}"; do
+ users=$(oc -n "$ns" get rolebinding -o jsonpath='{range .items[?(@.roleRef.name=="edit")].subjects[?(@.kind=="User")]}{.name}{"\n"}{end}')
+ for u in $users; do
+ [[ -z "$u" ]] && continue
+
+ # if not in already in current users, add to current users
+ [[ " ${curr_users[*]} " =~ " $u " ]] || curr_users+=("$u")
+ done
+ done
+
+ # add users to the group who have rolebindings, but are not in the group
+ users_to_add=()
+ # remove users who are in the group, but dont have rolebindings
+ users_to_remove=()
+
+ for u in ${curr_users[@]}; do
+ # if not in group users, but in current users, add user
+ if [[ !
" ${group_users[*]} " =~ " $u " ]]; then + users_to_add+=("$u") + fi + done + + for u in ${group_users[@]}; do + # if not in group users, but in current users, add user + if [[ ! " ${curr_users[*]} " =~ " $u " ]]; then + users_to_remove+=("$u") + fi + done + + echo "users to add:" + echo ${users_to_add[@]} + echo " " + + echo "users to remove:" + echo ${users_to_remove[@]} + echo " " + + if [ ${#users_to_add[@]} -gt 0 ]; then + oc adm groups add-users "$GROUP_NAME" "${users_to_add[@]}" + fi + + if [ ${#users_to_remove[@]} -gt 0 ]; then + oc adm groups remove-users "$GROUP_NAME" "${users_to_remove[@]}" + fi + env: + # EDIT VALUE HERE BEFORE RUNNING + - name: CLASS_NAME + value: "bu-cs599-pmpp-cuda" + - name: GROUP_NAME + value: "cs599-pmpp" + resources: + limits: + cpu: 100m + memory: 800Mi + requests: + cpu: 100m + memory: 400Mi + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + imagePullPolicy: IfNotPresent + dnsPolicy: ClusterFirst + successfulJobsHistoryLimit: 7 + failedJobsHistoryLimit: 7 diff --git a/cronjobs/multiple-ns-group-sync/kustomization.yaml b/cronjobs/multiple-ns-group-sync/kustomization.yaml new file mode 100644 index 0000000..51d752e --- /dev/null +++ b/cronjobs/multiple-ns-group-sync/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - clusterrole.yaml + - cronjob.yaml + - clusterrolebinding.yaml + - serviceaccount.yaml + - rhods-rb.yaml +namespace: ope-rhods-testing diff --git a/cronjobs/multiple-ns-group-sync/rhods-rb.yaml b/cronjobs/multiple-ns-group-sync/rhods-rb.yaml new file mode 100644 index 0000000..dd0d525 --- /dev/null +++ b/cronjobs/multiple-ns-group-sync/rhods-rb.yaml 
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: multiple-ns-group-sync-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: multiple-ns-group-sync
+subjects:
+ - kind: ServiceAccount
+ name: multiple-ns-group-sync
+ namespace: ope-rhods-testing
diff --git a/cronjobs/multiple-ns-group-sync/serviceaccount.yaml b/cronjobs/multiple-ns-group-sync/serviceaccount.yaml
new file mode 100644
index 0000000..3c198f3
--- /dev/null
+++ b/cronjobs/multiple-ns-group-sync/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: multiple-ns-group-sync