
Ensure that impersonation pods are deleted after an hour

This commit is contained in:
Darren Shepherd 2020-09-17 12:23:07 -07:00
parent cfede8c002
commit 7c151f76f8


@ -3,6 +3,7 @@ package podimpersonation
import ( import (
"context" "context"
"fmt" "fmt"
"sync"
"time" "time"
"github.com/rancher/steve/pkg/stores/proxy" "github.com/rancher/steve/pkg/stores/proxy"
@ -35,6 +36,8 @@ type PodImpersonation struct {
cg proxy.ClientGetter cg proxy.ClientGetter
key string key string
imageName func() string imageName func() string
pending map[string]bool
pendingLock sync.Mutex
} }
func New(key string, cg proxy.ClientGetter, roleTimeout time.Duration, imageName func() string) *PodImpersonation { func New(key string, cg proxy.ClientGetter, roleTimeout time.Duration, imageName func() string) *PodImpersonation {
@ -43,6 +46,7 @@ func New(key string, cg proxy.ClientGetter, roleTimeout time.Duration, imageName
cg: cg, cg: cg,
key: key, key: key,
imageName: imageName, imageName: imageName,
pending: map[string]bool{},
} }
} }
@ -65,17 +69,40 @@ func (s *PodImpersonation) PurgeOldRoles(gvr schema.GroupVersionResource, key st
return nil return nil
} }
client, err := s.cg.AdminK8sInterface()
if err != nil {
return nil
}
if meta.GetCreationTimestamp().Add(s.roleTimeout).Before(time.Now()) { if meta.GetCreationTimestamp().Add(s.roleTimeout).Before(time.Now()) {
client, err := s.cg.AdminK8sInterface()
if err != nil {
return nil
}
name := meta.GetName() name := meta.GetName()
go func() { go func() {
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
defer cancel() defer cancel()
_ = client.RbacV1().ClusterRoles().Delete(ctx, name, metav1.DeleteOptions{}) _ = client.RbacV1().ClusterRoles().Delete(ctx, name, metav1.DeleteOptions{})
}() }()
} else {
s.pendingLock.Lock()
defer s.pendingLock.Unlock()
name := meta.GetName()
wait := meta.GetCreationTimestamp().Add(s.roleTimeout).Sub(time.Now())
if !s.pending[meta.GetName()] {
s.pending[meta.GetName()] = true
go func() {
time.Sleep(wait)
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
defer cancel()
_ = client.RbacV1().ClusterRoles().Delete(ctx, name, metav1.DeleteOptions{})
s.pendingLock.Lock()
delete(s.pending, name)
s.pendingLock.Unlock()
}()
}
} }
return nil return nil
@ -519,7 +546,7 @@ func (s *PodImpersonation) augmentPod(pod *v1.Pod, sa *v1.ServiceAccount) *v1.Po
Value: "/root/.kube/config", Value: "/root/.kube/config",
}, },
}, },
Command: []string{"kubectl", "proxy"}, Command: []string{"sh", "-c", "kubectl proxy || true"},
SecurityContext: &v1.SecurityContext{ SecurityContext: &v1.SecurityContext{
RunAsUser: &zero, RunAsUser: &zero,
RunAsGroup: &zero, RunAsGroup: &zero,
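Review bot: The deferred delete in the new `else` branch of PurgeOldRoles (`@ -65,17 +69,40`) sleeps for up to roleTimeout and then removes whatever ClusterRole carries `name` at that moment, not the object that was observed when the timer was armed; if a role with the same name is recreated in the meantime it is deleted too. Scoping the request to the observed UID avoids that: capture `uid := meta.GetUID()` next to `name` and issue `_ = client.RbacV1().ClusterRoles().Delete(ctx, name, metav1.DeleteOptions{Preconditions: &metav1.Preconditions{UID: &uid}})` in the goroutine (the immediate-delete branch above it would benefit from the same precondition). The delete error is discarded in both branches, so a role that outlives its timeout because of an RBAC or timeout failure leaves no trace; logging anything other than a not-found error would make that visible, and the `pending` entry is keyed by name alone, which presumably is unique per role here but is worth confirming since the function also takes a gvr. PurgeOldRoles starts before the hunk.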