Page MenuHomePhabricator

toolforge: rbac: change existing roles to reference PSP in the policy group
Closed, ResolvedPublic

Description

maintain_kubeusers has been creating roles for Toolforge tools referencing PSP in the extension API group rather than policy.

We may need to 'backfill' existing resources to refresh this.

See also:

Related Objects

Event Timeline

Patch file:

[
    { "op": "replace", "path": "/rules/0/apiGroups/0", "value": "policy" }
]

Command to find affected roles:

root@tools-k8s-control-5:~/psp-patch# kubectl get role -A -o json | jq '.items[] | select(.rules[0].apiGroups[0] == "extensions") | select(.rules[0].resources[0] == "podsecuritypolicies") | [.metadata.namespace, .metadata.name]'

Final command line:

root@tools-k8s-control-5:~/psp-patch# kubectl get role -A -o json | jq -r '.items[] | select(.rules[0].apiGroups[0] == "extensions") | select(.rules[0].resources[0] == "podsecuritypolicies") | .metadata.namespace + " role " + .metadata.name' | xargs -L 1 kubectl patch --type=json --patch-file=patch.json -n

Mentioned in SAL (#wikimedia-cloud) [2023-04-10T10:46:38Z] <taavi> patch existing PSP roles to use policy/v1beta1 T331619