OpenShift LDAP Users Cleaner
OSLUC does the following:

- Gets a list of all OpenShift users (the equivalent of `oc get users -o yaml`), using either in-cluster credentials or the kubeconfig named by the `KUBECONFIG` environment variable
- Binds to the LDAP service using configuration read from an LDAPSyncConfig-compatible YAML file
  - The file needs to be mounted inside the container; its path is configured with the `OSLUC_LDAP_SYNC_CONFIG_PATH` environment variable
- Traverses the user list, processing only the subset of users that pass the following check
  - Checks that the user's identities list contains exactly one entry, prefixed with the LDAP identity provider name. The prefix value is read from the `OSLUC_USER_IDENTITY_PREFIX` environment variable
- Searches LDAP for the presence and status of each such user
- If the user is deactivated in LDAP or not found there, removes the User and the Identity resource, but only when `OSLUC_CONFIRM` is set to `TRUE`; otherwise the run is a dry run and nothing is deleted
To deploy OSLUC:

- Create a CronJob that
  - uses this image
  - mounts a ConfigMap containing the LDAPSyncConfig
  - mounts a Secret containing the LDAP bind credentials
  - runs under a separate service account
- Give that service account permission to use the verbs `delete`, `get`, `list` on `User.user.openshift.io/v1` and `Identity.user.openshift.io/v1`
- Set the environment variables as described in the `environment.md` file
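The steps above as one manifest, added here as an example; it is not part of the OSLUC repository. The image reference, namespace, schedule, LDAP URL, bind DN and identity-provider prefix are placeholders (marked `REPLACE_ME`) and assumptions of this example, as are the mount paths under `/etc/osluc`. Only the three environment variables named in the description are set; `environment.md` may document more. `OSLUC_CONFIRM` is deliberately left out so that every run is a dry run until you opt in.

```yaml
# Added example deployment for OSLUC (not from the project). Apply with:
#   oc apply -f osluc.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: osluc
  namespace: osluc                  # REPLACE_ME: namespace the CronJob runs in
---
# User and Identity are cluster-scoped, so the grant is a ClusterRole bound
# with a ClusterRoleBinding, limited to the three verbs the tool needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: osluc-user-cleaner
rules:
  - apiGroups: ["user.openshift.io"]
    resources: ["users", "identities"]
    verbs: ["get", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: osluc-user-cleaner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: osluc-user-cleaner
subjects:
  - kind: ServiceAccount
    name: osluc
    namespace: osluc
---
# LDAPSyncConfig-compatible file. The bind password is read from the mounted
# Secret (bindPassword.file) instead of being stored in the ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: osluc-ldap-sync-config
  namespace: osluc
data:
  ldap-sync-config.yaml: |
    kind: LDAPSyncConfig
    apiVersion: v1
    url: ldaps://ldap.example.com:636                 # REPLACE_ME
    bindDN: cn=osluc,ou=service,dc=example,dc=com     # REPLACE_ME
    bindPassword:
      file: /etc/osluc/secret/bindPassword
    insecure: false
    ca: /etc/osluc/secret/ca.crt
---
# The Secret (osluc-ldap-bind) is created out of band rather than committed:
#   oc -n osluc create secret generic osluc-ldap-bind \
#     --from-file=bindPassword=./bindPassword --from-file=ca.crt=./ldap-ca.crt
apiVersion: batch/v1
kind: CronJob
metadata:
  name: osluc
  namespace: osluc
spec:
  schedule: "0 2 * * *"             # nightly; adjust as needed
  concurrencyPolicy: Forbid         # never run two cleaners at the same time
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: osluc
          restartPolicy: Never
          containers:
            - name: osluc
              image: REPLACE_ME/osluc:TAG       # the OSLUC image
              env:
                - name: OSLUC_LDAP_SYNC_CONFIG_PATH
                  value: /etc/osluc/config/ldap-sync-config.yaml
                - name: OSLUC_USER_IDENTITY_PREFIX
                  value: "ldap:"                # REPLACE_ME: "<identity provider name>:"
                # OSLUC_CONFIRM is intentionally absent: without it every run is
                # a dry run. Set it to "TRUE" only after reviewing dry-run logs.
              volumeMounts:
                - name: ldap-sync-config
                  mountPath: /etc/osluc/config
                  readOnly: true
                - name: ldap-bind
                  mountPath: /etc/osluc/secret
                  readOnly: true
          volumes:
            - name: ldap-sync-config
              configMap:
                name: osluc-ldap-sync-config
            - name: ldap-bind
              secret:
                secretName: osluc-ldap-bind
                defaultMode: 0400
```

Before enabling deletion, trigger a manual dry run with `oc -n osluc create job --from=cronjob/osluc osluc-dryrun` and inspect its logs to confirm that only the intended users would be removed; only then add `OSLUC_CONFIRM` with the value `TRUE` to the container's environment.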
TODO:

- a better way to read the LDAPSyncConfig
- more tests