miry · November 25, 2019 16:51
diff --git a/service_acocunt_example.yaml b/service_acocunt_example.yaml
 ---

 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    k8s-app: deployments-gc
  name: deployments-gc
  namespace: staging

 ---

 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1alpha1
 metadata:
  name: system:clean-deployments
  namespace: staging
  labels:
    k8s-app: deployments-gc
 rules:
  - apiGroups:
      - ""
      - extensions
      - v1beta1
    resources:
      - deployments
      - services
      - replicasets
      - ingresses
      - secrets
    verbs:
      - get
      - list
      - delete
      - update

 ---

 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: deployments-gc
  namespace: staging
  labels:
    k8s-app: deployments-gc
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system:clean-deployments
 subjects:
  - kind: ServiceAccount
    name: deployments-gc
    namespace: staging

 ---

 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: deployments-gc-script
  namespace: staging
  labels:
    k8s-app: deployments-gc
 data:
  clean_deployments.sh: |-
    set -e
    KUBE_URL="https://kubernetes.default.svc.cluster.local"
    KUBE_TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
    kubectl -s $KUBE_URL --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt --token=${KUBE_TOKEN} -n staging delete deploy,service,replicasets,ingress -l app=dashboard,environment=staging
    for secret in $(kubectl -s $KUBE_URL --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt --token=${KUBE_TOKEN} -n staging get secrets -o wide --sort-by=.type --field-selector=type=kubernetes.io/tls -o jsonpath='{.items[*].metadata.name}' -l certmanager.k8s.io/certificate-name)
    do
      if [[ $secret != "dashboard-root-cert" ]] && [[ $secret != "dashboard-master-cert" ]]; then
        kubectl -s $KUBE_URL --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt --token=${KUBE_TOKEN} -n staging delete secret "${secret}"
      fi
    done
    echo "Done"
 ---

 apiVersion: v1
 kind: Pod
 metadata:
  name: deployments-gc
  namespace: staging
  labels:
    k8s-app: deployments-gc

 spec:
  serviceAccountName: deployments-gc
  containers:
    - image: lachlanevenson/k8s-kubectl
      command:
        - /bin/sh
        - /opt/utils/clean_deployments.sh
      name: busybox
      volumeMounts:
        - name: clean-deployments
          mountPath: /opt/utils/
  restartPolicy: Never
  volumes:
    - name: clean-deployments
      configMap:
        name: deployments-gc-script
	---

	apiVersion: v1
	kind: ServiceAccount
	metadata:
	labels:
	k8s-app: deployments-gc
	name: deployments-gc
	namespace: staging

	---

	kind: Role
	apiVersion: rbac.authorization.k8s.io/v1alpha1
	metadata:
	name: system:clean-deployments
	namespace: staging
	labels:
	k8s-app: deployments-gc
	rules:
	- apiGroups:
	- ""
	- extensions
	- v1beta1
	resources:
	- deployments
	- services
	- replicasets
	- ingresses
	- secrets
	verbs:
	- get
	- list
	- delete
	- update

	---

	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: RoleBinding
	metadata:
	name: deployments-gc
	namespace: staging
	labels:
	k8s-app: deployments-gc
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: system:clean-deployments
	subjects:
	- kind: ServiceAccount
	name: deployments-gc
	namespace: staging

	---

	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: deployments-gc-script
	namespace: staging
	labels:
	k8s-app: deployments-gc
	data:
	clean_deployments.sh: \|-
	set -e
	KUBE_URL="https://kubernetes.default.svc.cluster.local"
	KUBE_TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
	kubectl -s $KUBE_URL --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt --token=${KUBE_TOKEN} -n staging delete deploy,service,replicasets,ingress -l app=dashboard,environment=staging
	for secret in $(kubectl -s $KUBE_URL --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt --token=${KUBE_TOKEN} -n staging get secrets -o wide --sort-by=.type --field-selector=type=kubernetes.io/tls -o jsonpath='{.items[*].metadata.name}' -l certmanager.k8s.io/certificate-name)
	do
	if [[ $secret != "dashboard-root-cert" ]] && [[ $secret != "dashboard-master-cert" ]]; then
	kubectl -s $KUBE_URL --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt --token=${KUBE_TOKEN} -n staging delete secret "${secret}"
	fi
	done
	echo "Done"
	---

	apiVersion: v1
	kind: Pod
	metadata:
	name: deployments-gc
	namespace: staging
	labels:
	k8s-app: deployments-gc

	spec:
	serviceAccountName: deployments-gc
	containers:
	- image: lachlanevenson/k8s-kubectl
	command:
	- /bin/sh
	- /opt/utils/clean_deployments.sh
	name: busybox
	volumeMounts:
	- name: clean-deployments
	mountPath: /opt/utils/
	restartPolicy: Never
	volumes:
	- name: clean-deployments
	configMap:
	name: deployments-gc-script