fix(more resources): fix porting and functionality [r8s-103] (#8)

Co-authored-by: testA113 <aliharriss1995@gmail.com> Co-authored-by: Anthony Lapenna <anthony.lapenna@portainer.io> Co-authored-by: Ali <83188384+testA113@users.noreply.github.com>
2025-07-23 07:19:41 +02:00 · 2024-11-12 09:55:30 +13:00 · 2024-11-12 09:55:30 +13:00 · 6d31f4876a
commit 6d31f4876a
parent e6577ca269
48 changed files with 894 additions and 186 deletions
--- a/api/kubernetes/cli/cluster_role.go
+++ b/api/kubernetes/cli/cluster_role.go
@ -3,10 +3,14 @@ package cli
 import (
 	"context"
 	"errors"
+	"strings"

 	models "github.com/portainer/portainer/api/http/models/kubernetes"
+	"github.com/portainer/portainer/api/internal/errorlist"
+	"github.com/rs/zerolog/log"
 	rbacv1 "k8s.io/api/rbac/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 // GetClusterRoles gets all the clusterRoles for at the cluster level in a k8s endpoint.
@ -21,7 +25,7 @@ func (kcl *KubeClient) GetClusterRoles() ([]models.K8sClusterRole, error) {

 // fetchClusterRoles returns a list of all Roles in the specified namespace.
 func (kcl *KubeClient) fetchClusterRoles() ([]models.K8sClusterRole, error) {
-	clusterRoles, err := kcl.cli.RbacV1().ClusterRoles().List(context.TODO(), metav1.ListOptions{})
+	clusterRoles, err := kcl.cli.RbacV1().ClusterRoles().List(context.TODO(), meta.ListOptions{})
 	if err != nil {
 		return nil, err
 	}
@ -39,5 +43,61 @@ func parseClusterRole(clusterRole rbacv1.ClusterRole) models.K8sClusterRole {
 	return models.K8sClusterRole{
 		Name:         clusterRole.Name,
 		CreationDate: clusterRole.CreationTimestamp.Time,
+		UID:          clusterRole.UID,
+		IsSystem:     isSystemClusterRole(&clusterRole),
 	}
 }
+
+func (kcl *KubeClient) DeleteClusterRoles(req models.K8sClusterRoleDeleteRequests) error {
+	var errors []error
+	for _, name := range req {
+		client := kcl.cli.RbacV1().ClusterRoles()
+
+		clusterRole, err := client.Get(context.Background(), name, meta.GetOptions{})
+		if err != nil {
+			if k8serrors.IsNotFound(err) {
+				continue
+			}
+			// this is a more serious error to do with the client so we return right away
+			return err
+		}
+
+		if isSystemClusterRole(clusterRole) {
+			log.Warn().Str("role_name", name).Msg("ignoring delete of 'system' cluster role, not allowed")
+		}
+
+		err = client.Delete(context.Background(), name, meta.DeleteOptions{})
+		if err != nil {
+			log.Err(err).Str("role_name", name).Msg("unable to delete the cluster role")
+			errors = append(errors, err)
+		}
+	}
+
+	return errorlist.Combine(errors)
+}
+
+func isSystemClusterRole(role *rbacv1.ClusterRole) bool {
+	if role.Namespace == "kube-system" || role.Namespace == "kube-public" ||
+		role.Namespace == "kube-node-lease" || role.Namespace == "portainer" {
+		return true
+	}
+
+	if strings.HasPrefix(role.Name, "system:") {
+		return true
+	}
+
+	if role.Labels != nil {
+		if role.Labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
+			return true
+		}
+	}
+
+	roles := getPortainerDefaultK8sRoleNames()
+	for i := range roles {
+		if role.Name == roles[i] {
+			return true
+		}
+	}
+
+	return false
+}