From 4ad47895c1722f23ed3fe38c8a120076a220105a Mon Sep 17 00:00:00 2001
From: Alex Volkov
Date: Fri, 13 Dec 2024 12:02:32 +0100
Subject: [PATCH 1/5] adding managed script for os pod deletion

---
 scripts/CEE/delete-os-pod/README.md | 21 +++++++++++
 scripts/CEE/delete-os-pod/metadata.yaml | 27 ++++++++++++++
 scripts/CEE/delete-os-pod/script.sh | 47 +++++++++++++++++++++++++
 3 files changed, 95 insertions(+)
 create mode 100644 scripts/CEE/delete-os-pod/README.md
 create mode 100644 scripts/CEE/delete-os-pod/metadata.yaml
 create mode 100755 scripts/CEE/delete-os-pod/script.sh

diff --git a/scripts/CEE/delete-os-pod/README.md b/scripts/CEE/delete-os-pod/README.md
new file mode 100644
index 00000000..70fa5f4c
--- /dev/null
+++ b/scripts/CEE/delete-os-pod/README.md
@@ -0,0 +1,21 @@
+# Delete Openshift Pod Script
+
+## Purpose
+
+This script is designed to delete a pod from OpenShift cluster core namespace
+
+## Usage
+
+Parameters:
+- NAMESPACE: Namespace name where por to delete is running, must start with openshift-*.
+- POD_NAME: Name of the pod to delete.
+
+```bash
+ocm backplane managedjob create CEE/delete-os-pod -p NAMESPACE=openshift-dns -p POD_NAME: dns-default-h7l2w
+```
+
+
+## Important Notes
+
+- The script utilizes the `oc` command-line tool, and the user running the script should have the necessary permissions to access the cluster.
+- Ensure that the required tools (`oc`) are available in the environment where the script is executed.
\ No newline at end of file
diff --git a/scripts/CEE/delete-os-pod/metadata.yaml b/scripts/CEE/delete-os-pod/metadata.yaml
new file mode 100644
index 00000000..22a6dc39
--- /dev/null
+++ b/scripts/CEE/delete-os-pod/metadata.yaml
@@ -0,0 +1,27 @@
+file: script.sh
+name: delete-os-pod
+shortDescription: Deletes a pod from openshift namespace
+description: Deletes a single pod from openshift's reserved namespace.
+author: Alex Volkov
+allowedGroups:
+ - CEE
+rbac:
+ clusterRoleRules:
+ - apiGroups:
+ - ""
+ resources:
+ - "pods"
+ verbs:
+ - "delete"
+ - "get"
+
+envs:
+- key: NAMESPACE
+ description: Namespace name where por to delete is running, must start with openshift-*
+ optional: false
+- key: POD_NAME
+ description: Name of the pod to delete
+ optional: false
+
+language: bash
+customerDataAccess: false
diff --git a/scripts/CEE/delete-os-pod/script.sh b/scripts/CEE/delete-os-pod/script.sh
new file mode 100755
index 00000000..cc49c799
--- /dev/null
+++ b/scripts/CEE/delete-os-pod/script.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+set -e
+set -o errexit
+set -o nounset
+set -o pipefail
+
+## Input validation
+### Check the correct number of arguments is provided
+if [ "$#" -ne 2 ]; then
+ echo "Usage: $0 "
+fi
+
+if [[ -z "${POD_NAME:-}" ]]; then
+ echo 'Variable POD_NAME cannot be blank'
+ exit 1
+fi
+
+if [[ -z "${NAMESPACE:-}" ]]; then
+ echo 'Variable NAMESPACE cannot be blank'
+ exit 1
+fi
+
+### Check namespace is "openshift-*"
+if [[ ! "$NAMESPACE" =~ ^openshift-.*$ ]]; then
+ echo "The namespace must start with 'openshift-'"
+ exit 1
+fi
+
+## Delete the pod
+delete_pod(){
+ echo -e "\nDeleting pod \"${POD_NAME}\" from \"${NAMESPACE}\" namespace."
+ oc delete pod "$POD_NAME" -n "$NAMESPACE"
+
+ if [ $? -eq 0 ]; then
+ echo -e "\n[SUCCESS] Pod '$POD_NAME' successfully deleted from namespace '$NAMESPACE'."
+ else
+ echo -e "\n[ERROR] Failed to delete pod '$POD_NAME' from namespace '$NAMESPACE'."
+ fi
+}
+
+
+main(){
+ delete_pod
+}
+
+main
\ No newline at end of file
From a4275c125812fda2dc34cffb0575fb1556874aca Mon Sep 17 00:00:00 2001
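Review bot: The `clusterRoleRules` block grants `get` and `delete` on `pods` cluster-wide, while the description limits the job to openshift's reserved namespaces; the only thing enforcing that limit is the `^openshift-.*$` test inside script.sh. If the managed-script metadata allows namespace-scoped rules, prefer them; otherwise record the dependency next to the rule, for example `# cluster-wide on purpose: NAMESPACE is caller-supplied, script.sh rejects anything outside openshift-*`, so a later edit to the script does not drop the guard unnoticed. The same rule block is carried unchanged into scripts/CEE/delete-pod/metadata.yaml by the rename later in this series.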
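Review bot: `POD_NAME` is only checked for being non-empty before it reaches `oc delete pod "$POD_NAME" -n "$NAMESPACE"`, so a value beginning with `-` would be parsed by `oc` as an option rather than a pod name, and the job would no longer be limited to the single pod the metadata describes. Reject anything that is not a plain resource name right after the blank check, e.g. `[[ "$POD_NAME" =~ ^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$ ]] || { echo 'POD_NAME is not a valid pod name' >&2; exit 1; }`, and tighten the namespace test the same way (`^openshift-[a-z0-9-]+$`). The same gap is present in scripts/CEE/delete-pod/script.sh added later in the series. Separately, the `"$#" -ne 2` block prints a usage line without exiting, and it appears to fire on every run because the inputs are declared as `envs` rather than positional arguments.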
From: Alex Volkov
Date: Fri, 13 Dec 2024 13:12:48 +0100
Subject: [PATCH 2/5] adding SREP to allowedGroups

---
 scripts/CEE/delete-os-pod/metadata.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/CEE/delete-os-pod/metadata.yaml b/scripts/CEE/delete-os-pod/metadata.yaml
index 22a6dc39..8e51a85b 100644
--- a/scripts/CEE/delete-os-pod/metadata.yaml
+++ b/scripts/CEE/delete-os-pod/metadata.yaml
@@ -5,6 +5,7 @@ description: Deletes a single pod from openshift's reserved namespace.
 author: Alex Volkov
 allowedGroups:
 - CEE
+ - SREP
 rbac:
 clusterRoleRules:
 - apiGroups:
From eca9f003df4175dc3ee84a0490acfc0d2638ec00 Mon Sep 17 00:00:00 2001
From: Alex Volkov
Date: Mon, 7 Apr 2025 12:50:13 +0200
Subject: [PATCH 3/5] adding --force flag and replicaset ownership check

---
 scripts/CEE/delete-os-pod/script.sh | 47 ------------
 .../{delete-os-pod => delete-pod}/README.md | 0
 .../metadata.yaml | 2 +-
 scripts/CEE/delete-pod/script.sh | 74 +++++++++++++++++++
 4 files changed, 75 insertions(+), 48 deletions(-)
 delete mode 100755 scripts/CEE/delete-os-pod/script.sh
 rename scripts/CEE/{delete-os-pod => delete-pod}/README.md (100%)
 rename scripts/CEE/{delete-os-pod => delete-pod}/metadata.yaml (97%)
 create mode 100755 scripts/CEE/delete-pod/script.sh

diff --git a/scripts/CEE/delete-os-pod/script.sh b/scripts/CEE/delete-os-pod/script.sh
deleted file mode 100755
index cc49c799..00000000
--- a/scripts/CEE/delete-os-pod/script.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-
-set -e
-set -o errexit
-set -o nounset
-set -o pipefail
-
-## Input validation
-### Check the correct number of arguments is provided
-if [ "$#" -ne 2 ]; then
- echo "Usage: $0 "
-fi
-
-if [[ -z "${POD_NAME:-}" ]]; then
- echo 'Variable POD_NAME cannot be blank'
- exit 1
-fi
-
-if [[ -z "${NAMESPACE:-}" ]]; then
- echo 'Variable NAMESPACE cannot be blank'
- exit 1
-fi
-
-### Check namespace is "openshift-*"
-if [[ ! "$NAMESPACE" =~ ^openshift-.*$ ]]; then
- echo "The namespace must start with 'openshift-'"
- exit 1
-fi
-
-## Delete the pod
-delete_pod(){
- echo -e "\nDeleting pod \"${POD_NAME}\" from \"${NAMESPACE}\" namespace."
- oc delete pod "$POD_NAME" -n "$NAMESPACE"
-
- if [ $? -eq 0 ]; then
- echo -e "\n[SUCCESS] Pod '$POD_NAME' successfully deleted from namespace '$NAMESPACE'."
- else
- echo -e "\n[ERROR] Failed to delete pod '$POD_NAME' from namespace '$NAMESPACE'."
- fi
-}
-
-
-main(){
- delete_pod
-}
-
-main
\ No newline at end of file
diff --git a/scripts/CEE/delete-os-pod/README.md b/scripts/CEE/delete-pod/README.md
similarity index 100%
rename from scripts/CEE/delete-os-pod/README.md
rename to scripts/CEE/delete-pod/README.md
diff --git a/scripts/CEE/delete-os-pod/metadata.yaml b/scripts/CEE/delete-pod/metadata.yaml
similarity index 97%
rename from scripts/CEE/delete-os-pod/metadata.yaml
rename to scripts/CEE/delete-pod/metadata.yaml
index 8e51a85b..8eba3ef1 100644
--- a/scripts/CEE/delete-os-pod/metadata.yaml
+++ b/scripts/CEE/delete-pod/metadata.yaml
@@ -4,8 +4,8 @@ shortDescription: Deletes a pod from openshift namespace
 description: Deletes a single pod from openshift's reserved namespace.
 author: Alex Volkov
 allowedGroups:
- - CEE
 - SREP
+ - MCSTierTwo
 rbac:
 clusterRoleRules:
 - apiGroups:
diff --git a/scripts/CEE/delete-pod/script.sh b/scripts/CEE/delete-pod/script.sh
new file mode 100755
index 00000000..bf34826e
--- /dev/null
+++ b/scripts/CEE/delete-pod/script.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+set -e
+set -o errexit
+set -o nounset
+set -o pipefail
+
+## Input validation
+### Check the correct number of arguments is provided
+if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then
+ echo "Usage: $0 [--force]"
+ exit 1
+fi
+
+POD_NAME=$1
+NAMESPACE=$2
+FORCE_FLAG=false
+
+# Check if force flag is provided
+if [[ "${3:-}" == "--force" ]]; then
+ FORCE_FLAG=true
+fi
+
+if [[ -z "${POD_NAME:-}" ]]; then
+ echo 'Variable POD_NAME cannot be blank'
+ exit 1
+fi
+
+if [[ -z "${NAMESPACE:-}" ]]; then
+ echo 'Variable NAMESPACE cannot be blank'
+ exit 1
+fi
+
+### Check namespace is "openshift-*"
+if [[ ! "$NAMESPACE" =~ ^openshift-.*$ ]]; then
+ echo "The namespace must start with 'openshift-'"
+ exit 1
+fi
+
+## Validate if pod is owned by a replicaset
+check_owned_by_replicaset(){
+ echo -e "\nChecking replicaset owning the pod \"${POD_NAME}\" from \"${NAMESPACE}\" namespace."
+ local owner
+ owner=$(oc get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath='{.metadata.ownerReferences[0].kind}' || true)
+
+ if [[ "$owner" == "ReplicaSet" ]]; then
+ echo "Pod '$POD_NAME' is owned by a ReplicaSet."
+ if [ "$FORCE_FLAG" = false ]; then
+ echo "Use the --force flag to bypass the validation."
+ exit 1
+ fi
+ else
+ echo "Pod '$POD_NAME' is not owned by a ReplicaSet, proceeding with deletion."
+ fi
+}
+
+## Delete pod
+delete_pod(){
+ echo -e "\nDeleting pod \"${POD_NAME}\" from \"${NAMESPACE}\" namespace."
+ oc delete pod "$POD_NAME" -n "$NAMESPACE"
+
+ if [ $? -eq 0 ]; then
+ echo -e "\n[SUCCESS] Pod '$POD_NAME' successfully deleted from namespace '$NAMESPACE'."
+ else
+ echo -e "\n[ERROR] Failed to delete pod '$POD_NAME' from namespace '$NAMESPACE'."
+ fi
+}
+
+main(){
+ check_owned_by_replicaset
+ delete_pod
+}
+
+main
\ No newline at end of file
From f65f9574a9aaf5cf746b2dae9e2a4befd544b7e0 Mon Sep 17 00:00:00 2001
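Review bot: In `delete_pod` the `if [ $? -eq 0 ]` test can never reach its `else` branch: with `set -e` / `set -o errexit` active at the top of the file, a failing `oc delete` ends the script before the test runs, so the `[ERROR]` line is never printed. Test the command directly with `if oc delete pod "$POD_NAME" -n "$NAMESPACE"; then`, and add `exit 1` after the `[ERROR]` echo so a failed delete is both logged and reported through the exit status. The function is carried over from the deleted delete-os-pod/script.sh and is still in this form in the context lines of the next patch.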
From: Alex Volkov Date: Mon, 7 Apr 2025 18:37:30 +0200 Subject: [PATCH 4/5] adding replicaset check and --force flag for bypassing it, fixed script name --- scripts/CEE/delete-pod/README.md | 12 +++++---- scripts/CEE/delete-pod/metadata.yaml | 11 ++++++--- scripts/CEE/delete-pod/script.sh | 37 ++++++++++++++-------------- 3 files changed, 32 insertions(+), 28 deletions(-) diff --git a/scripts/CEE/delete-pod/README.md b/scripts/CEE/delete-pod/README.md index 70fa5f4c..01672f15 100644 --- a/scripts/CEE/delete-pod/README.md +++ b/scripts/CEE/delete-pod/README.md @@ -2,20 +2,22 @@ ## Purpose -This script is designed to delete a pod from OpenShift cluster core namespace +This script is designed to delete a pod from OpenShift cluster core namespace. ## Usage Parameters: +- POD_NAME: Name of pod to delete. - NAMESPACE: Namespace name where por to delete is running, must start with openshift-*. -- POD_NAME: Name of the pod to delete. +- FLAGS: Optional flags, currently only accepts --force. ```bash -ocm backplane managedjob create CEE/delete-os-pod -p NAMESPACE=openshift-dns -p POD_NAME: dns-default-h7l2w +ocm backplane managedjob create CEE/delete-pod -p POD_NAME: dns-default-h7l2w -p NAMESPACE=openshift-dns -p FLAGS="--force" ``` - ## Important Notes - The script utilizes the `oc` command-line tool, and the user running the script should have the necessary permissions to access the cluster. -- Ensure that the required tools (`oc`) are available in the environment where the script is executed. \ No newline at end of file +- Ensure that the required tools (`oc`) are available in the environment where the script is executed. +- The script requires pod to be bound to a replicaset. Otherwise pod cannot be deleted. +- The script provides force flag to bypass replicaset check. \ No newline at end of file diff --git a/scripts/CEE/delete-pod/metadata.yaml b/scripts/CEE/delete-pod/metadata.yaml index 8eba3ef1..f2f99463 100644 --- a/scripts/CEE/delete-pod/metadata.yaml 
+++ b/scripts/CEE/delete-pod/metadata.yaml @@ -1,5 +1,5 @@ file: script.sh -name: delete-os-pod +name: delete-pod shortDescription: Deletes a pod from openshift namespace description: Deletes a single pod from openshift's reserved namespace. author: Alex Volkov @@ -17,12 +17,15 @@ rbac: - "get" envs: -- key: NAMESPACE - description: Namespace name where por to delete is running, must start with openshift-* - optional: false - key: POD_NAME description: Name of the pod to delete optional: false +- key: NAMESPACE + description: Namespace name where por to delete is running, must start with openshift-* + optional: false +- key: FLAGS + description: Flag to bypass ReplicaSet validation + optional: true language: bash customerDataAccess: false diff --git a/scripts/CEE/delete-pod/script.sh b/scripts/CEE/delete-pod/script.sh index bf34826e..d5ab46a3 100755 --- a/scripts/CEE/delete-pod/script.sh +++ b/scripts/CEE/delete-pod/script.sh @@ -6,18 +6,13 @@ set -o nounset set -o pipefail ## Input validation -### Check the correct number of arguments is provided -if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then - echo "Usage: $0 [--force]" - exit 1 +if ! declare -p FLAGS &>/dev/null || [[ -z "${FLAGS}" ]]; then + FLAGS="" fi -POD_NAME=$1 -NAMESPACE=$2 +# If --force is in FLAGS, set FORCE_FLAG to true FORCE_FLAG=false - -# Check if force flag is provided -if [[ "${3:-}" == "--force" ]]; then +if [[ "$FLAGS" =~ --force ]]; then FORCE_FLAG=true fi 
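Review bot: `[[ "$FLAGS" =~ --force ]]` in the script.sh hunk is an unanchored regex match, so any `FLAGS` value that merely contains `--force` switches the ReplicaSet check off, and every other value is silently ignored. Since `--force` is the only flag the README and metadata describe, compare the value exactly and fail on anything else, so a mistyped flag stops the job instead of running with a different safety setting than the operator intended. The `declare -p FLAGS` block can go as well, because `${FLAGS:-}` is already safe under `set -o nounset`.

```shell
## Input validation
FORCE_FLAG=false
case "${FLAGS:-}" in
    "") ;;
    --force) FORCE_FLAG=true ;;
    *)
        echo "[ERROR] Unsupported FLAGS value; only --force is accepted." >&2
        exit 1
        ;;
esac
# … unchanged: POD_NAME / NAMESPACE checks …
```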
@@ -39,24 +34,28 @@ fi ## Validate if pod is owned by a replicaset check_owned_by_replicaset(){ - echo -e "\nChecking replicaset owning the pod \"${POD_NAME}\" from \"${NAMESPACE}\" namespace." - local owner - owner=$(oc get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath='{.metadata.ownerReferences[0].kind}' || true) + echo -e "\n[INFO] Checking replicaset owning the pod \"${POD_NAME}\" from \"${NAMESPACE}\" namespace." + + local owner_kind + owner_kind=$(oc get pod "$POD_NAME" -n "$NAMESPACE" -o jsonpath='{.metadata.ownerReferences[0].kind}' 2>/dev/null || echo "") - if [[ "$owner" == "ReplicaSet" ]]; then - echo "Pod '$POD_NAME' is owned by a ReplicaSet." - if [ "$FORCE_FLAG" = false ]; then - echo "Use the --force flag to bypass the validation." + if [[ "$owner_kind" == "ReplicaSet" ]]; then + echo "[INFO] Pod '${POD_NAME}' is owned by a ReplicaSet." + else + echo "[WARN] Pod '${POD_NAME}' is not owned by a ReplicaSet." + + if [[ "$FORCE_FLAG" != true ]]; then + echo "[ERROR] Deletion blocked. Use --force to override." >&2 exit 1 + else + echo "[INFO] --force flag detected. Proceeding with deletion." fi - else - echo "Pod '$POD_NAME' is not owned by a ReplicaSet, proceeding with deletion." fi } ## Delete pod delete_pod(){ - echo -e "\nDeleting pod \"${POD_NAME}\" from \"${NAMESPACE}\" namespace." + echo -e "\n[INFO] Deleting pod \"${POD_NAME}\" from \"${NAMESPACE}\" namespace." oc delete pod "$POD_NAME" -n "$NAMESPACE" if [ $? -eq 0 ]; then From 86eaec24d55a3c373f6b06e5864c8bb521b6c8d9 Mon Sep 17 00:00:00 2001 From: Alex Volkov Date: Fri, 11 Jul 2025 14:26:28 +0200 Subject: [PATCH 5/5] Update scripts/CEE/delete-pod/metadata.yaml Co-authored-by: typeid --- scripts/CEE/delete-pod/metadata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/CEE/delete-pod/metadata.yaml b/scripts/CEE/delete-pod/metadata.yaml index f2f99463..f6c4b98f 100644 --- a/scripts/CEE/delete-pod/metadata.yaml +++ b/scripts/CEE/delete-pod/metadata.yaml 
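Review bot: `2>/dev/null || echo ""` on the `oc get pod` call makes a failed lookup indistinguishable from a pod that has no owner: both leave `owner_kind` empty and land in the `[WARN] ... not owned by a ReplicaSet` branch, where `--force` then lets the delete go ahead on a pod whose ownership was never read. Confirm the pod can be read before looking at its owner, and keep stderr for that call so the job log shows why it failed. Only `ownerReferences[0].kind` is compared, so a pod managed by any other controller kind also needs `--force`; printing the kind that was found in the `[WARN]` line would make that visible to the operator. `delete_pod` starts inside this hunk and continues past its end.

```shell
check_owned_by_replicaset(){
    # … unchanged: [INFO] banner …
    if ! oc get pod "$POD_NAME" -n "$NAMESPACE" -o name >/dev/null; then
        echo "[ERROR] Cannot read pod '${POD_NAME}' in namespace '${NAMESPACE}'; not deleting." >&2
        exit 1
    fi
    # … unchanged: owner_kind lookup and ReplicaSet / --force branches …
```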
@@ -21,7 +21,7 @@ envs:
 description: Name of the pod to delete
 optional: false
 - key: NAMESPACE
- description: Namespace name where por to delete is running, must start with openshift-*
+ description: Namespace name where pod to delete is running, must start with openshift-*
 optional: false
 - key: FLAGS
 description: Flag to bypass ReplicaSet validation