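---
# Delete the kubeadmin user after OIDC is configured and admin groups
# have cluster-admin. Once the kubeadmin secret is gone, cluster-admin
# access is reachable only through the identity provider, so every check
# below must pass before the secret is removed.
#
# Safety checks:
# 1. Verify at least one group in oidc_admin_groups is configured
# 2. Verify a ClusterRoleBinding exists for each of those groups and that
#    it actually binds the cluster-admin ClusterRole
# 3. Verify the OAuth deployment is ready (OIDC login is available)
# 4. Only then delete the kubeadmin secret

# default([]) lets an undefined oidc_admin_groups reach this explicit,
# actionable message instead of an "undefined variable" error.
- name: Fail if no admin groups are configured
  ansible.builtin.fail:
    msg: >-
      Cannot delete kubeadmin: oidc_admin_groups is empty.
      At least one OIDC group must have cluster-admin before kubeadmin can be removed.
  when: oidc_admin_groups | default([]) | length == 0

# The binding name must match the one used when the bindings were created;
# the regex normalises every character outside [a-zA-Z0-9-] in the group
# name to '-'. With loop + register, failed_when is evaluated against the
# result of the current item, so a missing binding, or one that exists but
# does not reference the cluster-admin ClusterRole, fails on that group.
- name: Verify OIDC admin ClusterRoleBindings exist
  kubernetes.core.k8s_info:
    api_version: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    name: "oidc-{{ item | regex_replace('[^a-zA-Z0-9-]', '-') }}-cluster-admin"
  loop: "{{ oidc_admin_groups }}"
  register: __sno_deploy_admin_crbs
  failed_when: >-
    __sno_deploy_admin_crbs.resources | length == 0 or
    __sno_deploy_admin_crbs.resources[0].roleRef.name != 'cluster-admin'

# default(0) covers a Deployment status that does not report readyReplicas;
# the deletion must not proceed unless at least one OAuth pod is serving.
- name: Verify OAuth deployment is ready
  kubernetes.core.k8s_info:
    api_version: apps/v1
    kind: Deployment
    namespace: openshift-authentication
    name: oauth-openshift
  register: __sno_deploy_oauth_status
  failed_when: >-
    __sno_deploy_oauth_status.resources | length == 0 or
    (__sno_deploy_oauth_status.resources[0].status.readyReplicas | default(0)) < 1

# state: absent is idempotent; changed is false when the secret is already gone,
# which the debug task below reports.
- name: Delete kubeadmin secret
  kubernetes.core.k8s:
    api_version: v1
    kind: Secret
    namespace: kube-system
    name: kubeadmin
    state: absent
  register: __sno_deploy_kubeadmin_deleted

- name: Display kubeadmin deletion result
  ansible.builtin.debug:
    msg: >-
      {{ 'kubeadmin user deleted successfully. Login is now only available via OIDC.'
      if __sno_deploy_kubeadmin_deleted.changed
      else 'kubeadmin was already deleted.' }}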