Check by namespaces to delete role bindings (see #4)

numberly · Sep 11, 2019 · d1e1d47 · d1e1d47
1 parent 51303ad
commit d1e1d47
Showing 1 changed file with 28 additions and 24 deletions.
diff --git a/gitlab2rbac.py b/gitlab2rbac.py
@@ -1,6 +1,7 @@
 #!/usr/bin/python env
 
 import logging
+from collections import defaultdict
 from os import environ
 from time import sleep
 
@@ -334,31 +335,34 @@ def create_role_binding(
 
     def delete_deprecated_user_role_bindings(self, users):
         try:
-            users_ids = [user["id"] for user in users]
-            role_bindings = (
-                self.client_rbac.list_role_binding_for_all_namespaces()
-            )
-
-            for role_binding in role_bindings.items:
-                try:
-                    user_id = role_binding.metadata.labels[
-                        "gitlab2rbac.kubernetes.io/user_id"
-                    ]
-                except (TypeError, KeyError):
-                    continue
-
-                if user_id not in users_ids:
-                    self.client_rbac.delete_namespaced_role_binding(
-                        name=role_binding.metadata.name,
-                        namespace=role_binding.metadata.namespace,
-                        body=role_binding,
-                    )
-                    logging.info(
-                        u"|_ role-binding deprecated name={} namespace={}".format(
-                            role_binding.metadata.name,
-                            role_binding.metadata.namespace,
+            users_grouped_by_ns = defaultdict(list)
+            for user in users:
+                users_grouped_by_ns[user["namespace"]].append(user)
+
+            for ns in users_grouped_by_ns:
+                role_bindings = self.client_rbac.list_namespaced_role_binding(ns)
+                users_ids = [user["id"] for user in users_grouped_by_ns[ns]]
+
+                for role_binding in role_bindings.items:
+                    try:
+                        user_id = role_binding.metadata.labels[
+                            "gitlab2rbac.kubernetes.io/user_id"
+                        ]
+                    except (TypeError, KeyError):
+                        continue
+
+                    if user_id not in users_ids:
+                        self.client_rbac.delete_namespaced_role_binding(
+                            name=role_binding.metadata.name,
+                            namespace=role_binding.metadata.namespace,
+                            body=role_binding,
+                        )
+                        logging.info(
+                            u"|_ role-binding deprecated name={} namespace={}".format(
+                                role_binding.metadata.name,
+                                role_binding.metadata.namespace,
+                            )
                         )
-                    )
         except ApiException as e:
             error = "unable to delete deprecated user role bindings :: {}".format(
                 eval(e.body)["message"]