KIC only keeps needed RBAC role and bindings in the cluster #1718

Closed
1 task done
ccfishk opened this issue Aug 17, 2021 · 4 comments
Comments

ccfishk commented Aug 17, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Problem Statement

The RBAC role names and bindings differ between 1.x and 2.x. An upgrade from 1.x to 2.x will leave the now-unused 1.x role and binding around. They should be deleted.

Proposed Solution

Propose a prepare function within the 2.x controller, which basically removes all unused (1.x) RBAC role names and bindings, or any other known-unneeded resources, before KIC is ready for work. Or, to put it another way, only keep the 2.x required RBAC role in the cluster.

Additional information

No response

Acceptance Criteria

  • [] only needed resources are kept on the cluster when 2.X KIC is ready to work.

rainest commented Aug 17, 2021

We'd need to grant RBAC management permissions to the new ServiceAccount for it to handle this automatically. I don't think we'd want to for a one-off task, given that those are pretty powerful. Instead, I suggest that we just provide the commands to clear out the old resources:

kubectl delete clusterrole kong-ingress-clusterrole
kubectl delete clusterrolebinding kong-ingress-clusterrole-nisa-binding
kubectl delete -n kong serviceaccount kong-serviceaccount

ccfishk commented Aug 17, 2021

Yes, those resource names/namespace are the same from 1.3 to 2.0; we need to ensure only the 1.3 ones are deleted.

rainest commented Aug 17, 2021

Ah, the SA is actually the same, but the roles/bindings aren't: https://gist.github.com/rainest/7188f056bcf06226066bb894ea236893

So instead, just:

kubectl delete clusterrole kong-ingress-clusterrole
kubectl delete clusterrolebinding kong-ingress-clusterrole-nisa-binding
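
Added example, not part of the thread or of KIC's own code: since the ServiceAccount is unchanged across the upgrade, a leftover binding that names it as a subject (assumed here) keeps granting the old ClusterRole until it is deleted. This sketch lists ClusterRoleBindings still attached to that ServiceAccount but absent from an expected set, and the roles only they reference; the JSON and the `example-2x-*` names are constructed placeholders, as the 2.x names are not given on this page.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# Legacy names come from the thread; "example-2x-*" are placeholders and the
# subject of the legacy binding is an assumption.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "kong-ingress-clusterrole-nisa-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "kong-ingress-clusterrole"},
  "subjects": [{"kind": "ServiceAccount", "name": "kong-serviceaccount", "namespace": "kong"}]},
 {"metadata": {"name": "example-2x-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "example-2x-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "kong-serviceaccount", "namespace": "kong"}]},
 {"metadata": {"name": "unrelated-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "other", "namespace": "default"}]},
 {"metadata": {"name": "no-subjects-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}}
]}
""")


def unexpected_bindings(binding_list, sa_namespace, sa_name, expected):
    """Return sorted (binding, role) pairs bound to the ServiceAccount but not expected."""
    wanted = ("ServiceAccount", sa_namespace, sa_name)
    found = []
    for item in binding_list.get("items", []):
        name = item["metadata"]["name"]
        # `subjects` may be absent or null on a binding with no subjects.
        for s in item.get("subjects") or []:
            if (s.get("kind"), s.get("namespace"), s.get("name")) == wanted and name not in expected:
                found.append((name, item["roleRef"]["name"]))
                break
    return found and sorted(found)


def roles_only_used_by(binding_list, stale_names):
    """ClusterRoles referenced by the stale bindings and by no other ClusterRoleBinding.
    Namespaced RoleBindings can also reference a ClusterRole and are not checked here."""
    stale_roles, other_roles = set(), set()
    for item in binding_list.get("items", []):
        target = stale_roles if item["metadata"]["name"] in stale_names else other_roles
        target.add(item["roleRef"]["name"])
    return sorted(stale_roles - other_roles)


if __name__ == "__main__":
    stale = unexpected_bindings(SAMPLE, "kong", "kong-serviceaccount", {"example-2x-binding"})
    print("stale bindings:", stale)
    print("roles with no other binding:", roles_only_used_by(SAMPLE, {b for b, _ in stale}))
```

Against a live cluster, replace `SAMPLE` with the parsed output of `kubectl get clusterrolebindings -o json` and review the result before running the delete commands above.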

@shaneutt

Closing as stale. Let's re-open if we determine there's any followup needed here.
