ClusterRoles and ClusterRoleBindings are Kubernetes resources that can be applied to the target cluster. This section exports the cluster roles and their corresponding cluster role bindings. However, you may not want every cluster role and cluster role binding on the target cluster. The scripts generate all the files; you then filter them manually and apply only the ones you decide to keep.
To get a list of cluster roles, run:
oc get clusterroles
To render a specific cluster role with the extraneous metadata removed:
CLUSTER_ROLE_NAME=<<clusterrolename>>
oc get clusterrole "$CLUSTER_ROLE_NAME" -o yaml | \
yq e 'del(.metadata.creationTimestamp)' - \
| yq e 'del(.metadata.resourceVersion)' - \
| yq e 'del(.metadata.managedFields)' - \
| yq e 'del(.metadata.selfLink)' - \
| yq e 'del(.metadata.uid)' -
Depending on what is installed on the OpenShift cluster, there may be many cluster roles that do not need to be ported to the target cluster, so you may have to filter the list generated by the following command. It exports cluster roles to the clusterconfigs/cluster/cluster-roles folder:
mkdir -p clusterconfigs/cluster/cluster-roles
for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do
  echo "Exporting ClusterRole: $i"
  # Strip server-generated metadata so the manifest can be applied to another cluster.
  oc get clusterrole "$i" -o yaml | \
  yq e 'del(.metadata.creationTimestamp)' - \
  | yq e 'del(.metadata.resourceVersion)' - \
  | yq e 'del(.metadata.managedFields)' - \
  | yq e 'del(.metadata.selfLink)' - \
  | yq e 'del(.metadata.uid)' - > "clusterconfigs/cluster/cluster-roles/$i.yaml"
done
Review the list of cluster roles in the clusterconfigs/cluster/cluster-roles folder and delete the manifests for the roles that should not be exported to the target cluster.
If you are migrating individual cluster role bindings, you can list them using oc get clusterrolebindings and then get an individual clusterrolebinding manifest by running:
CLUSTER_ROLE_BINDING=<<clusterrolebinding>>
oc get clusterrolebinding "$CLUSTER_ROLE_BINDING" -o yaml | \
yq e 'del(.metadata.creationTimestamp)' - \
| yq e 'del(.metadata.resourceVersion)' - \
| yq e 'del(.metadata.selfLink)' - \
| yq e 'del(.metadata.managedFields)' - \
| yq e 'del(.metadata.uid)' -
To export all the ClusterRoleBindings relevant to the filtered list of ClusterRoles in the clusterconfigs/cluster/cluster-roles folder, run the following script. It saves the ClusterRoleBindings into the clusterconfigs/cluster/cluster-role-bindings folder.
mkdir -p clusterconfigs/cluster/cluster-role-bindings
for role in $(ls clusterconfigs/cluster/cluster-roles | sed -e 's/\.yaml$//'); do
  # Build the command as an array so the role name can be embedded, double-quoted, in the jsonpath filter.
  cmd=(oc get clusterrolebindings -o jsonpath='{.items[?(@.roleRef.name == ROLE)].metadata.name}')
  cmd[4]=${cmd[4]//ROLE/\"$role\"}
  for i in $("${cmd[@]}"); do
    echo "Exporting ClusterRoleBinding: $i"
    oc get clusterrolebinding "$i" -o yaml | \
    yq e 'del(.metadata.creationTimestamp)' - \
    | yq e 'del(.metadata.resourceVersion)' - \
    | yq e 'del(.metadata.selfLink)' - \
    | yq e 'del(.metadata.managedFields)' - \
    | yq e 'del(.metadata.uid)' - > "clusterconfigs/cluster/cluster-role-bindings/$i.yaml"
  done
done
Verify the ClusterRoles and ClusterRoleBindings together again and remove those that are not relevant to the target cluster.
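One way to support that final verification, as an added example that is not part of the original guide: the script below flags exported bindings whose ClusterRole manifest was deleted during review, and bindings that grant a role to the system:authenticated or system:unauthenticated groups. The function names are hypothetical, and it assumes the block-style YAML produced by the export commands above.

```bash
#!/usr/bin/env bash
# Added example: review helper for the exported manifests (not from the guide).
# Assumes block-style YAML as written by `oc get -o yaml | yq e ...`.
ROLES_DIR=${ROLES_DIR:-clusterconfigs/cluster/cluster-roles}
BINDINGS_DIR=${BINDINGS_DIR:-clusterconfigs/cluster/cluster-role-bindings}

# Print roleRef.name of one ClusterRoleBinding manifest.
role_ref_name() {
  awk '/^roleRef:/          { in_ref = 1; next }
       in_ref && /^[^ ]/    { in_ref = 0 }
       in_ref && /^ +name:/ { sub(/^ +name: */, ""); gsub(/"/, ""); print; exit }' "$1"
}

# Succeed if a binding names system:authenticated or system:unauthenticated
# as a subject, i.e. the role is granted to every caller in that group.
has_broad_subject() {
  awk '/^subjects:/       { in_sub = 1; next }
       in_sub && /^[^ -]/ { in_sub = 0 }
       in_sub && /name: "?system:(un)?authenticated"?$/ { found = 1 }
       END { exit !found }' "$1"
}

# One line per finding: "ORPHAN <binding> <role>" or "BROAD <binding> <role>".
review_bindings() {
  local f name role
  for f in "$BINDINGS_DIR"/*.yaml; do
    [ -e "$f" ] || continue
    name=$(basename "$f" .yaml)
    role=$(role_ref_name "$f")
    # The binding would point at a role that will not exist on the target.
    [ -f "$ROLES_DIR/$role.yaml" ] || echo "ORPHAN $name $role"
    if has_broad_subject "$f"; then echo "BROAD $name $role"; fi
  done
}
```

Source the file from the directory that contains clusterconfigs/ and run review_bindings; an ORPHAN line means either the binding manifest should be deleted too or the role manifest restored.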