Remove empty role bindings when removing subjects

simo5 · simo5 · commit 63edf56ec00c · 2018-01-29T23:27:53.000-05:00
diff --git a/pkg/oc/admin/policy/modify_roles.go b/pkg/oc/admin/policy/modify_roles.go
@@ -551,7 +551,11 @@ func (o *RoleModificationOptions) RemoveRole() error {
 	for _, roleBinding := range roleBindings {
 		roleBinding.Subjects = removeSubjects(roleBinding.Subjects, subjectsToRemove)
 
-		err := o.RoleBindingAccessor.UpdateRoleBinding(roleBinding)
+		if len(roleBinding.Subjects) > 0 {
+			err = o.RoleBindingAccessor.UpdateRoleBinding(roleBinding)
+		} else {
+			err = o.RoleBindingAccessor.DeleteRoleBinding(roleBinding.Name)
+		}
 		if err != nil {
 			return err
 		}
diff --git a/pkg/oc/admin/policy/policy.go b/pkg/oc/admin/policy/policy.go
@@ -121,6 +121,7 @@ type RoleBindingAccessor interface {
 	GetRoleBinding(name string) (*authorizationapi.RoleBinding, error)
 	UpdateRoleBinding(binding *authorizationapi.RoleBinding) error
 	CreateRoleBinding(binding *authorizationapi.RoleBinding) error
+	DeleteRoleBinding(name string) error
 }
 
 // LocalRoleBindingAccessor operates against role bindings in namespace
@@ -181,6 +182,10 @@ func (a LocalRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.Ro
 	return err
 }
 
+func (a LocalRoleBindingAccessor) DeleteRoleBinding(name string) error {
+	return a.Client.RoleBindings(a.BindingNamespace).Delete(name, &metav1.DeleteOptions{})
+}
+
 // ClusterRoleBindingAccessor operates against cluster scoped role bindings
 type ClusterRoleBindingAccessor struct {
 	Client authorizationtypedclient.ClusterRoleBindingsGetter
@@ -249,3 +254,7 @@ func (a ClusterRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.
 	_, err := a.Client.ClusterRoleBindings().Create(clusterBinding)
 	return err
 }
+
+func (a ClusterRoleBindingAccessor) DeleteRoleBinding(name string) error {
+	return a.Client.ClusterRoleBindings().Delete(name, &metav1.DeleteOptions{})
+}
