image-pruning: adding replica sets to the graph

Michal Minář · Michal Minář · commit 65de9332ca3c · 2017-10-20T15:54:07.000+02:00
Signed-off-by: Michal Minář &lt;miminar@redhat.com&gt;
diff --git a/pkg/apps/graph/nodes/nodes.go b/pkg/apps/graph/nodes/nodes.go
@@ -92,3 +92,30 @@ func FindOrCreateSyntheticDeploymentConfigNode(g osgraph.MutableUniqueGraph, dc
 		},
 	).(*DeploymentConfigNode)
 }
+
+// EnsureReplicaSetNode adds the provided replica set to the graph if it does not exist
+func EnsureReplicaSetNode(g osgraph.MutableUniqueGraph, rs *kapisext.ReplicaSet) *ReplicaSetNode {
+	rsName := ReplicaSetNodeName(rs)
+	rsNode := osgraph.EnsureUnique(
+		g,
+		rsName,
+		func(node osgraph.Node) graph.Node {
+			return &ReplicaSetNode{Node: node, ReplicaSet: rs, IsFound: true}
+		},
+	).(*ReplicaSetNode)
+
+	podTemplateSpecNode := kubegraph.EnsurePodTemplateSpecNode(g, &rs.Spec.Template, rs.Namespace, rsName)
+	g.AddEdge(rsNode, podTemplateSpecNode, osgraph.ContainsEdgeKind)
+
+	return rsNode
+}
+
+func FindOrCreateSyntheticReplicaSetNode(g osgraph.MutableUniqueGraph, rs *kapisext.ReplicaSet) *ReplicaSetNode {
+	return osgraph.EnsureUnique(
+		g,
+		ReplicaSetNodeName(rs),
+		func(node osgraph.Node) graph.Node {
+			return &ReplicaSetNode{Node: node, ReplicaSet: rs, IsFound: false}
+		},
+	).(*ReplicaSetNode)
+}
diff --git a/pkg/apps/graph/nodes/types.go b/pkg/apps/graph/nodes/types.go
@@ -13,6 +13,7 @@ var (
 	DaemonSetNodeKind        = reflect.TypeOf(kapisext.DaemonSet{}).Name()
 	DeploymentNodeKind       = reflect.TypeOf(kapisext.Deployment{}).Name()
 	DeploymentConfigNodeKind = reflect.TypeOf(deployapi.DeploymentConfig{}).Name()
+	ReplicaSetNodeKind       = reflect.TypeOf(kapisext.ReplicaSet{}).Name()
 )
 
 func DaemonSetNodeName(o *kapisext.DaemonSet) osgraph.UniqueName {
@@ -95,3 +96,30 @@ func (n DeploymentConfigNode) String() string {
 func (*DeploymentConfigNode) Kind() string {
 	return DeploymentConfigNodeKind
 }
+
+func ReplicaSetNodeName(o *kapisext.ReplicaSet) osgraph.UniqueName {
+	return osgraph.GetUniqueRuntimeObjectNodeName(ReplicaSetNodeKind, o)
+}
+
+type ReplicaSetNode struct {
+	osgraph.Node
+	ReplicaSet *kapisext.ReplicaSet
+
+	IsFound bool
+}
+
+func (n ReplicaSetNode) Found() bool {
+	return n.IsFound
+}
+
+func (n ReplicaSetNode) Object() interface{} {
+	return n.ReplicaSet
+}
+
+func (n ReplicaSetNode) String() string {
+	return string(ReplicaSetNodeName(n.ReplicaSet))
+}
+
+func (*ReplicaSetNode) Kind() string {
+	return ReplicaSetNodeKind
+}
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -553,6 +553,7 @@ func GetOpenshiftBootstrapClusterRoles() []rbac.ClusterRole {
 				rbac.NewRule("get", "list").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(),
 				rbac.NewRule("get", "list").Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(),
 				rbac.NewRule("get", "list").Groups(extensionsGroup).Resources("deployments").RuleOrDie(),
+				rbac.NewRule("get", "list").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
 
 				rbac.NewRule("delete").Groups(imageGroup, legacyImageGroup).Resources("images").RuleOrDie(),
 				rbac.NewRule("get", "list").Groups(imageGroup, legacyImageGroup).Resources("images", "imagestreams").RuleOrDie(),
diff --git a/pkg/image/prune/prune.go b/pkg/image/prune/prune.go
@@ -141,6 +141,8 @@ type PrunerOptions struct {
 	Deployments *kapisext.DeploymentList
 	// DCs is the entire list of deployment configs across all namespaces in the cluster.
 	DCs *deployapi.DeploymentConfigList
+	// RSs is the entire list of replica sets across all namespaces in the cluster.
+	RSs *kapisext.ReplicaSetList
 	// LimitRanges is a map of LimitRanges across namespaces, being keys in this map.
 	LimitRanges map[string][]*kapi.LimitRange
 	// DryRun indicates that no changes will be made to the cluster and nothing
@@ -205,6 +207,7 @@ var _ Pruner = &pruner{}
 // - any daemonsets
 // - any kube deployments
 // - any deployment configs
+// - any replica sets
 // - any build configs
 // - any builds
 // - the n most recent tag revisions in an image stream's status.tags
@@ -251,6 +254,7 @@ func NewPruner(options PrunerOptions) (Pruner, error) {
 	addDaemonSetsToGraph(g, options.DSs)
 	addDeploymentsToGraph(g, options.Deployments)
 	addDeploymentConfigsToGraph(g, options.DCs)
+	addReplicaSetsToGraph(g, options.RSs)
 
 	return &pruner{
 		g:              g,
@@ -520,6 +524,19 @@ func addDeploymentConfigsToGraph(g graph.Graph, dcs *deployapi.DeploymentConfigL
 	}
 }
 
+// addReplicaSetsToGraph adds replica set to the graph.
+//
+// Edges are added to the graph from each replica set to the images specified by its pod spec's list of
+// containers, as long as the image is managed by OpenShift.
+func addReplicaSetsToGraph(g graph.Graph, rss *kapisext.ReplicaSetList) {
+	for i := range rss.Items {
+		rs := &rss.Items[i]
+		glog.V(4).Infof("Examining ReplicaSet %s", getName(rs))
+		rsNode := deploygraph.EnsureReplicaSetNode(g, rs)
+		addPodSpecToGraph(g, &rs.Spec.Template.Spec, rsNode)
+	}
+}
+
 // addBuildConfigsToGraph adds build configs to the graph.
 //
 // Edges are added to the graph from each build config to the image specified by its strategy.from.
diff --git a/pkg/image/prune/prune_test.go b/pkg/image/prune/prune_test.go
@@ -305,6 +305,26 @@ func dc(namespace, name string, containerImages ...string) deployapi.DeploymentC
 	}
 }
 
+func rsList(rss ...kapisext.ReplicaSet) kapisext.ReplicaSetList {
+	return kapisext.ReplicaSetList{
+		Items: rss,
+	}
+}
+
+func rs(namespace, name string, containerImages ...string) kapisext.ReplicaSet {
+	return kapisext.ReplicaSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      name,
+		},
+		Spec: kapisext.ReplicaSetSpec{
+			Template: kapi.PodTemplateSpec{
+				Spec: podSpec(containerImages...),
+			},
+		},
+	}
+}
+
 func bcList(bcs ...buildapi.BuildConfig) buildapi.BuildConfigList {
 	return buildapi.BuildConfigList{
 		Items: bcs,
@@ -523,6 +543,7 @@ func TestImagePruning(t *testing.T) {
 		dss                        kapisext.DaemonSetList
 		deployments                kapisext.DeploymentList
 		dcs                        deployapi.DeploymentConfigList
+		rss                        kapisext.ReplicaSetList
 		limits                     map[string][]*kapi.LimitRange
 		expectedImageDeletions     []string
 		expectedStreamUpdates      []string
@@ -686,6 +707,15 @@ func TestImagePruning(t *testing.T) {
 			expectedImageDeletions: []string{"sha256:0000000000000000000000000000000000000000000000000000000000000001"},
 		},
 
+		"referenced by replicaset - don't prune": {
+			images: imageList(
+				image("sha256:0000000000000000000000000000000000000000000000000000000000000000", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000000"),
+				image("sha256:0000000000000000000000000000000000000000000000000000000000000001", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000001"),
+			),
+			rss: rsList(rs("foo", "rc1", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000000")),
+			expectedImageDeletions: []string{"sha256:0000000000000000000000000000000000000000000000000000000000000001"},
+		},
+
 		"referenced by upstream deployment - don't prune": {
 			images: imageList(
 				image("sha256:0000000000000000000000000000000000000000000000000000000000000000", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000000"),
@@ -1207,6 +1237,7 @@ func TestImagePruning(t *testing.T) {
 			DSs:         &test.dss,
 			Deployments: &test.deployments,
 			DCs:         &test.dcs,
+			RSs:         &test.rss,
 			LimitRanges: test.limits,
 			RegistryURL: &url.URL{Scheme: "https", Host: registryHost},
 		}
@@ -1455,6 +1486,7 @@ func TestRegistryPruning(t *testing.T) {
 			DSs:              &kapisext.DaemonSetList{},
 			Deployments:      &kapisext.DeploymentList{},
 			DCs:              &deployapi.DeploymentConfigList{},
+			RSs:              &kapisext.ReplicaSetList{},
 			RegistryURL:      &url.URL{Scheme: "https", Host: "registry1.io"},
 		}
 		p, err := NewPruner(options)
@@ -1515,6 +1547,7 @@ func TestImageWithStrongAndWeakRefsIsNotPruned(t *testing.T) {
 	dss := dsList()
 	deployments := deploymentList()
 	dcs := dcList()
+	rss := rsList()
 
 	options := PrunerOptions{
 		Images:      &images,
@@ -1526,6 +1559,7 @@ func TestImageWithStrongAndWeakRefsIsNotPruned(t *testing.T) {
 		DSs:         &dss,
 		Deployments: &deployments,
 		DCs:         &dcs,
+		RSs:         &rss,
 	}
 	keepYoungerThan := 24 * time.Hour
 	keepTagRevisions := 2
diff --git a/pkg/oc/admin/prune/images.go b/pkg/oc/admin/prune/images.go
@@ -264,6 +264,7 @@ func (o PruneImagesOptions) Run() error {
 
 	allDSs, err := o.KubeClient.Extensions().DaemonSets(o.Namespace).List(metav1.ListOptions{})
 	if err != nil {
+		// TODO: remove in future (3.9) release
 		if !kerrors.IsForbidden(err) {
 			return err
 		}
@@ -272,6 +273,7 @@ func (o PruneImagesOptions) Run() error {
 
 	allDeployments, err := o.KubeClient.Extensions().Deployments(o.Namespace).List(metav1.ListOptions{})
 	if err != nil {
+		// TODO: remove in future (3.9) release
 		if !kerrors.IsForbidden(err) {
 			return err
 		}
@@ -283,6 +285,15 @@ func (o PruneImagesOptions) Run() error {
 		return err
 	}
 
+	allRSs, err := o.KubeClient.Extensions().ReplicaSets(o.Namespace).List(metav1.ListOptions{})
+	if err != nil {
+		// TODO: remove in future (3.9) release
+		if !kerrors.IsForbidden(err) {
+			return err
+		}
+		fmt.Fprintf(os.Stderr, "Failed to list replicasets: %v\n - * Make sure to update clusterRoleBindings.\n", err)
+	}
+
 	limitRangesList, err := o.KubeClient.Core().LimitRanges(o.Namespace).List(metav1.ListOptions{})
 	if err != nil {
 		return err
@@ -352,6 +363,7 @@ func (o PruneImagesOptions) Run() error {
 		DSs:                allDSs,
 		Deployments:        allDeployments,
 		DCs:                allDCs,
+		RSs:                allRSs,
 		LimitRanges:        limitRangesMap,
 		DryRun:             o.Confirm == false,
 		RegistryClient:     registryClient,
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -1871,6 +1871,27 @@ items:
     verbs:
     - get
     - list
+  - apiGroups:
+    - extensions
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+  - apiGroups:
+    - extensions
+    resources:
+    - deployments
+    verbs:
+    - get
+    - list
+  - apiGroups:
+    - extensions
+    resources:
+    - replicasets
+    verbs:
+    - get
+    - list
   - apiGroups:
     - ""
     - image.openshift.io
diff --git a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml
@@ -2041,6 +2041,30 @@ items:
     verbs:
     - get
     - list
+  - apiGroups:
+    - extensions
+    attributeRestrictions: null
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+  - apiGroups:
+    - extensions
+    attributeRestrictions: null
+    resources:
+    - deployments
+    verbs:
+    - get
+    - list
+  - apiGroups:
+    - extensions
+    attributeRestrictions: null
+    resources:
+    - replicasets
+    verbs:
+    - get
+    - list
   - apiGroups:
     - ""
     - image.openshift.io
