Kubewarden PSP migration script
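#!/usr/bin/env sh
#
# Migrate the PodSecurityPolicies of the current cluster into Kubewarden
# policies. Run with --help for the list of options.
set -e

# Release of appvia/psp-migration that gets downloaded when no local copy exists.
PSP_MIGRATION_TOOL_VERSION=v1.33.351
# Location (relative to the working directory) of the migration tool binary.
LOCAL_PSP_MIGRATION_TOOL_PATH=psp-migration
# Option defaults; parse_args overrides them from the command line.
DRY_RUN="false"
HELP="false"
OUTPUT_FILE="policies.yaml"
FORCE="false"

# usage: print the help text on stdout.
usage() {
  echo ""
  echo "This script is used to migrate the PodSecurityPolicy running in your Kubernetes cluster into Kubewarden policies."
  echo "The available options are:"
  echo ""
  echo " --dry-run: migrate all your PodSecurityPolicy but do _NOT_ apply them. The migrated policies will be saved into a file"
  echo " --force: overwrite output file if necessary"
  echo " --help: show this help message"
  echo " --output: file where the Kubewarden policies will be defined"
}

# parse_args: set DRY_RUN, HELP, FORCE and OUTPUT_FILE from the arguments.
#
# Arguments are consumed with a while/shift loop so that "$1"/"$2" always
# refer to the option being handled (a `for` loop over "$@" keeps iterating
# the original list while `shift` moves the positional parameters, so the
# two drift apart).
#
# Exits with status 2 on an unknown argument or when --output has no value:
# silently ignoring a mistyped --dry-run would let the script go on and
# apply policies to the cluster.
parse_args() {
  while [ "$#" -gt 0 ]
  do
    case "$1" in
      --dry-run)
        DRY_RUN="true"
        shift
        ;;
      --help)
        HELP="true"
        shift
        ;;
      --force)
        FORCE="true"
        shift
        ;;
      --output)
        if [ "$#" -lt 2 ] || [ -z "$2" ]
        then
          echo "--output requires a file name" >&2
          exit 2
        fi
        OUTPUT_FILE="$2"
        shift 2
        ;;
      *)
        echo "Unknown argument: $1 (use --help to list the options)" >&2
        exit 2
        ;;
    esac
  done
}

parse_args "$@"

if [ "$HELP" = "true" ]
then
  usage
  exit 0
fi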
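# Download the tool used to migrate PSPs into Kubewarden policies, unless an
# executable copy is already present.
#
# The binary is later fed every PodSecurityPolicy of the cluster and its
# output is applied with kubectl, so a bad download must never end up at the
# final path:
#   * --fail makes curl return an error on HTTP failures instead of saving
#     the error page, which would otherwise be marked executable;
#   * --proto / --proto-redir keep the transfer, redirects included, on HTTPS;
#   * the file is written to a temporary name and only renamed once it is
#     complete and, when a digest is supplied, verified.
#
# Set PSP_MIGRATION_TOOL_SHA256 to the SHA-256 digest published for the
# pinned release to have the download checked before it is installed.
if [ ! -x "$LOCAL_PSP_MIGRATION_TOOL_PATH" ]
then
  echo "Downloading PSP migration tool... This can take some minutes."
  tool_url="https://github.com/appvia/psp-migration/releases/download/$PSP_MIGRATION_TOOL_VERSION/psp-migration-linux-x64"
  if ! tool_tmp=$(mktemp "$LOCAL_PSP_MIGRATION_TOOL_PATH.XXXXXX")
  then
    echo "Unable to create a temporary file for the download." >&2
    exit 1
  fi
  if ! curl --fail --location --silent --show-error \
    --proto '=https' --proto-redir '=https' \
    --output "$tool_tmp" "$tool_url"
  then
    rm -f -- "$tool_tmp"
    echo "Failed to download $tool_url" >&2
    exit 1
  fi
  if [ -n "${PSP_MIGRATION_TOOL_SHA256:-}" ]
  then
    if ! command -v sha256sum > /dev/null 2>&1
    then
      rm -f -- "$tool_tmp"
      echo "sha256sum is required to verify PSP_MIGRATION_TOOL_SHA256." >&2
      exit 1
    fi
    tool_digest=$(sha256sum "$tool_tmp" | awk '{print $1}')
    if [ "$tool_digest" != "$PSP_MIGRATION_TOOL_SHA256" ]
    then
      rm -f -- "$tool_tmp"
      echo "Checksum mismatch for $tool_url: got $tool_digest" >&2
      exit 1
    fi
  else
    echo "PSP_MIGRATION_TOOL_SHA256 is not set; the downloaded binary was not verified." >&2
  fi
  chmod +x "$tool_tmp"
  mv -- "$tool_tmp" "$LOCAL_PSP_MIGRATION_TOOL_PATH"
fi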
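echo "Migrating PSPs to Kubewarden policies..."
# Get the PSP names (first column of the kubectl table).
#
# kubectl is run on its own rather than as the first stage of a pipeline:
# in a pipeline only awk's exit status is seen, so a kubectl failure (no
# access, unreachable API server, PSP API not served) would produce an empty
# list and the script would report that there is nothing to migrate.
if ! psp_table=$(kubectl get psp -A --no-headers)
then
  echo "Unable to list PodSecurityPolicies with kubectl; nothing was migrated." >&2
  exit 1
fi
PSP_LIST=$(printf '%s\n' "$psp_table" | awk ' {print $1} ')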
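# prepare_output_file: make sure generation starts from a missing output file.
#
# Reads OUTPUT_FILE and FORCE. An existing regular file is removed when
# FORCE is "true"; otherwise the script stops with status 1 so policies are
# never appended to a file left over from an earlier run.
#
# OUTPUT_FILE comes from the command line, so it is quoted everywhere (a
# name with spaces would otherwise make the `[ -f ... ]` test fail and skip
# this guard) and passed after `--` so a leading dash is not read as an
# option of rm.
prepare_output_file() {
  if [ -f "$OUTPUT_FILE" ]
  then
    if [ "$FORCE" = "true" ]
    then
      rm -f -- "$OUTPUT_FILE"
    else
      echo "The output file $OUTPUT_FILE already exists." >&2
      echo "If you want to overwrite the file. Use --force command line argument." >&2
      exit 1
    fi
  fi
}

prepare_output_file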
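# generate_policies: convert every PSP named in PSP_LIST into a Kubewarden
# policy and append it, preceded by a "---" document separator, to
# OUTPUT_FILE.
#
# Each step is run and checked on its own. With `kubectl ... | tool >> file`
# a kubectl failure is hidden behind the exit status of the last pipeline
# stage, leaving a policy file that is missing entries and would still be
# applied. Here any failure stops the script with status 1, and a document
# is appended only after it has been fully generated.
generate_policies() {
  # Word splitting of PSP_LIST is intentional: it holds one name per line,
  # and Kubernetes object names contain neither whitespace nor glob
  # characters.
  for psp in $PSP_LIST
  do
    if ! psp_yaml=$(kubectl get PodSecurityPolicy "$psp" -o yaml)
    then
      echo "Unable to read PodSecurityPolicy $psp; stopping before an incomplete policy set is applied." >&2
      exit 1
    fi
    if ! policy_yaml=$(printf '%s\n' "$psp_yaml" | ./psp-migration -e kubewarden)
    then
      echo "psp-migration failed for PodSecurityPolicy $psp; stopping before an incomplete policy set is applied." >&2
      exit 1
    fi
    printf '%s\n%s\n' "---" "$policy_yaml" >> "$OUTPUT_FILE"
  done
}

generate_policies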
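# apply_policies: report where the generated policies are and, unless
# DRY_RUN is set, apply them to the cluster of the current kubectl context.
#
# Reads OUTPUT_FILE and DRY_RUN. When OUTPUT_FILE does not exist, no PSP was
# converted and nothing is applied.
#
# The generated policies take over pod admission control from the PSPs, so
# running once with --dry-run and reviewing the file before applying it is
# the safer order. OUTPUT_FILE is quoted so a path containing spaces reaches
# kubectl as a single argument.
apply_policies() {
  if [ -f "$OUTPUT_FILE" ]
  then
    echo "Yours policies are defined in the file \"$OUTPUT_FILE\""
    if [ "$DRY_RUN" = "false" ]
    then
      kubectl apply -f "$OUTPUT_FILE"
    fi
  else
    echo "There are no policies to migrate."
  fi
}

apply_policies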