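---
# Rotate Tokens | expire the auto-generated "default" service-account tokens.
#
# Flow:
#   1. Record every pod together with the names of the volumes it mounts.
#   2. List all secrets and select the ones named `default-token-<suffix>`.
#   3. Delete those secrets (this relies on the service-account token
#      controller issuing replacements for the `default` service account).
#   4. Delete every pod that mounts one of the deleted secrets so that it is
#      recreated with a fresh token.
#
# Selection in steps 2 and 4 is exact, not substring based: a secret is chosen
# only if its whole name matches the default-token pattern, and a pod only if
# "<namespace> <volume>" for one of its volumes is exactly one of the selected
# secrets. Substring matching (`grep default-token`, `... in stdout`) could
# delete an unrelated secret such as `foo-default-token-xxxxx`, or a pod whose
# "<namespace> <first volume>" merely appeared inside some longer line.
#
# This play deletes running pods. kubectl is invoked once per task from a
# single host of the play (run_once).

- name: Rotate Tokens | Get list of pods and their current secrets
  # One line per pod: "<namespace> <pod> <volume> <volume> ...".
  command: >-
    {{ bin_dir }}/kubectl get pods --all-namespaces
    -o 'jsonpath={range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.volumes[*].name}{"\n"}{end}'
  register: pods_secrets
  changed_when: false
  run_once: true

- name: Rotate Tokens | Get list of secrets
  # One line per secret: "<namespace> <name>". The filtering is done in Jinja
  # below instead of `| grep default-token`: no shell pipeline is needed, and
  # a kubectl failure is reported as a failure instead of being masked by
  # grep's exit status 1 ("no match") on an empty input.
  command: >-
    {{ bin_dir }}/kubectl get secrets --all-namespaces
    -o 'jsonpath={range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}'
  register: all_secrets
  changed_when: false
  run_once: true

- name: Rotate Tokens | Select default tokens to expire
  # Anchored match on the whole "<namespace> <name>" line: only secrets whose
  # name is exactly default-token-<suffix> are kept. Empty list when none.
  set_fact:
    default_tokens: "{{ all_secrets.stdout_lines | select('match', '^[^ ]+ default-token-[a-z0-9]+$') | list }}"

- name: Rotate Tokens | Show pods and the default tokens selected for rotation
  debug:
    msg:
      pods: "{{ pods_secrets.stdout_lines }}"
      default_tokens: "{{ default_tokens }}"
  run_once: true

- name: Rotate Tokens | Delete expired tokens
  command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
  with_items: "{{ default_tokens }}"
  register: delete_secrets
  # A secret that disappeared between listing and deletion is not an error.
  failed_when: delete_secrets.rc != 0 and "not found" not in delete_secrets.stderr
  run_once: true

- name: Rotate Tokens | Delete pods with default tokens
  # Pair the pod's namespace with EVERY volume name on its line (not only the
  # first one - an injected token volume need not be first) and restart the
  # pod if any pair is exactly one of the deleted secrets. Pods with no volume
  # names produce no pairs and are left alone.
  command: "{{ bin_dir }}/kubectl delete pod -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
  with_items: "{{ pods_secrets.stdout_lines }}"
  register: delete_pods
  when: >-
    [item.split(' ')[0]] | product(item.split(' ')[2:])
    | map('join', ' ') | intersect(default_tokens) | length > 0
  # A pod already gone (e.g. replaced by its controller) is not an error.
  failed_when: delete_pods.rc != 0 and "not found" not in delete_pods.stderr
  run_once: true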