New DevWorkspace CRD #15425
Comments
l0rd
added
kind/enhancement
che-bot
added
the
status/need-triage
|
@skabashnyuk @sleshchenko please review |
l0rd
removed
the
status/need-triage
che-bot
added
the
status/need-triage
ibuziuk
added
team/devex
and removed
status/need-triage
sleshchenko
added
engine/devworkspace
benoitf
added
team/controller
and removed
kind/enhancement
|
I would like to get the authZ side clarified... But when Workspace CRD & Controller are introduced it will work in a traditional operator/controller way:
It means it will be possible to grand users permissions to manipulate with Workspace CRs only. So, they can't create their own deployments. Such users still be able to start workspaces. Is this the plan? |
|
Do keep in mind too that k8s does not have a mechanism the same as openshift tokens. |
OpenShift uses the same RBAC for controllers and CRs as Kube. So, the flow I described for Workspace Controller is the same for OpenShift and Kube. |
That's totally the plan yes. |
|
Issues go stale after Mark the issue as fresh with If this issue is safe to close now please do so. Moderators: Add |
che-bot
added
the
lifecycle/stale
sleshchenko
added
lifecycle/frozen
I am very interested in this part, where a devWorkspace is consisted of more than one pod, for example to handle different architectures. but will it be possible to make it invisible to the containers in those pods and still have them act as if they were all part of the same pod?. Like, having a pipe socket connection between 2 containers in separate pods |
This epic is about using a Kubernetes Custom Resource to provision Che Workspaces and transferring some of Che Master responsibilities to a Kubernetes controller.
Current architecture
Che Workspaces are currently provisioned by Che Master: a Java application that exposes a secured REST API to manage Che workspaces.
To create/start/stop a workspace a client sends an HTTP request to wsmaster. Some examples of the wsmaster clients are the Che User Dashboard (Che landing page), chectl (che command line tool) or the OpenShift Dev Console.
Note that the Workspace API is not the only API exposed by the Che Master API. Other APIs include auth, factory, ssh, metrics, user.
Che Master is stateful and data are persisted in a Postgresql database. Persisted data includes workspaces metadata and users preferences and data.
New architecture
We want to move the part of the Che Master that is responsible for scheduling workspace containers to a Kubernetes CRD and controller. This has a few benefits:
Authentication and Authorization
In multi-user mode, requests to the Che Master API need to be authenticated and authorized as before. Nothing should change for the Che Master API auth.
Authentication to the Workspaces services should continue to work as it is currently. With the JWT Proxy securing communications at Workspaces level.
What changes with the introduction of the
DevWorkspaceCRD is that the provisioning of the JWT Proxy Pod and Workspaces ingresses/routes will be the responsibility of a Kubernetes controller rather then the Che Master.The PoC of the DevWorkspace already comes with one example of such a controller (for OpenShift OAuth). The controller is associated with a secondary CRD called
DevWorkspaceRouting(managed by the DevWorkspace operator as the primary CRD). A new controller namedDevWorkspaceRoutingControllershould be implemented to support the current Che Workspaces auth model with the JWT Proxy.Deployment
The deployment will be done through a new DevWorkspace operator. The current Che operator should be updated to programmatically subscribe to the DevWorkspace operator when a user subscribe to it. That will guarantee that the creation of a CheCluster CRD will be always associated to the creation of a DevWorkspaces CRD.
FAQ
How do we see the CRD workspace controller
The controller has the responsibility for reconciling a DevWorkspace spec and status with one or more pods implementing the workspace.
What are the logical relation and technical connections between CRD controller and workspace master
The CRD controller will be a pre-requirement of the wsmaster. The wsmaster will need the controller to create the workspace abstraction. The CRD controller instead can be deployed and be operational even without a wsmaster.
What is the scope of the responsibilities of the Che Master?
The scope of the Che Master would still be the same but instead of low level Kubernetes API (like pods, deployment, etc..) it will manage higher level custom resources (DevWorkspace CR but also other CRs as detailed in the following answers about users, orgs, etc ...):
Will the wsmaster or API server continue exposes a REST API?
No reason why the API would change. But the implementation of the API would change to use the
DevWorkspaceCRs under-the-cover.What is the scope of the responsibilities of CRD controller?
Reconcile the
DevWorkspaceCustom Resources and create the corresponding Deployment and associated Kubernetes objects. It mainly replaces low-level parts of the Kubernetes or Openshift infrastructure implementation.How do we see authentication/authorization in a CRD controller/workspace master future?
The main idea would be to use:
DevWorkspaceRoutingCRD with a customizable secondary controller that enables customizing the creation of ingresses / routes + the related authentication methodThis was already implemented in the POC with an example using OpenShift authentication through
oauth-proxyHow do we see Che organization/groups/resource management?
Che user would mainly become a cluster-wide Custom Resource (DevWorkspaceUser), which would also allow storing preferences.
The same could be true for Organization (DevWorkspaceUsersOrganisation) if there are specific settings to store on them.
These CRs should be linked to the underlying K8S users / groups so that RBAC rules can then be used to manage and check permissions.
What are the steps of integration CRD controller into Che?
1st Phase:
2nd phase:
Replace Users and profiles (and possibly other data) stored in the Postgres database by cluster-wide CRs, and manage them accordingly in the Che Master. We should be able to get rid of Postgres at this point.
3rd phase:
We should be able to remove Keycloak or replace it with other alternate authentication method.
Are we going to get rid of Keycloak?
Keycloak should at least become an option among others. But the priority, in terms of scalability, and management burden, is more about removing Postgres and have everything stored as CRs in ETCD.
Are we going to get rid of PostgreSQL?
That's the idea yes. Currently we don't even support safe rolling-update of the postgres database. It doesn't seem to be very scalable.
Are we going to get rid of something else?
No. But the REST API could become a Quarkus application, and thus even benefit from serverless scale-to-0 features. Not getting rid of it, but at least some interesting refactoring work.
Can a Che workspace be provisioned and run without the Che Master? In other words, once we get rid of Keycloak and Postgres, can we envision a lighter Che installation with Kubernetes CRDs and controllers only?
Yes, it’s already the case in the existing POC. However, in order to correctly support the Che-Theia component, we still need to have access to a minimal implementation of the
https://github.com/eclipse/che-workspace-clientclient API. However it isn’t a problem and is already provided by an optional extra-simple sidecar that mainly provides this required endpoints by just reading the devfile and other fields on the DevWorkspace Custom resource.Of course this is only useful in order to transparently support che-theia in the current state of the overall Che architecture.
In the perspective to use Che to implement a Kubernetes Cloud shell: in what namespace is the DevWorkspace CR been created? What if that namespace doesn’t exist? What if it already exists with resources already running there? If the user opens 2 tabs will we have 2 workspaces or only one?
See the CloudShell epic
The text was updated successfully, but these errors were encountered: