Fix openshift custom host role #56
Conversation
Looking at OpenShift code it seems it has some sort of custom code that includes an Admission Controller for Kubernetes Ingress objects: There also seems to be this check for OpenShift Route objects too: We had a similar problem with Zync some time ago. What are the implications of adding that element from a non-admin user point of view? Can we check them? Are we also sure that on k8s native the addition of that permission is not a problem? Has this been tried with OLM or a non-admin user? I also seem to remember that permission problems were not reproduced when deploying the role.yaml as an admin. For example, if you tried to add a non-existing verb for a given Kind/APIGroup and you deployed as admin, I seem to remember K8s/OpenShift didn't complain, but the moment this was done as a non-admin the problem surfaced.
I'll answer myself a bit on the comments I left regarding:
The problem I was referring to was related to UPDATING the host name and not creating it.
Tested reconciliation and added required role rules.
I've tried the following example in an OpenShift cluster:
But, when adding a non-existing APIGroup/Kind into the role, an error is received when the user tries to create it:
Role creation attempt:
However, if the user that tries to create the role is a cluster-admin, NO error is shown even when the APIGroup/Kind does not exist in the cluster, which confirms what I thought:
Some findings:
Namespace admin users should be able to deploy apicast instances.
The new role definition in this PR can be deployed using OLM.
Tested in OCP 4.2.
As you commented, to deploy operator.yaml you have to be cluster-admin, so I understand we can go forward with including the OpenShift permissions in a single file, even when deploying in K8s where the API/Kind of those permissions does not exist, because it is ignored when you are cluster-admin, as I showed in the OpenShift case.
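To make the rule under discussion concrete, here is an RBAC Role carrying it, as an added example rather than the PR's own role.yaml; the namespace and role name are placeholders, and the verbs follow OpenShift's route host-assignment check, which authorizes setting a host at creation via create on routes/custom-host and changing it afterwards via update (the updating case mentioned earlier in the thread).

```yaml
# Added example: a namespaced Role that lets the operator's service account
# set spec.host on Routes (and, via OpenShift's ingress admission check,
# on Ingress objects). Namespace and name are placeholders; the custom-host
# rule is the one this PR adds.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: apicast-operator-example   # placeholder name
  namespace: example-namespace     # placeholder namespace
rules:
# Ordinary route management. Note that apiGroups takes the API group,
# not the fully qualified "routes.route.openshift.io" resource name.
- apiGroups: ["route.openshift.io"]
  resources: ["routes"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# OpenShift's host-assignment admission check: "create" permits setting a
# host when the Route is created, "update" permits changing it afterwards.
# The subresource is written as routes/custom-host in RBAC manifests.
- apiGroups: ["route.openshift.io"]
  resources: ["routes/custom-host"]
  verbs: ["create", "update"]
# On plain Kubernetes the route.openshift.io group does not exist. The rule
# is still accepted when applied by a cluster-admin because RBAC escalation
# prevention only rejects rules the *creating* user does not already hold;
# a cluster-admin holds "*", so an unknown resource passes, while a
# namespace admin without that permission gets the error shown in the thread.
```

To verify the grant without creating a Route, a cluster-admin can impersonate the service account with kubectl auth can-i create routes/custom-host --as=system:serviceaccount:example-namespace:example-sa -n example-namespace (the account name is a placeholder).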
Add role rule
routes.route.openshift.io/custom-host
to support OCP. Does not affect k8s even though it is an "openshift"-related role. Tested on:
An alternative option would be to maintain different operator metadata for the k8s and OCP "flavors".
The motivation for this change is that when creating an Ingress with an IngressRule that has the 'host' field set in an OpenShift environment, the following error is shown: