Add option to pass configmap with mapping between SA and IAM role #142
What is the behavior if an annotation is removed and the configmap is not being used? Also, is it intended that someone can use both configmap and annotations (I assume so based on the PR)? In that case, which takes precedence?
That's a good catch. The easiest way to change this is probably that
Hopefully the two will match. Technically the last one takes precedence, but documentation-wise I would say that if the two differ, the behavior is undocumented. I have no idea what the user intent would be in such a situation either. I do want to support both configmap and annotation in parallel, both to preserve existing configurations and because annotations offer more flexibility for those who really need to fine-tune the behavior.
Understandable that you would want to support both, but I'm wondering—if we support hybrid environments, what happens if we have a case where an annotation or configmap entry is removed, but the alternative still exists? Even if we look at the old and new object of a certain type, it seems like we can get into the following states:
It seems to me that the only difference between 1 and 3 is the order in which prior events took place, and the same is true for 2 and 4. If my understanding is correct, and these would result in different webhook behavior, then I think we would need to solve this before allowing both modes to operate at the same time. I think we would adopt a strict precedence (not call it undefined) like service account always wins, and we might need to cache both types separately so we can see the state of both types when making decisions (service account annotation exists, but configmap doesn't => use mapping from service account annotation).
Thanks for the feedback. Had hoped to avoid having two caches, but it seems like that is the best way to go about this. Added this now, plus a test that confirms the precedence order is as expected.
2 suggestions, feel free to implement or ignore; I am fine with merging this as-is.
Thanks for the additional documentation -- one remaining question I have is what is the behavior if the configmap is improperly formatted? The unmarshal should fail, populateCacheFromCM should return an error, but it shouldn't affect the service account informer. Is that correct?
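The two-cache design with strict precedence discussed earlier in this thread, and the malformed-configmap question just above, as an added Go sketch that is not the PR's or the project's code: the type and method names (PrecedenceCache, PopulateFromCM, SetSA, DeleteSA, Get), the JSON layout of the configmap data and the "namespace/name" key format are all assumptions, not the project's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
)

// PrecedenceCache keeps the two mapping sources apart so that deleting an entry
// from one source never hides an entry that still exists in the other.
// Keys are "namespace/name"; values are IAM role ARNs. (Hypothetical type.)
type PrecedenceCache struct {
	mu     sync.RWMutex
	fromSA map[string]string // populated from service account annotations
	fromCM map[string]string // populated from the ConfigMap
}

func NewPrecedenceCache() *PrecedenceCache {
	return &PrecedenceCache{fromSA: map[string]string{}, fromCM: map[string]string{}}
}

// SetSA and DeleteSA mirror the service account informer's add/update and delete events.
func (c *PrecedenceCache) SetSA(key, role string) { c.mu.Lock(); c.fromSA[key] = role; c.mu.Unlock() }
func (c *PrecedenceCache) DeleteSA(key string) { c.mu.Lock(); delete(c.fromSA, key); c.mu.Unlock() }

// PopulateFromCM replaces the ConfigMap view atomically. The payload is assumed to be a
// JSON object; a malformed payload returns an error and leaves both views untouched.
func (c *PrecedenceCache) PopulateFromCM(raw string) error {
	next := map[string]string{}
	if err := json.Unmarshal([]byte(raw), &next); err != nil {
		return fmt.Errorf("configmap mapping is not valid JSON: %w", err)
	}
	c.mu.Lock()
	c.fromCM = next
	c.mu.Unlock()
	return nil
}

// Get applies the strict precedence rule: a service account annotation always wins,
// and the ConfigMap is consulted only when no annotation exists for the key.
func (c *PrecedenceCache) Get(key string) (role string, ok bool) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	if role, ok = c.fromSA[key]; ok {
		return role, true
	}
	role, ok = c.fromCM[key]
	return role, ok
}
```

Because the views are separate, removing an annotation falls back to the configmap entry and clearing the configmap keeps the annotation, so the four ordering-dependent states collapse to one rule.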
Update pkg/cache/cache_test.go

Co-authored-by: Nicholas Turner <1205393+nckturner@users.noreply.github.com>
Description of changes:
This PR adds an option for the webhook to watch a configmap for additional SA to Role mappings. This is useful where there is tooling that creates IAM Roles and already knows which SA should use them. In particular, kOps already has this mapping. Adding the annotation to the SAs is then just additional manual work.
A few notes:
CacheResponse. This takes an originally internal struct and makes it into a public interface. Mostly something to be aware of if one wants to change this struct in the future. /cc @nckturner
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.