sleshchenko
left a comment
LGTM
Please change PR title to make clear that it affects OpenShift deployment only
| name: che | ||
| roleRef: | ||
| name: admin | ||
| name: edit |
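Review bot: the roleRef name goes from admin to edit, but the snippet does not show the roleRef kind or the subject, so confirm this stays a namespace-scoped RoleBinding to the built-in `edit` ClusterRole for the `che` service account; the PR description relies on exactly that for creating workspaces in the Che server namespace. Since this binding grants nothing outside that namespace, the description (and the docs change requested above) should state that CHE_INFRA_OPENSHIFT_PROJECT must name the namespace the Che SA lives in.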
maybe it makes sense to describe in the documentation that CHE_INFRA_OPENSHIFT_PROJECT must be set to:
- the same value as the Che Server namespace
- an empty value, in which case the OAuth provider must be used
- any value different from the Che Server namespace, in which case cluster admin roles should be bound to the Che service account (not sure that we need this way of configuration)
Currently the Che service account does not have cluster-wide privileges, so it is a general documentation improvement not really related to this particular PR. But good point.
| metadata: | ||
| name: che | ||
| roleRef: | ||
| name: admin |
Will we use the same role to create namespaces for workspaces?
In this case, a cluster admin should grant Che SA cluster-admin privileges:
oc adm policy add-cluster-role-to-user self-provisioner system:serviceaccount:eclipse-che:che
For k8s we do that out of the box: https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/templates/cluster-role-binding.yaml#L16
And this makes it possible to set this env to empty string by default and things work out of the box.
So, to sum it up: on OpenShift we NEVER granted the Che SA the cluster-admin role, while it was true for the Kubernetes Helm charts. Hence, if we do the same change for k8s, then https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/values.yaml#L47 should be the namespace where the Che SA has been created. And if a cluster admin wants Che to create workspaces in individual namespaces, the Che SA is granted a cluster-admin role and https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/values.yaml#L47 becomes an empty string.
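The two configurations contrasted above, as an added illustration that is not part of the PR or of the Che project's own manifests: a namespace-scoped binding of the built-in `edit` ClusterRole to the `che` service account (the least-privilege option the PR moves to), beside the cluster-wide `self-provisioner` binding that the `oc adm policy` command in the comment creates when Che is expected to create per-workspace namespaces. The namespace `eclipse-che` is taken from the comment; the binding names are assumed.

```yaml
# Option 1: workspaces live in the Che server namespace.
# The binding is scoped to eclipse-che, so the SA gains nothing elsewhere;
# CHE_INFRA_OPENSHIFT_PROJECT must then be set to this same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: che                 # assumed name
  namespace: eclipse-che
subjects:
  - kind: ServiceAccount
    name: che
    namespace: eclipse-che
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit                # built-in role; no access to RBAC or namespaces
---
# Option 2: Che creates a namespace per workspace (CHE_INFRA_OPENSHIFT_PROJECT empty).
# Equivalent to:
#   oc adm policy add-cluster-role-to-user self-provisioner \
#     system:serviceaccount:eclipse-che:che
# This is cluster-wide: audit who holds it, and prefer user tokens where possible.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: che-self-provisioner   # assumed name
subjects:
  - kind: ServiceAccount
    name: che
    namespace: eclipse-che
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner       # OpenShift role allowing project creation
```

To verify the resulting permissions without cluster-admin guesswork, `oc auth can-i create projectrequests --as=system:serviceaccount:eclipse-che:che` should answer `no` under option 1 and `yes` under option 2.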
Does it mean that right now we don't have an OS deployment option where Che creates namespaces?
@garagatyi this option should be supported when Che is configured to use user tokens. Giving cluster-admin privileges to Che is something that we should not support: you can do it at your own risk :-)
What does this PR do?
It looks like the Che service account may have the edit role to be able to create workspaces in the same namespace as the Che server pod.
What issues does this PR fix or reference?
#11142