Make OpenShift infrastructure create a special service account for workspaces #11199
Conversation
sleshchenko
added
status/code-review
|
ci-test |
|
ci-test build report: |
sleshchenko
force-pushed
the
workspaceServiceAccountCreation
branch
from
9adc196 to
86aaa3b
Compare
|
Tests failed because of error in |
|
ci-test |
|
ci-test build report: |
|
@riuvshin @tolusha @tsmaeder Guys, as I see all last ci-test executions failed because of build error in |
|
To be honest I have no idea. |
|
@tolusha I saw it) Do you think it happens because of CI infrastructures issue? |
|
I think so. |
|
looks like docker issue, try rerun |
|
ci-test |
|
ci-test build report: |
garagatyi
left a comment
garagatyi
left a comment
There was a problem hiding this comment.
Overall looks good. Can you take a look at inlined comments?
...java/org/eclipse/che/workspace/infrastructure/openshift/project/WorkspaceServiceAccount.java
Show resolved
Hide resolved
...java/org/eclipse/che/workspace/infrastructure/openshift/project/WorkspaceServiceAccount.java
Outdated
Show resolved
Hide resolved
...c/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProject.java
Show resolved
Hide resolved
| */ | ||
| public OpenShiftProject create(String workspaceId) throws InfrastructureException { | ||
| final String projectName = isNullOrEmpty(this.projectName) ? workspaceId : this.projectName; | ||
| boolean isPredefined = !isNullOrEmpty(this.projectName); |
There was a problem hiding this comment.
Looks like this line can be moved to the constructor
There was a problem hiding this comment.
Yeap, it even can be moved to the constructor of parent class KubernetesNamespaceFactory.
So, really thank you for this comment. Because of that, I believe that I found an issue in KubernetesNamespaceFactory. isPredefined method returns true if the configured namespace isNullOrEmpty and false otherwise, but it should do vice versa.
It may be a cause of appearing a lot of error messages in ci-jobs tests about failed PVC clean up jobs.
I'll check it and will consider adding unit test for KubernetesNamespaceFactory.
There was a problem hiding this comment.
Done.
Also, I added dummy test class for OpenShiftProjectFactory and will fix it before merge.
| # Defines Kubernetes Service Account name which should be specified to be bound to all workspaces pods. | ||
| # Note that Che Server won't create the service account and it should exist. | ||
| # Note that Kubernetes Infrastructure won't create the service account and it should exist. | ||
| # OpenShift infrastructure will check if project is predefined: |
There was a problem hiding this comment.
when you say "if project is predefined" you mean "if che.infra.openshift.project is set" right?
There was a problem hiding this comment.
Right, I'll add the corresponding comment here.
|
ci-test |
|
Results of automated E2E tests of Eclipse Che Multiuser on OCP: |
|
Tests failed because of error in |
|
ci-test |
|
Results of automated E2E tests of Eclipse Che Multiuser on OCP: |
amisevsk
left a comment
amisevsk
left a comment
There was a problem hiding this comment.
Looks good, just a few (not very important) quesitons.
|
|
||
| # Defines Kubernetes Service Account name which should be specified to be bound to all workspaces pods. | ||
| # Note that Che Server won't create the service account and it should exist. | ||
| # Note that Kubernetes Infrastructure won't create the service account and it should exist. |
There was a problem hiding this comment.
This line is a little unclear to me in related to KubernetesServiceAccount.java -- we're creating a SA there if necessary right?
There was a problem hiding this comment.
I believe this is the limitation of the current version of k8s client - rolebindings can only be created via OpenShiftClient, not KubernetesClient
There was a problem hiding this comment.
This line is a little unclear to me in related to KubernetesServiceAccount.java -- we're creating a SA there if necessary right?
Actually, we don't create but we wait for default SA. We are able to create a new one but because of limitation that Illya mentioned we are not able to create rolebinding and role, so it will be implemented for K8s too after upgrading to facric8-client 4.0.4.
| } | ||
| } | ||
|
|
||
| private void createWorkspaceServiceAccount(OpenShiftClient osClient) { |
There was a problem hiding this comment.
Just to double check: does creating a SA / rolebindings require different privileges from what the standard Che SA might be given currently (esp. on public clusters)?
There was a problem hiding this comment.
If workspaces are configured to be created in the same namespace then Che SA needs admin rights in the current namespace (for OpenShift, now we create SA with edit rights in its project).
If workspaces are configured to be created in different namespaces then Che SA needs cluster-admin right or OAuth provider should be used, then a user should be able to create Projects and objects there.
So, I would say that service-account should be used only if:
- Workspaces are created in the same namespace and service account is created during deployment.
- Oauth provider is configured.
Otherwise, extra privileges should be provided for Che SA. Hope it will be helpful.
| # Note that Kubernetes Infrastructure won't create the service account and it should exist. | ||
| # OpenShift infrastructure will check if project is predefined(if `che.infra.openshift.project` is not empty): | ||
| # - if it is predefined then service account must exist there | ||
| # - if it is 'NULL' or empty string then infrastructure will create new OpenShift project per workspace |
There was a problem hiding this comment.
This is for single-user only, right? I'm not clear on how this would work in the multi-user case.
There was a problem hiding this comment.
This is for both. But out-of-the-box it will work only with OAuth provider configured, without it Che SA needs extra permissions for single or multi user mode.
|
@eivantsov FYI |
|
Tests failed again because of error in Che Dockerfiles :: Theia module that is not modified in this PR =( |
|
ci-test |
sleshchenko
force-pushed
the
workspaceServiceAccountCreation
branch
from
926a2bf to
fede1b2
Compare
|
Results of automated E2E tests of Eclipse Che Multiuser on OCP: |
benoitf
removed
the
status/code-review
9 participants
What does this PR do?
Improve OpenShift infrastructure to create a special service account for workspaces if there is no predefined project configured (it means that each workspace will be created in a new project which should be create by Che Server). Che Server makes sure that all needed objects (service account, roles, role bindings) exist each time before a workspace start. It is done in this way to provide backward compatibility with existing installation where some of workspaces' projects exist.
What issues does this PR fix or reference?
#10991
Release Notes
N/A
Docs PR
Will be provided further