[CLOUD-2261] adding permission to list pods #447

Merged

@ochaloup
Contributor

commented Apr 17, 2018

https://issues.jboss.org/browse/CLOUD-2261

Adding a new system role with permission to query the API to get the list of pods. This is needed for the case where the recovery of transactions is done via API querying, as discussed at CLOUD-2261 and in the document https://docs.google.com/document/d/1JdOTMP6pdexJ__KYlw9hgwR6DOCHTtYCQy7PqyMk8OU/edit

/cc @rcernich

"metadata": {
"name": "listing-pod-role"
},
"rules": [


rcernich Apr 17, 2018

Contributor

I assume we're adding this because it's more restrictive than the view role?


ochaloup Apr 18, 2018

Author Contributor

Yes, the point was not to use the view role but to allow only the least necessary minimum.


rcernich Apr 18, 2018

Contributor

I suspect we'll have the same problem of recreating the role on subsequent template invocations. It may be better to use view to avoid this problem for the time being.

"apiVersion": "v1",
"kind": "ServiceAccount",
"metadata": {
"name": "listing-pod"


rcernich Apr 17, 2018

Contributor

Using a static name in the template will cause problems on subsequent invocations, because the service account already exists.

{
"kind": "ServiceAccount",
"name": "listing-pod",
"namespace": "${NAMESPACE}"
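
Review bot: at "namespace": "${NAMESPACE}" this subject entry takes the service account's namespace from a user-supplied parameter while the name is the fixed "listing-pod", so a value that differs from the project where the template is instantiated would point the binding at a service account in another project. If the field cannot be dropped, the parameter description should state that the value must equal the target project, and the value should be checked before the template is processed.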


rcernich Apr 17, 2018

Contributor

Is namespace required here? If so, that might present a usability problem. I thought most references defaulted to the containing namespace if not specified.

{
"displayName": "Project Namespace",
"description": "Project namespace where the template pods will be installed to. The value is used to define service account and role to permit listing pods from OpenShift API.",
"name": "NAMESPACE",


rcernich Apr 17, 2018

Contributor

We should try to remove this. Having to specify the namespace directly is a bit of a usability problem, since it should default to the namespace within which the resources are being created.

@ochaloup ochaloup force-pushed the ochaloup:CLOUD-2261-adding-roles-to-templates branch from 4a4beff to fa1eeca Apr 18, 2018

@ochaloup

Contributor Author

commented Apr 18, 2018

@rcernich thanks for your points. I've changed the template a bit to address them, except for the issue with the namespace. Without defining the namespace in the role ref part of the template, the image does not work. As I understand it, it's a known issue, see openshift/origin#11566 (comment)

Do you think using the view role would be more appropriate? Or would you have an idea how to get around this? Many thanks!

@ochaloup ochaloup force-pushed the ochaloup:CLOUD-2261-adding-roles-to-templates branch from fa1eeca to cd74754 Apr 19, 2018

@ochaloup

Contributor Author

commented Apr 19, 2018

@rcernich I see. I've changed the template to use the view Role, for the service account, instead of the newly defined one. What do you think now?

@ochaloup

Contributor Author

commented Apr 23, 2018

Hi @rcernich, what do you think about the change-set now? And what is your expectation for jboss-openshift/cct_module#230?

Thank you

"apiVersion": "v1",
"kind": "ServiceAccount",
"metadata": {
"name": "${SERVICE_ACCOUNT_NAME}"


rcernich Apr 24, 2018

Contributor

I would recommend removing the parameter and just have it use something like ${APPLICATION_NAME}-account or ${APPLICATION_NAME}-sa.


ochaloup Apr 25, 2018

Author Contributor

I see, thanks. Here you go.

@ochaloup ochaloup force-pushed the ochaloup:CLOUD-2261-adding-roles-to-templates branch from cd74754 to b46bf52 Apr 25, 2018

@ochaloup ochaloup force-pushed the ochaloup:CLOUD-2261-adding-roles-to-templates branch from b46bf52 to 474cebd Jun 29, 2018

@rcernich rcernich merged commit 886661e into jboss-openshift:master Jul 23, 2018
