Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added node to persistent-volume-binder clusterrole #46771

Merged
merged 1 commit into from
Jun 5, 2017
Merged

Added node to persistent-volume-binder clusterrole #46771

merged 1 commit into from
Jun 5, 2017

Conversation

n-marton
Copy link
Contributor

@n-marton n-marton commented Jun 1, 2017

What this PR does / why we need it: Added missing permission to volume-binder clusterrole

Which issue this PR fixes: fixes #46770

Special notes for your reviewer: Non

Release note: Non

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 1, 2017
@k8s-ci-robot
Copy link
Contributor

Hi @n-marton. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 1, 2017
@k8s-github-robot k8s-github-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note-label-needed labels Jun 1, 2017
liggitt
liggitt reviewed Jun 1, 2017
View reviewed changes
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -188,6 +188,8 @@ func init() {
rbac.NewRule("get", "list", "watch").Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
rbac.NewRule("get", "create", "delete").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
rbac.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
// openstack
rbac.NewRule("get", "list").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where is this used? I see it in the attach-detach controller, but not in the binder

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nm, found it https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/cinder/cinder_util.go#L146

@liggitt
Copy link
Member

liggitt commented Jun 2, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 2, 2017
@liggitt
Copy link
Member

liggitt commented Jun 2, 2017

@k8s-bot ok to test

@k8s-ci-robot k8s-ci-robot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 2, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, n-marton

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge DEPRECATED. Indicates that a PR should not merge. Label can only be manually applied/removed. labels Jun 2, 2017
@liggitt liggitt added release-note-none Denotes a PR that doesn't merit a release note. and removed release-note-label-needed do-not-merge DEPRECATED. Indicates that a PR should not merge. Label can only be manually applied/removed. labels Jun 2, 2017
@liggitt liggitt added this to the v1.7 milestone Jun 2, 2017
@liggitt liggitt added kind/bug Categorizes issue or PR as related to a bug. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/storage Categorizes an issue or PR as relevant to SIG Storage. labels Jun 2, 2017
@n-marton
Copy link
Contributor Author

n-marton commented Jun 2, 2017

Are those three failed relevant here?

@liggitt
Copy link
Member

liggitt commented Jun 2, 2017

Are those three failed relevant here?

nope, flakes.

@k8s-bot pull-kubernetes-federation-e2e-gce test this
@k8s-bot pull-kubernetes-e2e-kops-aws test this

@pospispa pospispa mentioned this pull request Jun 2, 2017
Merged
@liggitt
Copy link
Member

liggitt commented Jun 2, 2017

@k8s-bot pull-kubernetes-e2e-kops-aws test this
@k8s-bot pull-kubernetes-federation-e2e-gce test this

@wojtek-t
Copy link
Member

wojtek-t commented Jun 4, 2017

@k8s-bot pull-kubernetes-e2e-kops-aws test this

@k8s-ci-robot
Copy link
Contributor

@n-marton: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-federation-e2e-gce a6a9fc1 link @k8s-bot pull-kubernetes-federation-e2e-gce test this

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 46734, 46810, 46759, 46259, 46771)

@k8s-github-robot k8s-github-robot merged commit 0cff839 into kubernetes:master Jun 5, 2017
deads2k pushed a commit to deads2k/kubernetes that referenced this pull request Jul 5, 2017
@deads2k
UPSTREAM: 46771: Allow persistent-volume-binder to List Nodes/Zones A…
b04556d 
…vailable in the Cluster

Backport of K8s PR kubernetes#46771.

Cinder provisioner chooses a zone from the list of zones available in the cluster in case no zone is specified in the corresponding Storage Class. However, currently the provisioner (persistent-volume-binder) does not have right to get the list of nodes/zones available in the cluster.

That's why the persistent-volume-binder is being given permission to list and watch nodes in the cluster.

Note: the above problem was fixed in openshift/ose@54b994c
however, the fix was mistakenly "deleted" in openshift/ose@8c7065f

:100644 100644 f82ab0fe3c... fb3501d849... M	plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
:100644 100644 72c5d81d84... d06e2271f7... M	plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
deads2k pushed a commit to openshift/kubernetes that referenced this pull request Jul 5, 2017
@deads2k
UPSTREAM: 46771: Allow persistent-volume-binder to List Nodes/Zones A…
ba2b028 
…vailable in the Cluster

Backport of K8s PR kubernetes#46771.

Cinder provisioner chooses a zone from the list of zones available in the cluster in case no zone is specified in the corresponding Storage Class. However, currently the provisioner (persistent-volume-binder) does not have right to get the list of nodes/zones available in the cluster.

That's why the persistent-volume-binder is being given permission to list and watch nodes in the cluster.

Note: the above problem was fixed in openshift/ose@54b994c
however, the fix was mistakenly "deleted" in openshift/ose@8c7065f

:100644 100644 f82ab0fe3c... fb3501d849... M	plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
:100644 100644 72c5d81d84... d06e2271f7... M	plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

Assignees

@liggitt liggitt

@ericchiang ericchiang

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
v1.7
Development

Successfully merging this pull request may close these issues.

RBAC missing permission for persistent-volume-binder
6 participants
@n-marton @k8s-ci-robot @liggitt @k8s-github-robot @wojtek-t @ericchiang