Grant authenticated users access to read kubevirt-storage-class-defaults #498
Conversation
kubevirt-bot
added
release-note
deploy/cluster_role.yaml
Outdated
| kind: Role | ||
| metadata: | ||
| name: hco.kubevirt.io:config-reader | ||
| namespace: kubevirt-hyperconverged |
There was a problem hiding this comment.
not exactly sure the context in which this manifest is used but the other roles do not specify the namespace. So maybe also shouldn't here?
There was a problem hiding this comment.
I want to give access to the configmap with namespace kubevirt-hyperconverged and name kubevirt-storage-class-defaults.
if I don't restrict the namespace then I'm granting access to an identically named configmap in anu namespace (if someone happens to use that exact name. unlikely, but I shouldn't do it)
|
In order to make sure that it gets included in all of the places it should (ie. downstream), we need to make it so that However, even with that change, I don't think the Role will be installed when the HCO is installed via OLM. How exactly is this Role supposed to 1) make it onto a cluster 2) be used? |
|
Is this something that the HCO should be creating in it's |
|
Here's a version creating everything via reconcile. I added a functional test too. |
This comment has been minimized.
This comment has been minimized.
|
Rebased to include the latest (unrelated, but fixing the tests issue) commits. |
|
ping |
| APIGroups: []string{""}, | ||
| Resources: []string{"configmaps"}, | ||
| ResourceNames: []string{"kubevirt-storage-class-defaults"}, | ||
| Verbs: []string{"get", "watch", "list"}, |
There was a problem hiding this comment.
can you please run go fmt pkg/controller/hyperconverged/hyperconverged_controller.go and commit back the result?
| @@ -292,6 +293,8 @@ func (r *ReconcileHyperConverged) Reconcile(request reconcile.Request) (reconcil | |||
| for _, f := range []func(*hcov1alpha1.HyperConverged, logr.Logger, reconcile.Request) error{ | |||
| r.ensureKubeVirtConfig, | |||
| r.ensureKubeVirtStorageConfig, | |||
| r.ensureKubeVirtStorageRole, | |||
| r.ensureKubeVirtStorageRoleBinding, | |||
There was a problem hiding this comment.
Why have we to do it at runtime via HCO?
Isn't OLM not enough for this?
There was a problem hiding this comment.
I assume it can. I wasn't sure about how I'm expected to do something like this.
HCO seems to work with kubernetes too, whereas OLM is apparently specific to OpenShift.
Are we expected to add to the OLM files and have the kubernetes bits be generated?
There was a problem hiding this comment.
Yes, something like that:
https://github.com/kubevirt/hyperconverged-cluster-operator/blob/master/deploy/cluster_role_binding.yaml and https://github.com/kubevirt/hyperconverged-cluster-operator/blob/master/deploy/cluster_role.yaml are used only on plain k8s deployment.
https://github.com/kubevirt/hyperconverged-cluster-operator/blob/master/deploy/olm-catalog/kubevirt-hyperconverged/1.1.0/kubevirt-hyperconverged-operator.v1.1.0.clusterserviceversion.yaml is instead the CSV for OLM based deployment.
both the set of files are generated running hack/build-manifests.sh according to what's provided by the components operators.
In order to consume a different component you have to patch go.mod and run go mod vendor and hack/config
There was a problem hiding this comment.
In this case HCO is adding the ConfigMap, so it feels like the role should be something HCO adds. Is there somewhere that isn't auto-generated for appending to HCO-specific additions?
|
@maya-r: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
maya-r
force-pushed
the
rbac
branch
2 times, most recently
from
02fd070
to
7365560
Compare
|
All tests passed |
|
This looked like the right thing, I edited pkg/components/components.go and build-manifests.sh regenerated deploy/*.yaml, but the OLM CSV doesn't look like it picked up any changes. |
You can eventually patch GetInstallStrategyBase functions. |
|
Right now the configmap is generated by HCO in https://github.com/kubevirt/hyperconverged-cluster-operator/blob/master/pkg/controller/hyperconverged/hyperconverged_controller.go#L1502-L1524 I don't know why it's here (or why anything that it does is useful), but the web UI looks at this information |
|
So, I'm running into some trouble: OLM only lets me specify a serviceAccountName in a clusterPermissions. |
|
All tests passed |
|
I went back to the version adding the Role and RoleBinding via the reconcile loop, because I don't think it's possible to add them via OLM. Another option worth considering is granting access to the openshift-console serviceAccountName, that might have the expected effect too. @orenc1, could you have a look at this pull request? I'm under the impression that @tiraboschi is away on holiday. |
Hi @maya-r , we are using the OLM to set the required permissions for the service accounts of HCO's dependent operators. If the access for |
| @@ -469,6 +470,8 @@ func (r *ReconcileHyperConverged) ensureHco(req *hcoRequest) error { | |||
| r.ensureKubeVirtPriorityClass, | |||
| r.ensureKubeVirtConfig, | |||
| r.ensureKubeVirtStorageConfig, | |||
| r.ensureKubeVirtStorageRole, | |||
There was a problem hiding this comment.
In addition to the general comment about not doing it from reconcile - if there is no other choice, I would call these two methods from within ensureCDI and not as part of this loop. This is something that is not monitors by HCO as other resources.
There was a problem hiding this comment.
Thanks for the review.
My original motivation to write the code this way is that ensureKubeVirtStorageConfig is currently implemented as its own reconcile function.
If the intention in rotating the code is to "don't test if the rolebinding exists in every reconcile iteration", I don't think that this is a good idea.
It would violate our rule to write reconcile such that we reach eventual consistency. This might negatively affect updates, as one example.
If it's just to make things tidy, I should probably combine it with ensureKubeVirtStorageConfig too.
I would recommend you to test by manually configuring the required Roles&RoleBindings of this configmap for the console ServiceAccount and see if it solves the issue. If so, add the relevant section in |
|
I got a response from Tomas Jelinek that the web interface accesses objects in the cluster as the logged in user (I had some trouble experimenting in the web interface). |
|
OK. |
|
Yes, I also agree with @nunnatsa comment: all the methods called in the first loop in ensureHco method have a specific signature because the code there will use it to check the conditions reported by component operators and eventually the status of an upgrade. |
@maya-r ping? |
|
All tests passed |
kubevirt-bot
added
the
needs-rebase
- Add a role/rolebinding for this purpose, using reconcile. This is not done using OLM because OLM clusterPermissions only allows adding permissions to a serviceAccountName. - Add a functional test ensuring unprivileged users can read that configmap but not others. - Cargo cult add the role/rolebinding to the unit tests wherever we test all elements created by reconcile Signed-off-by: Maya Rashish <mrashish@redhat.com>
This means they can use a simpler function signature Signed-off-by: Maya Rashish <mrashish@redhat.com>
kubevirt-bot
removed
the
needs-rebase
|
All tests passed |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: orenc1 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
Bugzilla bug report.