New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1796412: cluster-reader is unable to view machine resources #149
Bug 1796412: cluster-reader is unable to view machine resources #149
Conversation
414d648
to
3b9b5df
Compare
install/03_rbac.yaml
Outdated
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 | |||
kind: ClusterRole | |||
metadata: | |||
name: cluster-autoscaler-operator | |||
labels: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this clusterRole has more permissions than the cluster reader should have.
We need to create one particular clusterRole reader for it, e.g https://github.com/openshift/cloud-credential-operator/blob/aa07b32fc3440d30bc90af636ca9ccd62e70c58a/manifests/00_clusterreader_clusterrole.yaml
hack/gen-crd.sh
Outdated
@@ -3,12 +3,12 @@ | |||
set -eu | |||
|
|||
function annotate_crd() { | |||
script='/^metadata:/a\ | |||
\ \ annotations:\ | |||
script1='/^ annotations:/a\ | |||
\ \ \ \ exclude.release.openshift.io/internal-openshift-hosted: "true"' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this does not seem related to this PR, please let's drop it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JoelSpeed going to include the autogen fix for crds in another pr, as I agree it is out of scope
@@ -17,7 +17,6 @@ spec: | |||
- ca | |||
singular: clusterautoscaler | |||
scope: Cluster | |||
preserveUnknownFields: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this required? @enxebre I remember you introduced preserveUnknownFields: false
intentionally
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see the comment below now
@@ -38,7 +38,6 @@ spec: | |||
- ma | |||
singular: machineautoscaler | |||
scope: Namespaced | |||
preserveUnknownFields: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this does not seem related to this PR, please let's drop it.
BUG 1796412: cluster-reader is unable to view machine resources
3b9b5df
to
7835856
Compare
metadata: | ||
name: cluster-autoscaler-operator:cluster-reader | ||
labels: | ||
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there any docs we can refer here for this label?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Under already created aggregation rule this ClusterRole will be combined with cluster-reader
list of permissions, according to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
/retest |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enxebre The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
/retest Please review the full test history for this PR and help us cut down flakes. |
/bugzilla refresh |
@enxebre: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@Danil-Grigorev: This pull request references Bugzilla bug 1796412, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@Danil-Grigorev: All pull requests linked via external trackers have merged: openshift/cluster-autoscaler-operator#149. Bugzilla bug 1796412 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Added cluster-reader permissions to
cluster-autoscaler
cluster-role