STOR-1443: Sync 05_operator_role-hypershift.yaml manifest from cluster-csi-snapsht-controller-operator
#2915
Conversation
…ter-csi-snapsht-controller-operator The operator needs perms to monitor secret (`csi-snapshot-webhook-secret`) updates.
openshift-ci-robot
added
the
jira/valid-reference
|
@mpatlasov: This pull request references STOR-1443 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@mpatlasov: GitHub didn't allow me to request PR reviews from the following users: openshift/storage. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
do-not-merge/needs-area
area/control-plane-operator
|
/test e2e-aws |
1 similar comment
|
/test e2e-aws |
| @@ -67,6 +67,13 @@ rules: | |||
| - create | |||
| - patch | |||
| - update | |||
| - apiGroups: | |||
| - "" | |||
| resources: | |||
There was a problem hiding this comment.
Does this need access to all secrets in the namespace, or can we narrow this down to specific resource names?
There was a problem hiding this comment.
This is only a role (as opposed to clusterrole), so only applies to the namespace where it lives
There was a problem hiding this comment.
@csrwng I know. My question still stands -- does this role require access to all secrets in the namespace, or if it's looking at one specific secret (the description says csi-snapshot-webhook-secret) then can we add a resource name to scope the access to that?
There was a problem hiding this comment.
That's how Informers (openshift/cluster-csi-snapshot-controller-operator@2770991#diff-0d623dfd885adb20f991bda4c2453aebd732ca6dbb4d1d4be6e79805c3b48de6R259) work. We can narrow down list-n-watch to specific namespace, but not to specific secret in namespace. I don't know if it's implementation restriction of Informers or API server itself.
|
/test e2e-kubevirt-aws-ovn |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: csrwng, mpatlasov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/lgtm |
|
@mpatlasov: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
What this PR does / why we need it:
The PR implements restarting
csi-snapshot-webhookif the secretcsi-snapshot-webhook-secretis updated. To do it, the operator needs to monitor for secret updates. This requires new perms in05_operator_role-hypershift.yaml. This PR simply syncs those changes to hypershift repo manifest./cc @openshift/storage
Checklist