STOR-1443: Sync 05_operator_role-hypershift.yaml manifest from cluster-csi-snapsht-controller-operator #2915
…ter-csi-snapsht-controller-operator The operator needs perms to monitor secret (`csi-snapshot-webhook-secret`) updates.
@mpatlasov: This pull request references STOR-1443 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@mpatlasov: GitHub didn't allow me to request PR reviews from the following users: openshift/storage. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
/test e2e-aws
/test e2e-aws
@@ -67,6 +67,13 @@ rules: | |||
- create | |||
- patch | |||
- update | |||
- apiGroups: | |||
- "" | |||
resources: |
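Review bot: the rule added at `- apiGroups:` / `- ""` targets the core API group, but nothing in the manifest records why the operator needs it. The PR description says the purpose is to monitor updates to `csi-snapshot-webhook-secret`, so a YAML comment above the rule naming that secret and the reason would help later reviewers judge whether the grant can be tightened. Please also confirm the verb list stays read-only, since monitoring for updates does not need write access. The rest of the hunk (the resource list and verbs) is cut off in this view and could not be checked.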
Does this need access to all secrets in the namespace, or can we narrow this down to specific resource names?
This is only a role (as opposed to clusterrole), so only applies to the namespace where it lives
@csrwng I know. My question still stands -- does this role require access to all secrets in the namespace, or if it's looking at one specific secret (the description says `csi-snapshot-webhook-secret`) then can we add a resource name to scope the access to that?
That's how Informers (openshift/cluster-csi-snapshot-controller-operator@2770991#diff-0d623dfd885adb20f991bda4c2453aebd732ca6dbb4d1d4be6e79805c3b48de6R259) work. We can narrow down list-n-watch to specific namespace, but not to specific secret in namespace. I don't know if it's implementation restriction of Informers or API server itself.
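The scoping question raised in this review thread, shown as an added example that is not part of the PR or the operator's manifest: a namespace-wide read rule on secrets next to the same rule limited with `resourceNames`. The Role names, the namespace and the verb list are assumptions, since the PR's full rule is not visible on this page.

```yaml
# Added illustration. Values marked "hypothetical" or "assumed" are not from the PR.

# Broad form: read access to every Secret in the Role's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: snapshot-operator-secrets-broad    # hypothetical
  namespace: example-hosted-cluster        # hypothetical
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:                                   # assumed read-only verbs
  - get
  - list
  - watch
---
# Scoped form: the same verbs limited to one named Secret.
# RBAC authorizes list and watch against resourceNames only when the
# request carries the field selector metadata.name=<name>. A client that
# lists or watches the whole namespace without that selector is denied
# under this Role, so the operator's informer would have to be built
# with the selector for this form to work.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: snapshot-operator-secrets-scoped   # hypothetical
  namespace: example-hosted-cluster        # hypothetical
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - csi-snapshot-webhook-secret            # secret named in the PR description
  verbs:                                   # assumed read-only verbs
  - get
  - list
  - watch
```

With the scoped Role bound, `kubectl auth can-i list secrets --as=<subject> -n <namespace>` reports whether the namespace-wide list is still allowed for the operator's service account.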
/test e2e-kubevirt-aws-ovn
/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng, mpatlasov

The full list of commands accepted by this bot can be found here. The pull request process is described here
/lgtm
@mpatlasov: The following test failed, say
What this PR does / why we need it:
The PR implements restarting `csi-snapshot-webhook` if the secret `csi-snapshot-webhook-secret` is updated. To do it, the operator needs to monitor for secret updates. This requires new perms in `05_operator_role-hypershift.yaml`. This PR simply syncs those changes to hypershift repo manifest.

/cc @openshift/storage