New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-3873: adding rbac for UserOAuthAccessToken #2962
OCPBUGS-3873: adding rbac for UserOAuthAccessToken #2962
Conversation
control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
Show resolved
Hide resolved
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: csrwng, Patryk-Stefanski The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…indings for useroauthaccesstoken
if r.Annotations == nil { | ||
r.Annotations = map[string]string{} | ||
} | ||
r.Annotations["rbac.authorization.kubernetes.io/autoupdate"] = "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need this annotation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure if we do or why but Its present in the yaml file I used as a reference (link) aswell as on regular ocp .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we please investigate and clarify with that team why is needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation
I don't think we need this as we are already reconciling it, but also don't see any harm in having it. Wdyt @enxebre ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My vote is to leave it on there, given that at some point we may want to honor this annotation in the hcco so that we're in line with kube.
/lgtm |
@Patryk-Stefanski: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@Patryk-Stefanski: Jira Issue OCPBUGS-3873: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-3873 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What this PR does / why we need it:
Adds rbac to hosted clusters to allow users created through OAuth to retrieve the
UserOAuthAccessToken
Which issue(s) this PR fixes (optional, use
fixes #<issue_number>(, fixes #<issue_number>, ...)
format, where issue_number might be a GitHub issue, or a Jira story:Fixes #
OCPBUGS-3873
Checklist