Update control-plane-operator policy #1469

Merged
merged 1 commit into from Feb 13, 2023


csrwng
Contributor

@csrwng csrwng commented Feb 8, 2023

What type of PR is this?

feature

What this PR does / why we need it?

The control-plane-operator needs additional permissions in order to create and destroy a default security group for NodePools where no security group is specified.

Which Jira/Github issue(s) this PR fixes?

Fixes # HOSTEDCP-789

Special notes for your reviewer:

Pre-checks (if applicable):

  • Tested latest changes against a cluster

  • Included documentation changes with PR

  • If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
    - key: api.openshift.com/fedramp
      operator: NotIn
      values: ["true"]

@cblecker
Member

cblecker commented Feb 8, 2023

/assign @jharrington22

@fahlmant
Contributor

fahlmant commented Feb 8, 2023

@csrwng Is this specific to hypershift?

@csrwng
Contributor Author

csrwng commented Feb 9, 2023

@fahlmant yes it is. The entire control plane operator policy is only used in hypershift

Member

@jewzaam jewzaam left a comment


@jharrington22
Contributor

@csrwng as @jewzaam suggested, could you also add these actions to the policy in the HyperShift directory? The plan is to migrate from these to those newer policies, which will contain IAM conditions to ensure we only operate on objects tagged by Red Hat.
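
The tag-scoping idea in the comment above, as an added example that is not part of the thread or the project's policy files: a Python check that flags IAM `Allow` statements granting EC2 security-group write actions without a condition on an owner tag. The tag key `example-owner-tag`, the helper names and the sample policy are assumptions constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

OWNER_TAG = "example-owner-tag"  # assumed placeholder; the thread names no tag key
SG_WRITE = {"ec2:createsecuritygroup", "ec2:deletesecuritygroup",
            "ec2:authorizesecuritygroupingress", "ec2:authorizesecuritygroupegress",
            "ec2:revokesecuritygroupingress", "ec2:revokesecuritygroupegress"}
TAG_KEYS = {f"{p}/{OWNER_TAG}".lower()
            for p in ("aws:ResourceTag", "aws:RequestTag", "ec2:ResourceTag")}

def as_list(value):
    return value if isinstance(value, list) else [value]

def tag_scoped(condition):
    """True only if a positive string operator pins the owner tag."""
    for op, keys in condition.items():
        # Drop a ForAllValues:/ForAnyValue: prefix. Negated operators and
        # ...IfExists variants are rejected: IfExists passes when the tag is absent.
        if op.split(":")[-1].lower() in ("stringequals", "stringlike"):
            if any(k.lower() in TAG_KEYS for k in keys):
                return True
    return False

def unscoped_sg_statements(policy_json):
    """Return (Sid, matched actions) for Allow statements that grant
    security-group writes without the owner-tag condition."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope here
        patterns = [a.lower() for a in as_list(stmt["Action"])]
        hits = sorted(a for a in SG_WRITE if any(fnmatchcase(a, p) for p in patterns))
        if hits and not tag_scoped(stmt.get("Condition", {})):
            findings.append((stmt.get("Sid", f"#{i}"), hits))
    return findings

# Constructed sample policy, written only to exercise the check.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CreateDefaultSG", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup",
     "Resource": "*",
     "Condition": {"StringEquals": {f"aws:RequestTag/{OWNER_TAG}": "true"}}},
    {"Sid": "DeleteDefaultSG", "Effect": "Allow", "Action": "ec2:DeleteSecurityGroup",
     "Resource": "*",
     "Condition": {"StringEqualsIfExists": {f"aws:ResourceTag/{OWNER_TAG}": "true"}}},
    {"Sid": "Broad", "Effect": "Allow", "Action": ["ec2:*SecurityGroup*"], "Resource": "*"},
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:DescribeSecurityGroups",
     "Resource": "*"},
]})

if __name__ == "__main__":
    for sid, actions in unscoped_sg_statements(SAMPLE_POLICY):
        print(f"{sid}: {', '.join(actions)} allowed without {OWNER_TAG} condition")
```

The `DeleteDefaultSG` statement is flagged even though it mentions the tag, because `StringEqualsIfExists` still allows the action on a group that carries no such tag.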

The control-plane-operator needs additional permissions in order to
create and destroy a default security group for NodePools where no
security group is specified.
@csrwng
Contributor Author

csrwng commented Feb 10, 2023

Thanks @jharrington22. Done.

Contributor

@jharrington22 jharrington22 left a comment


/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 13, 2023
@openshift-ci
Contributor

openshift-ci bot commented Feb 13, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng, jharrington22

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 13, 2023
@openshift-ci
Contributor

openshift-ci bot commented Feb 13, 2023

@csrwng: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot merged commit e6b9fa6 into openshift:master Feb 13, 2023
6 participants