Bug 1833558: create ClusteRole and ClusterRoleBinding when invoking oc adm policy add-scc-to-user #412
Conversation
openshift-ci-robot
added
the
bugzilla/severity-high
|
@soltysh: This pull request references Bugzilla bug 1833558, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
bugzilla/valid-bug
openshift-ci-robot
added
the
approved
| p, err := o.ToPrinter(message) | ||
| if err != nil { | ||
| return err | ||
| clusterRole := &rbacv1.ClusterRole{ |
There was a problem hiding this comment.
It would make sense to have these clusterroles created already when the command is run. Manifests or bindata in KAS-o, depending on how SCCs are handled, that way the clusterroles would even be reconciled so we can always be sure that these commands don't have any side-effects.
I assume we need to keep the backward compatibility of oc so we'll still have to create these cluster roles for older clusters, but for the new ones, I would like to see these already created and maintained. You won't have to be able to create cluster roles in that case, too.
There was a problem hiding this comment.
Hmm... I struggled with that thought, but ok. Lemme open a apiserver PR doing that too, and this will be a fallback in case we don't have that.
There was a problem hiding this comment.
https://github.com/openshift/cluster-kube-apiserver-operator/tree/master/manifests could be a good spot for these as SCCs are already there
There was a problem hiding this comment.
Hmm... I went with openshift/openshift-apiserver#108 since that seemed the most natural to me, scc belonging to openshift-apiserver.
There was a problem hiding this comment.
Spoke with Standa on slack, I'll move this to kas-o, since SCCs CRDs are created there, so it's logical continuation.
There was a problem hiding this comment.
pkg/cli/admin/policy/modify_scc.go
Outdated
| if err != nil { | ||
| return err | ||
| } | ||
| if o.DryRunStrategy == kcmdutil.DryRunClient || (o.PrintFlags.OutputFormat != nil && len(*o.PrintFlags.OutputFormat) > 0) { |
There was a problem hiding this comment.
no creating the clusterrole if an OutputFormat is specified?
There was a problem hiding this comment.
Good catch, I copied that from modify_roles.go, which probably needs an update too.
| return err | ||
| } | ||
| } else { | ||
| if _, err := o.RbacClient.ClusterRoles().Create(context.TODO(), clusterRole, metav1.CreateOptions{}); err != nil { |
There was a problem hiding this comment.
I wonder whether the apimachinery's CreateOptions.DryRun could be used here
There was a problem hiding this comment.
Theoretically - yes, but we don't support that, yet.
| addSubjects := RoleModificationOptions{ | ||
| RoleKind: clusterRole.Kind, | ||
| RoleName: clusterRole.Name, | ||
| RoleBindingName: fmt.Sprintf(RBACNamesFmt, o.SCCName), |
There was a problem hiding this comment.
With the way SCCs originally worked, namespacing access to an SCC was not possible, but we can add namespaced access now by passing in RoleBindingNamespace.
|
@stlaz comments addressed, ptal |
|
Origin test changes in openshift/origin#24974 |
pkg/cli/admin/policy/modify_scc.go
Outdated
| RoleKind: "ClusterRole", | ||
| RoleName: fmt.Sprintf(RBACNamesFmt, o.SCCName), | ||
| RoleBindingName: fmt.Sprintf(RBACNamesFmt, o.SCCName), | ||
| RoleBindingNamespace: o.DefaultSubjectNamespace, |
There was a problem hiding this comment.
the default should still be cluster-scoped, add -n option make this available
|
|
…c adm policy add-scc-to-user
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: soltysh, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
10 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
9 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
This is waiting for openshift/origin#25032 to be able to pass e2e-cmd |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@soltysh: Some pull requests linked via external trackers have merged: openshift/origin#25032, openshift/oc#412. The following pull requests linked via external trackers have not merged:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is new version of openshift/origin#22781 with some changes.
I'll need to update tests too.
/assign @stlaz