New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1833558: create ClusteRole and ClusterRoleBinding when invoking oc adm policy add-scc-to-user #412
Conversation
@soltysh: This pull request references Bugzilla bug 1833558, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few comments and ideas.
I'm not sure about the situation around o.PrintFlags.OutputFormat
(when they are unset), but the condition around dry-running a cluster-role creation seems wrong.
p, err := o.ToPrinter(message) | ||
if err != nil { | ||
return err | ||
clusterRole := &rbacv1.ClusterRole{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would make sense to have these clusterroles created already when the command is run. Manifests or bindata in KAS-o, depending on how SCCs are handled, that way the clusterroles would even be reconciled so we can always be sure that these commands don't have any side-effects.
I assume we need to keep the backward compatibility of oc
so we'll still have to create these cluster roles for older clusters, but for the new ones, I would like to see these already created and maintained. You won't have to be able to create cluster roles in that case, too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm... I struggled with that thought, but ok. Lemme open a apiserver PR doing that too, and this will be a fallback in case we don't have that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://github.com/openshift/cluster-kube-apiserver-operator/tree/master/manifests could be a good spot for these as SCCs are already there
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm... I went with openshift/openshift-apiserver#108 since that seemed the most natural to me, scc belonging to openshift-apiserver.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Spoke with Standa on slack, I'll move this to kas-o, since SCCs CRDs are created there, so it's logical continuation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pkg/cli/admin/policy/modify_scc.go
Outdated
if err != nil { | ||
return err | ||
} | ||
if o.DryRunStrategy == kcmdutil.DryRunClient || (o.PrintFlags.OutputFormat != nil && len(*o.PrintFlags.OutputFormat) > 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no creating the clusterrole if an OutputFormat
is specified?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, I copied that from modify_roles.go
, which probably needs an update too.
return err | ||
} | ||
} else { | ||
if _, err := o.RbacClient.ClusterRoles().Create(context.TODO(), clusterRole, metav1.CreateOptions{}); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder whether the apimachinery's CreateOptions.DryRun
could be used here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Theoretically - yes, but we don't support that, yet.
addSubjects := RoleModificationOptions{ | ||
RoleKind: clusterRole.Kind, | ||
RoleName: clusterRole.Name, | ||
RoleBindingName: fmt.Sprintf(RBACNamesFmt, o.SCCName), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the way SCCs originally worked, namespacing access to an SCC was not possible, but we can add namespaced access now by passing in RoleBindingNamespace
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@stlaz comments addressed, ptal |
Origin test changes in openshift/origin#24974 |
pkg/cli/admin/policy/modify_scc.go
Outdated
RoleKind: "ClusterRole", | ||
RoleName: fmt.Sprintf(RBACNamesFmt, o.SCCName), | ||
RoleBindingName: fmt.Sprintf(RBACNamesFmt, o.SCCName), | ||
RoleBindingNamespace: o.DefaultSubjectNamespace, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the default should still be cluster-scoped, add -n
option make this available
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in latest push.
|
…c adm policy add-scc-to-user
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: soltysh, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
10 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
9 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/hold |
This is waiting for openshift/origin#25032 to be able to pass e2e-cmd |
/hold cancel |
/retest Please review the full test history for this PR and help us cut down flakes. |
@soltysh: Some pull requests linked via external trackers have merged: openshift/origin#25032, openshift/oc#412. The following pull requests linked via external trackers have not merged:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is new version of openshift/origin#22781 with some changes.
I'll need to update tests too.
/assign @stlaz