Allow cluster role bindings for pods ultimately owned by a cluster wide operator #1646

Merged


@edcdavid edcdavid commented Nov 20, 2023

Pods' owner references are traversed using unstructured generic objects until the top owners are reached and then recorded. If the top owner includes a CSV that is "cluster-wide", we allow cluster role bindings to be used by the pods.
A CSV is cluster-wide if:

  • the IsClusterWide variable in our operator object is set (checks the target namespaces)
  • the CSV installMethods are either multi-namespace or all-namespace
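
The owner walk and the resulting allow/deny decision, as an added Go example that is not code from this pull request or the project. The `Obj` type, the string keys and the `Sample` graph are hypothetical, and treating either of the two listed conditions as sufficient is an assumption.

```go
package main

import "fmt"

type Obj struct { // simplified stand-in for a Kubernetes object (hypothetical)
	Kind          string
	Owners        []string        // keys of the objects in ownerReferences
	Modes         map[string]bool // supported CSV install modes
	IsClusterWide bool            // stand-in for the operator object's flag
}

// TopOwners walks owner references upward and returns the ownerless objects.
func TopOwners(store map[string]Obj, start string) (tops []string) {
	seen, queue := map[string]bool{}, []string{start}
	for i := 0; i < len(queue); i++ {
		o, found := store[queue[i]]
		if seen[queue[i]] || !found { // skip cycles and dangling references
			continue
		}
		seen[queue[i]] = true
		if len(o.Owners) == 0 {
			tops = append(tops, queue[i])
		}
		queue = append(queue, o.Owners...)
	}
	return tops
}

// AllowsClusterRoleBinding: a top owner must be a cluster-wide CSV (assumed: either signal suffices).
func AllowsClusterRoleBinding(store map[string]Obj, pod string) bool {
	for _, k := range TopOwners(store, pod) {
		if o := store[k]; o.Kind == "ClusterServiceVersion" &&
			(o.IsClusterWide || o.Modes["MultiNamespace"] || o.Modes["AllNamespaces"]) {
			return true
		}
	}
	return false
}

func Sample(mode string) map[string]Obj {
	return map[string]Obj{ // constructed graph: pod -> ReplicaSet -> Deployment -> CSV
		"pod":    {Kind: "Pod", Owners: []string{"rs"}},
		"rs":     {Kind: "ReplicaSet", Owners: []string{"deploy"}},
		"deploy": {Kind: "Deployment", Owners: []string{"csv"}},
		"csv":    {Kind: "ClusterServiceVersion", Modes: map[string]bool{mode: true}},
	}
}

func main() { fmt.Println(AllowsClusterRoleBinding(Sample("AllNamespaces"), "pod")) }
```

A pod with no owner, an owner that cannot be resolved, or a top owner that is not a CSV is denied, so the exemption cannot be reached by a workload that is not actually managed by a cluster-wide operator.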

@edcdavid edcdavid force-pushed the clusterwide-role-bindings2 branch 3 times, most recently from a3c8fd2 to ee35373 Compare November 21, 2023 00:22
If top owner is a CSV installed cluster-wide, allow cluster role-bindings
@edcdavid edcdavid merged commit 08d0fb9 into test-network-function:main Nov 28, 2023
19 checks passed
greyerof added a commit that referenced this pull request Dec 15, 2023
* Bump github.com/onsi/ginkgo/v2 from 2.13.0 to 2.13.1 (#1610)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.0 to 2.13.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.13.0...v2.13.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/test-network-function/privileged-daemonset (#1612)

Bumps [github.com/test-network-function/privileged-daemonset](https://github.com/test-network-function/privileged-daemonset) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/test-network-function/privileged-daemonset/releases)
- [Commits](test-network-function/privileged-daemonset@v1.0.14...v1.0.15)

---
updated-dependencies:
- dependency-name: github.com/test-network-function/privileged-daemonset
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Temporarily disable QE parallel flag for nightlies (#1617)

* Bump github.com/test-network-function/test-network-function-claim (#1611)

Bumps [github.com/test-network-function/test-network-function-claim](https://github.com/test-network-function/test-network-function-claim) from 1.0.30 to 1.0.31.
- [Release notes](https://github.com/test-network-function/test-network-function-claim/releases)
- [Commits](test-network-function/test-network-function-claim@v1.0.30...v1.0.31)

---
updated-dependencies:
- dependency-name: github.com/test-network-function/test-network-function-claim
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Rabkin <david@rabkin.co.il>

* Update RHCOS to OCP version map (#1618)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* Disable Go cache for self-hosted (#1626)

* Add retries to QE nightlies (#1628)

* Fix gchat alert message. (#1630)

After testing it in a private repo, it works when the webhook URL+query
is surrounded by single quotes.

* Update RHCOS to OCP version map (#1629)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* Fixed function AreCPUResourcesWholeUnits(). (#1631)

The bug happens when deploying pods with containers that don't have any
cpu req/limit defined in its spec but they do have any other resource
(like mem) set.

cut.Resources.Requests and cut.Resources.Limits are maps, whose keys are
the different resources (mem, cpu, hugepages) that were explicitly set
in the container spec.

Requests.Cpu() returns a defaulted (zeroed) Quantity for the cpu
resource if that resource type doesn't exist in the requests map, which
will happen if cpu reqs/limits are not explicitly set in the pod spec.

* Bump ubi8/ubi from 8.8-1067.1698056881 to 8.9-1028 (#1633)

Bumps ubi8/ubi from 8.8-1067.1698056881 to 8.9-1028.

---
updated-dependencies:
- dependency-name: ubi8/ubi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/test-network-function/oct from 0.0.3 to 0.0.4 (#1632)

* Bump ubi8/ubi-minimal from 8.8-1072.1697626218 to 8.9-1029 (#1634)

Bumps ubi8/ubi-minimal from 8.8-1072.1697626218 to 8.9-1029.

---
updated-dependencies:
- dependency-name: ubi8/ubi-minimal
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump k8s.io/kubectl from 0.28.3 to 0.28.4 (#1636)

Bumps [k8s.io/kubectl](https://github.com/kubernetes/kubectl) from 0.28.3 to 0.28.4.
- [Commits](kubernetes/kubectl@v0.28.3...v0.28.4)

---
updated-dependencies:
- dependency-name: k8s.io/kubectl
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update RHCOS to OCP version map (#1641)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* Re-enable QE PR checks (#1640)

* enable collector's sanity check (#1606)

* enable collector's sanity check

* added tmate session for testing

* disable tmate session

* Fix catalog links (#1650)

* Prepare for v4.5.6 (#1651)

* Temp. disable collector sanity check (#1653)

* Bump github.com/mittwald/go-helm-client from 0.12.3 to 0.12.4 (#1652)

Bumps [github.com/mittwald/go-helm-client](https://github.com/mittwald/go-helm-client) from 0.12.3 to 0.12.4.
- [Release notes](https://github.com/mittwald/go-helm-client/releases)
- [Commits](mittwald/go-helm-client@v0.12.3...v0.12.4)

---
updated-dependencies:
- dependency-name: github.com/mittwald/go-helm-client
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/deckarep/golang-set/v2 from 2.3.1 to 2.4.0 (#1656)

Bumps [github.com/deckarep/golang-set/v2](https://github.com/deckarep/golang-set) from 2.3.1 to 2.4.0.
- [Release notes](https://github.com/deckarep/golang-set/releases)
- [Commits](deckarep/golang-set@v2.3.1...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/deckarep/golang-set/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update RHCOS to OCP version map (#1659)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* Update RHCOS to OCP version map (#1660)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* Update RHCOS to OCP version map (#1661)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* Bump github.com/operator-framework/api from 0.19.0 to 0.20.0 (#1657)

Bumps [github.com/operator-framework/api](https://github.com/operator-framework/api) from 0.19.0 to 0.20.0.
- [Release notes](https://github.com/operator-framework/api/releases)
- [Changelog](https://github.com/operator-framework/api/blob/master/RELEASE.md)
- [Commits](operator-framework/api@v0.19.0...v0.20.0)

---
updated-dependencies:
- dependency-name: github.com/operator-framework/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Gonzalo Reyero Ferreras <87083379+greyerof@users.noreply.github.com>

* Allow cluster role bindings for pods ultimately owned by a cluster wide operator (#1646)

* Recursively get top pod owners.
If top owner is a CSV installed cluster-wide, allow cluster role-bindings

* Addressing comments from Gonzalo

* Adding unit testing (comment from Brandon)

* Add-batch-cert-script (#1604)

* Script to batch check operators

* installing operators using tasty😋(https://github.com/karmab/tasty) instead of operator SDK

* Addressing comments from David R. and other fixes

* Update RHCOS to OCP version map (#1669)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* Bump github.com/onsi/ginkgo/v2 from 2.13.1 to 2.13.2 (#1671)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.1 to 2.13.2.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.13.1...v2.13.2)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add depends-on PRs action to qe-hosted workflow (#1677)

* Bump github.com/deckarep/golang-set/v2 from 2.4.0 to 2.5.0 (#1674)

Bumps [github.com/deckarep/golang-set/v2](https://github.com/deckarep/golang-set) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/deckarep/golang-set/releases)
- [Commits](deckarep/golang-set@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/deckarep/golang-set/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Gonzalo Reyero Ferreras <87083379+greyerof@users.noreply.github.com>

* Update RHCOS to OCP version map (#1678)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* Cherry pick 1-to-1 result struct change (#1675)

* Switch gradetool to latest image (main) (#1680)

* Increase QE timeout to 90 minutes (#1683)

* Update RHCOS to OCP version map (#1685)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* Fix copyright years (#1686)

* Prepare for v4.5.7 (#1682)

* Fix WG done call (#1688)

* Remove GPL commitment (#1689)

* Bump github.com/test-network-function/privileged-daemonset (#1695)

Bumps [github.com/test-network-function/privileged-daemonset](https://github.com/test-network-function/privileged-daemonset) from 1.0.15 to 1.0.16.
- [Release notes](https://github.com/test-network-function/privileged-daemonset/releases)
- [Commits](test-network-function/privileged-daemonset@v1.0.15...v1.0.16)

---
updated-dependencies:
- dependency-name: github.com/test-network-function/privileged-daemonset
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update Go to v1.21.5 (#1697)

* Bump actions/setup-go from 4 to 5 (#1700)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update RHCOS to OCP version map (#1705)

Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>

* The find command requires a directory as the first argument (#1709)

* Add operator versions (#1708)

* Add operator versions

* Fix the indentation

* extracts results.html from tar.gz and debug mode (#1706)

* extracts results.html from tar.gz and debug mode

* Addressing comment from David R.

* Updating Telco list (#1712)

* skip operator if claim file couldn't be parsed (#1714)

* skip operator if claim file couldn't be parsed
* addressing comments from David R.

* Bump github/codeql-action from 2 to 3 (#1722)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v2...v3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Enable QE nightlies for ginkgo_removal (#1723)

* Revert "Enable QE nightlies for ginkgo_removal (#1723)" (#1724)

This reverts commit 82d3442.

* Bump actions/upload-artifact from 3 to 4 (#1729)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Adjusted tags in versions.json.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Brandon Palm <bpalm@redhat.com>
Co-authored-by: David Rabkin <david@rabkin.co.il>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: sebrandon1 <sebrandon1@users.noreply.github.com>
Co-authored-by: jmontesi <100689165+jmontesi@users.noreply.github.com>
Co-authored-by: Shir Moran <101132224+shirmoran@users.noreply.github.com>
Co-authored-by: David Elie-Dit-Cosaque <86730676+edcdavid@users.noreply.github.com>
Co-authored-by: Banashri Mandal <bmandal@redhat.com>

3 participants