Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignore rules for aggregate ClusterRoles #529

Merged
merged 1 commit into from
Jun 8, 2022
Merged

Ignore rules for aggregate ClusterRoles #529

merged 1 commit into from
Jun 8, 2022

Conversation

scothis
Copy link
Contributor

@scothis scothis commented Jun 7, 2022

What this PR does / why we need it:

Aggregate ClusterRole have their rules filled in by the control plane at
runtime. There is no need for kapp to manage this field as it will only
create churn that the control plane has to then undo.

By adding a default rebase rule for ClusterRoles that have an
aggregationRule field set, we can ignore the rules on update.

Which issue(s) this PR fixes:

Fixes #

Does this PR introduce a user-facing change?

Ignore rules field for aggregate ClusterRole

Additional Notes for your reviewer:

Refs https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles

Review Checklist:
  • Follows the developer guidelines
  • Relevant tests are added or updated
  • Relevant docs in this repo added or updated
  • Relevant carvel.dev docs added or updated in a separate PR and there's
    a link to that PR
  • Code is at least as readable and maintainable as it was before this
    change

Additional documentation e.g., Proposal, usage docs, etc.:

@scothis
Ignore rules for aggregate ClusterRoles
ad72ef4 
Aggregate ClusterRole have their rules filled in by the control plane at
runtime. There is no need for kapp to manage this field as it will only
create churn that the control plane has to then undo.

By adding a default rebase rule for ClusterRoles that have an
aggregationRule field set, we can ignore the rules on update.

Refs https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles

Signed-off-by: Scott Andrews <andrewssc@vmware.com>
praveenrewar
praveenrewar approved these changes Jun 8, 2022
View reviewed changes
Copy link
Member

@praveenrewar praveenrewar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @scothis.
LGTM!

pkg/kapp/config/default.go
Comment on lines +189 to +190
emptyFieldMatcher:
path: [aggregationRule]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

@cppforlife cppforlife merged commit 23cc51e into carvel-dev:develop Jun 8, 2022
@scothis scothis deleted the aggregate-cluster-role-rules branch June 8, 2022 16:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@praveenrewar praveenrewar praveenrewar approved these changes

Assignees
No one assigned
Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@scothis @praveenrewar @cppforlife @vmwclabot