-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Delegate only needed roles to user in his namespace #355
Conversation
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.SshKeysConfigurator; | ||
import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPreferencesConfigurator; | ||
import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserProfileConfigurator; | ||
import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.*; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AFAIK we avoid wildcard imports.
namespace = create(name, client); | ||
create(name, client); | ||
} | ||
label(namespace, labels); | ||
annotate(namespace, annotations); | ||
label(client.namespaces().withName(name).get(), labels); | ||
annotate(client.namespaces().withName(name).get(), annotations); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it just refactoring? I'm not sure which benefits it provides e.g. client.namespaces().withName(name).get()
is called twice. I like the original version more
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To label and to annotation, we need a new fresh namespace object.
Otherwise adding annotation removes previously added labels.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry, for not following
I looked at the label method and it seems to merge the existing and new labels - https://github.com/eclipse-che/che-server/pull/355/files#diff-2e663cdd99b84ca2ecf99c9d2df6edc6f1036866f87a175a2a7d8ae05f9aad7bR196
Could you clarify how this change is relevant to the PR?
@@ -107,6 +101,7 @@ protected void configure() { | |||
|
|||
Multibinder<NamespaceConfigurator> namespaceConfigurators = | |||
Multibinder.newSetBinder(binder(), NamespaceConfigurator.class); | |||
namespaceConfigurators.addBinding().to(UserPermissionConfigurator.class); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wondering why this configurator was not applied before? from what I see it falls back on che.infra.kubernetes.user_cluster_roles
property. In the context of https://issues.redhat.com/browse/CRW-3328 it is not clear for me how this would help
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be honest I don't know as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so, do we really need this change? e.g. why would you like to bind this configurator as part of this PR?
OpenShiftClient openshiftClient = cheServerOpenshiftClientFactory.createOC(); | ||
create(projectName, openshiftClient); | ||
waitDefaultServiceAccount(projectName, openshiftClient); | ||
openshiftClient | ||
.roleBindings() | ||
.inNamespace(projectName) | ||
.createOrReplace( | ||
new RoleBindingBuilder() | ||
.withNewMetadata() | ||
.withName("admin") | ||
.endMetadata() | ||
.addToUserNames(osClient.currentUser().getMetadata().getName()) | ||
.withNewRoleRef() | ||
.withApiVersion("rbac.authorization.k8s.io") | ||
.withKind("RoleBinding") | ||
.withName("admin") | ||
.endRoleRef() | ||
.build()); | ||
} else { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like the main change relevant to the project creation and role provisioning, but I'm not sure if this what we would like to achieve. e.g. by design user gets admin permissions in the namespace and this should be just fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's legacy code.
Basically I make OpenShift Infrastructure project creation codebase similar to Kuberntes infrastructure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tolusha my understanding was that we would restrict CR creation via webhook - eclipse-che/che-operator#1517
This change looks risky for me, and changes the default behaviour where admin rights are provisioned to user by default
So I think both approach brings value although using a webhook is probably more effective and more urgent now so +1 to prioritize that. |
@ibuziuk why do you think that the changes in this PR are risky? Why do we require that the developer is an admin in his namespace? (this is a question I already got from customers) |
Because I do not know why admin was provided in the first place when namespaces are provisioned using the SA and what impact it could have on the user flow. Would be nice to get the review from @skabashnyuk @metlos @sparkoo |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not know why admin was provided in the first place when namespaces are provisioned using the SA and what impact it could have on the user flow.
I don't remember either That is quite an old piece of code.
In general, pr looks good to me.
I believe the reason |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, verified against crc, after the change user can not remove the *-che
project provisioned during the signup, the only suggestion would be to remove the wildcard imports.
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
Signed-off-by: Anatolii Bazko abazko@redhat.com
What does this PR do?
feat: Delegate only needed roles to user in his namespace
related che-operator PR: eclipse-che/che-operator#1532
Screenshot/screencast of this PR
N/A
What issues does this PR fix or reference?
eclipse-che/che#21695
How to test this PR?
chectl server:deploy --platform=openshift --cheimage docker.io/abazko/che-server:21695 --che-operator-image=docker.io/abazko/operator:21695
rolebindings
in a user namespace, it must contain only 2 rolebindings for the current user and it mustn't containadmin
ClusterRoleBindingPR Checklist
As the author of this Pull Request I made sure that:
What issues does this PR fix or reference
andHow to test this PR
completedReviewers
Reviewers, please comment how you tested the PR when approving it.