feat: Delegate only needed roles to user in his namespace

[tolusha]

Signed-off-by: Anatolii Bazko abazko@redhat.com

What does this PR do?

feat: Delegate only needed roles to user in his namespace
related che-operator PR: eclipse-che/che-operator#1532

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

eclipse-che/che#21695

How to test this PR?

1. Deploy Eclipse Che
   chectl server:deploy --platform=openshift --cheimage docker.io/abazko/che-server:21695 --che-operator-image=docker.io/abazko/operator:21695
2. Log into Eclipse Che
3. Check rolebindings in a user namespace, it must contain only 2 rolebindings for the current user and it mustn't contain admin ClusterRoleBinding

oc get rolebindings -n <USER_NAMESPACE> -o custom-columns=NAME:metadata.name,ROLE:roleRef.name,SUBJECT:subjects\[0\].name  | grep <USERNAME>
NAME                                                 ROLE                                                 SUBJECT
eclipse-che-cheworkspaces-clusterrole                eclipse-che-cheworkspaces-clusterrole                <USERNAME>
eclipse-che-cheworkspaces-devworkspace-clusterrole   eclipse-che-cheworkspaces-devworkspace-clusterrole   <USERNAME>
...

4. Create and start a workspace

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[vinokurig]

AFAIK we avoid wildcard imports.

[ibuziuk]

is it just refactoring? I'm not sure which benefits it provides e.g. client.namespaces().withName(name).get() is called twice. I like the original version more

[tolusha]

To label and to annotation, we need a new fresh namespace object.
Otherwise adding annotation removes previously added labels.

[ibuziuk]

sorry, for not following
I looked at the label method and it seems to merge the existing and new labels - https://github.com/eclipse-che/che-server/pull/355/files#diff-2e663cdd99b84ca2ecf99c9d2df6edc6f1036866f87a175a2a7d8ae05f9aad7bR196

Could you clarify how this change is relevant to the PR?

[ibuziuk]

wondering why this configurator was not applied before? from what I see it falls back on che.infra.kubernetes.user_cluster_roles property. In the context of https://issues.redhat.com/browse/CRW-3328 it is not clear for me how this would help

[tolusha]

To be honest I don't know as well.

[ibuziuk]

so, do we really need this change? e.g. why would you like to bind this configurator as part of this PR?

[ibuziuk]

This looks like the main change relevant to the project creation and role provisioning, but I'm not sure if this what we would like to achieve. e.g. by design user gets admin permissions in the namespace and this should be just fine.

[tolusha]

That's legacy code.
Basically I make OpenShift Infrastructure project creation codebase similar to Kuberntes infrastructure.

[ibuziuk]

@tolusha my understanding was that we would restrict CR creation via webhook - eclipse-che/che-operator#1517
This change looks risky for me, and changes the default behaviour where admin rights are provisioned to user by default

[l0rd]

• restricting the privileges of the developer to just what's needed to run a dev environment is good in general: admins are happy, developers are not affected.
• webhook are a more robust solution to the root problem we want to solve: no one, not even an admin, can create multiple CheClusters by mistake
• in the future we may get the request to support multiple CheClusters in the same cluster (i.e. one Che operator but multiple Che instances in one cluster) but that's not something we need to worry right now.

So I think both approach brings value although using a webhook is probably more effective and more urgent now so +1 to prioritize that.

[l0rd]

@ibuziuk why do you think that the changes in this PR are risky? Why do we require that the developer is an admin in his namespace? (this is a question I already got from customers)

[ibuziuk]

why do you think that the changes in this PR are risky?

Because I do not know why admin was provided in the first place when namespaces are provisioned using the SA and what impact it could have on the user flow. Would be nice to get the review from @skabashnyuk @metlos @sparkoo

[skabashnyuk]

I do not know why admin was provided in the first place when namespaces are provisioned using the SA and what impact it could have on the user flow.

I don't remember either That is quite an old piece of code.
In general, pr looks good to me.

[amisevsk]

I believe the reason admin was chosen for the binding was to reduce the differences between Kubernetes and OpenShift. On OpenShift, if a user uses oc new-project the namespace is created with a rolebinding to the admin clusterrole for that user. Using something different for Kubernetes would potentially introduce bugs (though it may be unlikely). The previous issue here was eclipse-che/che#21171 (which should likely be closed seeing as we're having the issue of users having too many permissions 🙂)

[ibuziuk]

LGTM, verified against crc, after the change user can not remove the *-che project provisioned during the signup, the only suggestion would be to remove the wildcard imports.