New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HOSTEDCP-1536: feat(install): expose hypershift-readers ClusterRole at install time #3913
base: main
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: andreadecorte The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
✅ Deploy Preview for hypershift-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
/retitle HOSTEDCP-1536: feat(install): expose hypershift-readers ClusterRole at install time |
@andreadecorte: This pull request references HOSTEDCP-1536 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Hey @andreadecorte 👋🏻 - looks like you are failing |
Today, hypershift install exposes a flag: ```--enable-admin-rbac-generation``` which creates ClusterRoles and ClusterRoleBinding for Hosted cluster admins and readers. We want to start using the hypershift-readers ClusterRole in ROSA HCP to replace the one currently deployed on the Management Clusters by OSDFM, as it was already agreed that this is better located in HO, as it is close to the resources and the logic. To do that, we need to: * add a new install flag ```--enable-reader-rbac-generation``` that creates only the hypershift-readers ClusterRole (as the binding will be handled elsewhere), to avoid creating useless resources that could impact the exposure * align the ClusterRole with what we have on OSDFM in terms of role aggregation and also add the missing HyperShift API group for certificates which where added recently in HyperShift The existing flag --enable-admin-rbac-generation is kept unchanged in case we want to deploy both personas including ClusterRoleBindings. Related: HOSTEDCP-1536
3539a54
to
1d448a2
Compare
thanks for the hint, fixed! |
/test verify |
/test e2e-kubevirt-aws-ovn |
@andreadecorte: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@@ -1495,27 +1498,36 @@ func (o HyperShiftReaderClusterRole) Build() *rbacv1.ClusterRole { | |||
}, | |||
ObjectMeta: metav1.ObjectMeta{ | |||
Name: "hypershift-readers", | |||
Labels: map[string]string{ | |||
"managed.openshift.io/aggregate-to-dedicated-readers": "true", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having the names of roles that are used in one deployment of HyperShift hard-coded here seems like the wrong choice - perhaps expose which roles this should aggregate into as an option for the install command.
@@ -62,6 +62,9 @@ var ( | |||
// privileged is used to set the container security | |||
// context to run container as unprivileged. | |||
privileged = false | |||
|
|||
// readOnlyVerbs are RBAC related verbs limited to read actions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure that this change is necessary, you could reduce your diff by leaving it out. It's not like we will be changing the list at any time (and therefore benefiting from having a slice for it).
What this PR does / why we need it:
Today, hypershift install exposes a flag:
--enable-admin-rbac-generation
which creates ClusterRoles and ClusterRoleBinding for Hosted cluster admins and readers.
We want to start using the hypershift-readers ClusterRole in ROSA HCP to replace the one currently deployed on the Management Clusters by OSDFM, as it was already agreed that this is better located in HO, as it is close to the resources and the logic.
To do that, we need to:
--enable-reader-rbac-generation
that creates only the hypershift-readers ClusterRole (as the binding will be handled elsewhere), to avoid creating useless resources that could impact the exposure
The existing flag --enable-admin-rbac-generation is kept unchanged in case we want to deploy both personas including ClusterRoleBindings.
Which issue(s) this PR fixes:
Fixes #HOSTEDCP-1536
Checklist