Skip to content

Introduce addressable resolver aggregated cluster role#1013

Merged
knative-prow-robot merged 3 commits into
knative:masterfrom
devguyio:addressable-resolver
Apr 2, 2019
Merged

Introduce addressable resolver aggregated cluster role#1013
knative-prow-robot merged 3 commits into
knative:masterfrom
devguyio:addressable-resolver

Conversation

@devguyio
Copy link
Copy Markdown
Contributor

@devguyio devguyio commented Apr 1, 2019

Fixes #916

Proposed Changes

  • Add addressable-resolver aggregated cluster role
  • Add broker addressable cluster role
  • Add channel addressable cluster role

Release Note

Introduce a new aggreagted ClusterRole for Addressable.

@googlebot googlebot added the cla: yes Indicates the PR's author has signed the CLA. label Apr 1, 2019
@knative-prow-robot knative-prow-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 1, 2019
@devguyio
Copy link
Copy Markdown
Contributor Author

devguyio commented Apr 1, 2019

/assign @Harwayne

Harwayne
Harwayne reviewed Apr 1, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@Harwayne Harwayne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

I think we should add read permissons for K8s and Knative Services as well, as those tend to be the other things that need to be resolved.

@n3wscott
Copy link
Copy Markdown
Contributor

n3wscott commented Apr 1, 2019

Awesome!!

n3wscott
n3wscott reviewed Apr 1, 2019
View reviewed changes
Comment thread config/200-broker-addressable-clusterrole.yaml Outdated
n3wscott
n3wscott reviewed Apr 1, 2019
View reviewed changes
Comment thread config/200-addressable-resolver-clusterrole.yaml Outdated
n3wscott
n3wscott reviewed Apr 1, 2019
View reviewed changes
Comment thread config/200-channel-addressable-clusterrole.yaml Outdated
n3wscott
n3wscott reviewed Apr 1, 2019
View reviewed changes
Comment thread config/200-channel-addressable-clusterrole.yaml Outdated
@n3wscott
Copy link
Copy Markdown
Contributor

n3wscott commented Apr 1, 2019

I think eventing.knative.dev/addressable -> duck.knative.dev/addressable

@Harwayne what do you think?

@devguyio
Copy link
Copy Markdown
Contributor Author

devguyio commented Apr 1, 2019

@n3wscott I like duck.knative.dev/addressable more indeed. More generic, so not just eventing so can be used for non eventing addressable, and it conveys the addressable nature of being a duck typing interface.

vaikas
vaikas reviewed Apr 1, 2019
View reviewed changes
Comment thread config/200-broker-addressable-clusterrole.yaml Outdated
@Harwayne
Copy link
Copy Markdown
Contributor

Harwayne commented Apr 1, 2019

I missed Knative routes, which should also be included.

And we can remove part of 200-controller-clusterrole.yaml and add a binding for this new ClusterRole to eventing-controller in 201-clusterrolebinding.yaml.

@knative-prow-robot knative-prow-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 2, 2019
@devguyio devguyio force-pushed the addressable-resolver branch from 6263f09 to 20e174f Compare April 2, 2019 02:00
@knative-prow-robot knative-prow-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 2, 2019
@devguyio devguyio force-pushed the addressable-resolver branch 2 times, most recently from 0709563 to 38e69ef Compare April 2, 2019 02:02
@devguyio
Copy link
Copy Markdown
Contributor Author

devguyio commented Apr 2, 2019
edited
Loading

@Harwayne

I missed Knative routes, which should also be included.

Done

And we can remove part of 200-controller-clusterrole.yaml and add a binding for this new ClusterRole to eventing-controller in 201-clusterrolebinding.yaml.

After some thought I chose not to change the controller clusterrole defined in 200-controller-clusterrole.yaml since the addressable resolver ClusterRole is readonly , and basically this change would result in removing 3 lines for (kservices and routes), adding a whole new rolebinding AND have some overlapping rules between two role bindings for no real benefit :/ .

so I think for sake of simplicity and have all needed context in a single role, I think maybe it's better to keep it as it is.

@Harwayne
Copy link
Copy Markdown
Contributor

Harwayne commented Apr 2, 2019

After some thought I chose not to change the controller clusterrole defined in 200-controller-clusterrole.yaml since the addressable resolver ClusterRole is readonly , and basically this change would result in removing 3 lines for (kservices and routes), adding a whole new rolebinding AND have some overlapping rules between two role bindings for no real benefit :/ .

so I think for sake of simplicity and have all needed context in a single role, I think maybe it's better to keep it as it is.

My preference is the opposite. You're completely correct that it doesn't buy us much now, but I think it will be a great benefit in the medium term. I want all pieces that need to resolve Addressables to use the single aggregated role for that purpose. Then they can have their own unique roles for everything else they need. My reasoning is that the big benefit of the aggregated role is so that when new Addressable CRDs are created, then the existing infrastructure that needs to resolve them immediately gets the permission to do so, without needing to do any work.

For example, I create a new CRD named Foo that is Addressable and add a ClusterRole to read Foos that is aggregated into the aggregate ClusterRole. I then create a Subscription whose spec.subscriber.ref is a Foo.

In the current, single ClusterRoleBinding world, the Subscription controller can't process that Subscription, because it doesn't have permission to read Foos.

If instead, the Subscription controller had the aggregated ClusterRole, then it would work immediately, without needing to grant any new bindings.

@grantr grantr modified the milestone: v0.5.0 Apr 2, 2019
@knative-prow-robot knative-prow-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 2, 2019
Introduce addressable resolver aggregated cluster role
1db669f 
* Add addressable-resolver aggregated cluster role
* Add broker addressable cluster role
* Add channel addressable cluster role
@devguyio devguyio force-pushed the addressable-resolver branch from 72198c9 to 4cf7546 Compare April 2, 2019 20:28
@devguyio
Copy link
Copy Markdown
Contributor Author

devguyio commented Apr 2, 2019

@Harwayne done

Harwayne
Harwayne reviewed Apr 2, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@Harwayne Harwayne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@knative-prow-robot knative-prow-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 2, 2019
@Harwayne
Copy link
Copy Markdown
Contributor

Harwayne commented Apr 2, 2019

/approve

@knative-prow-robot
Copy link
Copy Markdown
Contributor

knative-prow-robot commented Apr 2, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Abd4llA, Harwayne

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow-robot knative-prow-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 2, 2019
@knative-prow-robot knative-prow-robot merged commit d817bf6 into knative:master Apr 2, 2019
creydr pushed a commit to creydr/knative-eventing that referenced this pull request Feb 5, 2025
@serverless-qe
Update dependabot configurations (knative#1013)
722f9a0 
Co-authored-by: serverless-qe <serverless-support@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evankanderson evankanderson Awaiting requested review from evankanderson

@matzew matzew Awaiting requested review from matzew

3 more reviewers

@Harwayne Harwayne Harwayne left review comments

@vaikas vaikas vaikas left review comments

@n3wscott n3wscott n3wscott left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@Harwayne Harwayne

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cla: yes Indicates the PR's author has signed the CLA. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Aggregated ClusterRole for Addressables

7 participants

@devguyio @n3wscott @Harwayne @knative-prow-robot @vaikas @grantr @googlebot