From 8225c4750d87926f4e5a72bfb5dc3650cb69f16d Mon Sep 17 00:00:00 2001
From: Jon Donovan
Date: Tue, 24 Mar 2020 18:08:42 -0700
Subject: [PATCH 1/3] Install from the manifest in a strict order. This order, Roles -> RoleBindings -> The Rest, prevents the operand from needing to structure their manifest such that this ordering exists, while allowing the Operator to use the bootstrapping mechanism described in https://github.com/knative/serving-operator/pull/291 to 'escalate' itself into management of the Knative Serving installation without a *** clusterrole.
---
 .../knativeserving_controller.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/pkg/reconciler/knativeserving/knativeserving_controller.go b/pkg/reconciler/knativeserving/knativeserving_controller.go
index e22f5234..e3b4d283 100644
--- a/pkg/reconciler/knativeserving/knativeserving_controller.go
+++ b/pkg/reconciler/knativeserving/knativeserving_controller.go
@@ -47,6 +47,11 @@ const (
 deletionChange = "deletion"
 )
 
+var (
+ role mf.Predicate = mf.Any(mf.ByKind("ClusterRole"), mf.ByKind("Role"))
+ rolebinding mf.Predicate = mf.Any(mf.ByKind("ClusterRoleBinding"), mf.ByKind("RoleBinding"))
+)
+
 // Reconciler implements controller.Reconciler for Knativeserving resources.
 type Reconciler struct {
 *reconciler.Base
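Review bot: The `role` and `rolebinding` predicates added before the Reconciler type match on Kind alone, so any object whose kind is Role, ClusterRole, RoleBinding or ClusterRoleBinding is pulled into the early install phases regardless of its API group. That is likely harmless for ordering, but the vars also carry no comment tying them to the install order; I would add `// role and rolebinding select the RBAC objects that install applies first, in that order.` above the block. If the manifest library offers a group-aware predicate, restricting the match to rbac.authorization.k8s.io would make the intent exact.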
@@ -191,7 +196,18 @@ func (r *Reconciler) initStatus(_ *mf.Manifest, instance *servingv1alpha1.Knativ
 // Apply the manifest resources
 func (r *Reconciler) install(manifest *mf.Manifest, instance *servingv1alpha1.KnativeServing) error {
 r.Logger.Debug("Installing manifest")
- if err := manifest.Apply(); err != nil {
+ // The Operator needs a higher level of permissions if it 'bind's non-existent roles.
+ // To avoid this, we strictly order the manifest application as (Cluster)Roles, then
+ // (Cluster)RoleBindings, then the rest of the manifest.
+ if err := manifest.Filter(role).Apply(); err != nil {
+ instance.Status.MarkInstallFailed(err.Error())
+ return err
+ }
+ if err := manifest.Filter(rolebinding).Apply(); err != nil {
+ instance.Status.MarkInstallFailed(err.Error())
+ return err
+ }
+ if err := manifest.Filter(mf.None(mf.Any(role, rolebinding))).Apply(); err != nil {
 instance.Status.MarkInstallFailed(err.Error())
 return err
 }
From 61284fbd6cfe2656c303d34b51713345766ec077 Mon Sep 17 00:00:00 2001
From: Jon Donovan
Date: Tue, 24 Mar 2020 18:12:11 -0700
Subject: [PATCH 2/3] Fixing golint
---
 pkg/reconciler/knativeserving/knativeserving_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/reconciler/knativeserving/knativeserving_controller.go b/pkg/reconciler/knativeserving/knativeserving_controller.go
index e3b4d283..a6a87f24 100644
--- a/pkg/reconciler/knativeserving/knativeserving_controller.go
+++ b/pkg/reconciler/knativeserving/knativeserving_controller.go
@@ -48,7 +48,7 @@ const (
 )
 
 var (
- role mf.Predicate = mf.Any(mf.ByKind("ClusterRole"), mf.ByKind("Role"))
+ role mf.Predicate = mf.Any(mf.ByKind("ClusterRole"), mf.ByKind("Role"))
 rolebinding mf.Predicate = mf.Any(mf.ByKind("ClusterRoleBinding"), mf.ByKind("RoleBinding"))
 )
 
From f4fa5fe59ee5b9fdb277a7aa1e76c9439b3645ea Mon Sep 17 00:00:00 2001
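Review bot: In install (PATCH 1/3) the three phases report failure identically, so a denied Role create, a denied RoleBinding create and a failure in the remaining resources cannot be told apart in the status. Prefixing the phase, e.g. `instance.Status.MarkInstallFailed("applying roles: " + err.Error())`, would surface an RBAC denial as such. The new comment would also be more useful if it named the rule being worked around, presumably the API server's escalation check on binding a role the caller does not already hold. It should also say that every (Cluster)Role and binding in the manifest is applied unfiltered, so the manifest's content bounds what the operator can end up granted. Where the manifest comes from is not visible here, and install's body continues past the hunk.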
From: Jon Donovan
Date: Wed, 25 Mar 2020 12:07:28 -0700
Subject: [PATCH 3/3] Just update the manifest as a final step.
---
 pkg/reconciler/knativeserving/knativeserving_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/reconciler/knativeserving/knativeserving_controller.go b/pkg/reconciler/knativeserving/knativeserving_controller.go
index a6a87f24..d9982e5b 100644
--- a/pkg/reconciler/knativeserving/knativeserving_controller.go
+++ b/pkg/reconciler/knativeserving/knativeserving_controller.go
@@ -207,7 +207,7 @@ func (r *Reconciler) install(manifest *mf.Manifest, instance *servingv1alpha1.Kn
 instance.Status.MarkInstallFailed(err.Error())
 return err
 }
- if err := manifest.Filter(mf.None(mf.Any(role, rolebinding))).Apply(); err != nil {
+ if err := manifest.Apply(); err != nil {
 instance.Status.MarkInstallFailed(err.Error())
 return err
 }
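Review bot: With the last step changed to `manifest.Apply()`, the comment that PATCH 1/3 placed above the first `Filter(role)` call ("then the rest of the manifest") no longer matches the code, and the Roles and RoleBindings are each applied a second time on every install. If the second pass is intended, as the title suggests, the comment should say so, e.g. `// (Cluster)RoleBindings, then the full manifest (which re-applies the RBAC objects).`. Whether a repeated Apply is a no-op for unchanged objects depends on the manifest library and is not visible in this hunk; the comment and the start of install both lie outside it.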