Move rbac up to CVO. Drop admin perms #210
Conversation
|
cc @bison |
openshift-ci-robot
added
the
size/L
| name: cluster-api-manager-role | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: default |
There was a problem hiding this comment.
Can we create a dedicated service account? It's not much more trouble, and it means random pods started in the namespace don't get elevated permissions.
| kind: ClusterRole | ||
| metadata: | ||
| creationTimestamp: null | ||
| name: cluster-api-manager-role |
There was a problem hiding this comment.
This is a nit, but I don't think these names should end in -role etc. You already know that by the type, and it looks weird in the console. I would just call this machine-api or something.
| - kind: ServiceAccount | ||
| name: default | ||
| namespace: openshift-machine-api | ||
| name: cluster-api-manager-rolebinding |
There was a problem hiding this comment.
Same nit on the name including the type here.
enxebre
force-pushed
the
rbac
branch
2 times, most recently
from
301b5c6 to
3c97b2c
Compare
enxebre
added
the
do-not-merge/hold
enxebre
force-pushed
the
rbac
branch
2 times, most recently
from
d917e5c to
c5dcc98
Compare
|
/retest |
|
Before this merges, we need to make sure we add a validation for draining in this repo and we add the required permissions e.g manipulating daemonSets openshift/cluster-api-provider-aws#158 otherwise this would break draining cc @ingvagabund |
|
/test e2e-aws-operator |
|
/test e2e-aws-operator |
|
Looking at the logs now perms list seems ok. I'll update for:
|
|
let's wait until I introduce new test for the draining |
|
/test e2e-aws-operator |
3 similar comments
|
/test e2e-aws-operator |
|
/test e2e-aws-operator |
|
/test e2e-aws-operator |
|
/test e2e-aws |
|
/retest |
|
/test e2e-aws |
1 similar comment
|
/test e2e-aws |
|
/test e2e-aws-operator |
|
/retest |
|
/retest |
enxebre
removed
the
do-not-merge/hold
|
/test e2e-aws |
|
/test e2e-aws-operator |
|
/retest |
5 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
@ingvagabund @bison @frobware let's get this in. I'll add a specific SA in a follow up |
|
The draining test seems orthogonal to the purpose of the PR (given the description). Can we move the test to a separate PR? |
|
@frobware The perms has been made granular including the new draining featured added in aws actuator. This needs to be merged in one go, otherwise there is room for breaking draining. That's why they have a different commit |
OK, thanks for the explanation. |
|
/approve Agree with Andrew that the node draining test should go into separate PR and merged first before this PR is. Though, given the current state of the CI I agree with Alberto it's better to keep it as it is. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ingvagabund The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
| var machineDeletedEvent *corev1.Event | ||
| for _, eventItem := range eventList.Items { | ||
| if eventItem.Reason == "Deleted" && eventItem.Message == fmt.Sprintf("Node %q drained", nodeName) { | ||
| nodeDrainedEvent = &eventItem |
There was a problem hiding this comment.
We're taking the address of the local loop variable here - is this intentional?
There was a problem hiding this comment.
It is not, it should be changed actually. Though, ExpectNodeToBeDrainedBeforeDeletingMachine was superseded by ExpectNodeToBeDrainedBeforeMachineIsDeleted so it can be deleted.
There was a problem hiding this comment.
Thanks! Seems ok since this is not storing appended values or similar
This is just bringing @ingvagabund draining tests from aws. To validate the new rbac does not break current coverage
Right after this we can merge #219
and openshift/cluster-api-actuator-pkg#28
And start rewriting the e2e suite there addressing this specific concern and others
I think the key point is if you ever had to revert this PR would you also want to revert the test. If the answer is "no" then they should be separate commits. |
| } | ||
| for _, nodeItem := range nodeList.Items { | ||
| if nodeItem.Name == nodeName { | ||
| node = &nodeItem |
There was a problem hiding this comment.
This takes the address of a local variable which seems Ok-ish here given we break. But it may be clearer and more future proof to use &nodeList.Items[i].
|
As long as we follow up and address the issues RSN... /lgtm |
|
/retest |
1 similar comment
|
/retest |
Update machine.Spec.ProviderID field
7 participants
Move rbac up to CVO. Drop admin perms