Bug 2091086: cli: don't insist on metal3 CRDs being present when cluster capabilities are None #26998
4e01590 to 3a4a875

/approve this is a valid change/thing we need to do. but @wking's comments should be addressed prior to lgtm
8a0d081 to 94f2262
When cluster version capabilities is set to None, the baremetal platform is disabled, and as such, the metal3 CRDs aren't present. Here, we load the cluster version CR, and only include the metal3 CRDs when the capabilities is set to anything other than None.
94f2262 to 6d1143a
@honza: The following tests failed, say
/retest-required
@honza: This pull request references Bugzilla bug 2091086, which is invalid:
/bugzilla refresh
@honza: This pull request references Bugzilla bug 2091086, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
wking
left a comment
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, honza, wking
@honza: All pull requests linked via external trackers have merged: Bugzilla bug 2091086 has been moved to the MODIFIED state.
… is enabled Like 6d1143a (cli: remove metal3 CRDs when capabilities are none, 2022-04-08, openshift#26998), but catching up to openshift/api@d905557541 (fix: rename operatorhub crd manifest file, 2022-04-12, openshift/api#1178) and operator-framework/operator-marketplace@eca17739ed (chore(modules): bump openshift/api for new operatorhub crd, 2022-05-02, operator-framework/operator-marketplace#472) dancing the OperatorHub CRD over to the marketplace operator, and making it part of the 'marketplace' cluster-version capability.
… capability
Clusters that disable the 'Console' capability are currently failing
this test-case [1]:
: [sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel] expand_less
Run #0: Failed expand_less 3s
{ fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:229]: Jan 3 13:43:14.134: test data for system:authenticated has too many unnecessary permissions:
{APIGroups:["console.openshift.io"], Resources:["consoleclidownloads"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleexternalloglinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolelinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolenotifications"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleplugins"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolequickstarts"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleyamlsamples"], Verbs:["get" "list" "watch"]}
{APIGroups:["helm.openshift.io"], Resources:["helmchartrepositories"], Verbs:["get" "list"]}
{APIGroups:["snapshot.storage.k8s.io"], Resources:["volumesnapshotclasses"], Verbs:["get" "list" "watch"]}
Ginkgo exit error 1: exit with code 1}
This commit uses the pattern that 6d1143a (cli: remove metal3 CRDs
when capabilities are none, 2022-04-08, openshift#26998) began using for CRDs
to only add the console-linked rules when Console is enabled.
[1]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ci-4.13-e2e-aws-sdn-no-capabilities/1610257913278894080
… capability
Clusters that disable the 'Console' capability are currently failing
this test-case [1]:
: [sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel] expand_less
Run #0: Failed expand_less 3s
{ fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:229]: Jan 3 13:43:14.134: test data for system:authenticated has too many unnecessary permissions:
{APIGroups:["console.openshift.io"], Resources:["consoleclidownloads"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleexternalloglinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolelinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolenotifications"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleplugins"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolequickstarts"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleyamlsamples"], Verbs:["get" "list" "watch"]}
{APIGroups:["helm.openshift.io"], Resources:["helmchartrepositories"], Verbs:["get" "list"]}
{APIGroups:["snapshot.storage.k8s.io"], Resources:["volumesnapshotclasses"], Verbs:["get" "list" "watch"]}
Ginkgo exit error 1: exit with code 1}
This commit uses the pattern that 6d1143a (cli: remove metal3 CRDs
when capabilities are none, 2022-04-08, openshift#26998) began using for CRDs
to only add the console-linked rules when Console is enabled.
It has also been around three years since bb09b26 (Add
system:authenticated exception for CRDs used by console for
extensions, 2019-06-21, openshift#23231)'s "eliminating this exception in the
near future", so I'm softening that to "may eventually". Extending
system:authenticated is still not a great pattern to follow, but it
may never be worth the time it would take the console team to build an
alternative mechanism.
[1]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ci-4.13-e2e-aws-sdn-no-capabilities/1610257913278894080
… capability
Clusters that disable the 'Console' capability are currently failing
this test-case [1]:
: [sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel] expand_less
Run #0: Failed expand_less 3s
{ fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:229]: Jan 3 13:43:14.134: test data for system:authenticated has too many unnecessary permissions:
{APIGroups:["console.openshift.io"], Resources:["consoleclidownloads"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleexternalloglinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolelinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolenotifications"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleplugins"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolequickstarts"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleyamlsamples"], Verbs:["get" "list" "watch"]}
{APIGroups:["helm.openshift.io"], Resources:["helmchartrepositories"], Verbs:["get" "list"]}
{APIGroups:["snapshot.storage.k8s.io"], Resources:["volumesnapshotclasses"], Verbs:["get" "list" "watch"]}
Ginkgo exit error 1: exit with code 1}
This commit uses the pattern that 6d1143a (cli: remove metal3 CRDs
when capabilities are none, 2022-04-08, openshift#26998) began using for CRDs
to only add the console-linked rules when Console is enabled, and to
only add the snapshot-linked rules when `CSISnapshot` is enabled.
It has also been around three years since bb09b26 (Add
system:authenticated exception for CRDs used by console for
extensions, 2019-06-21, openshift#23231)'s "eliminating this exception in the
near future", so I'm softening that to "may eventually". Extending
system:authenticated is still not a great pattern to follow, but it
may never be worth the time it would take the console team to build an
alternative mechanism.
[1]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ci-4.13-e2e-aws-sdn-no-capabilities/1610257913278894080
… capability
Clusters that disable the 'Console' capability are currently failing
this test-case [1]:
: [sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel] expand_less
Run #0: Failed expand_less 3s
{ fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:229]: Jan 3 13:43:14.134: test data for system:authenticated has too many unnecessary permissions:
{APIGroups:["console.openshift.io"], Resources:["consoleclidownloads"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleexternalloglinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolelinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolenotifications"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleplugins"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolequickstarts"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleyamlsamples"], Verbs:["get" "list" "watch"]}
{APIGroups:["helm.openshift.io"], Resources:["helmchartrepositories"], Verbs:["get" "list"]}
{APIGroups:["snapshot.storage.k8s.io"], Resources:["volumesnapshotclasses"], Verbs:["get" "list" "watch"]}
Ginkgo exit error 1: exit with code 1}
This commit uses the pattern that 6d1143a (cli: remove metal3 CRDs
when capabilities are none, 2022-04-08, openshift#26998) began using for CRDs
to only add the console-linked rules when Console is enabled, and to
only add the snapshot-linked rules when `CSISnapshot` is enabled.
MicroShift won't have a ClusterVersion custom resource definition, but
the test is already failing there [2], so this pivot doesn't break
them any worse. Once they have a plan for how they would like to
handle it, they can come back and make those changes in follow-up
work.
It has also been around three years since bb09b26 (Add
system:authenticated exception for CRDs used by console for
extensions, 2019-06-21, openshift#23231)'s "eliminating this exception in the
near future", so I'm softening that to "may eventually". Extending
system:authenticated is still not a great pattern to follow, but it
may never be worth the time it would take the console team to build an
alternative mechanism.
[1]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ci-4.13-e2e-aws-sdn-no-capabilities/1610257913278894080
[2]: openshift#27681 (comment)
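
The capability gating these commit messages describe, as an added Go sketch that is not code from openshift/origin: the test data for system:authenticated gains the console-linked and snapshot-linked rules only when the matching capability is enabled, so a cluster with capabilities disabled no longer reports "unnecessary permissions". `Rule`, `gatedRules`, `ExpectedRules` and `Unnecessary` are hypothetical names, the base rule is a constructed sample, rules are compared by exact match instead of RBAC coverage, and the `enabled` list stands in for what the test reads from the ClusterVersion resource.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified stand-in for an RBAC policy rule (one resource per rule).
type Rule struct {
	APIGroup, Resource string
	Verbs              []string
}

func (r Rule) key() string {
	return r.APIGroup + "/" + r.Resource + ":" + strings.Join(r.Verbs, ",")
}

// gatedRules: rules expected only while the named capability is enabled (subset of the failure output).
var gatedRules = map[string][]Rule{
	"Console": {
		{"console.openshift.io", "consolelinks", []string{"get", "list", "watch"}},
		{"console.openshift.io", "consoleplugins", []string{"get", "list", "watch"}},
	},
	"CSISnapshot": {
		{"snapshot.storage.k8s.io", "volumesnapshotclasses", []string{"get", "list", "watch"}},
	},
}

// ExpectedRules builds the test data: base rules plus the rules of each enabled capability.
func ExpectedRules(base []Rule, enabled []string) []Rule {
	out := append([]Rule(nil), base...)
	for _, c := range enabled {
		out = append(out, gatedRules[c]...)
	}
	return out
}

// Unnecessary returns test-data rules the cluster does not grant, the condition the test fails on.
func Unnecessary(testData, granted []Rule) []Rule {
	have := map[string]bool{}
	for _, r := range granted {
		have[r.key()] = true
	}
	var extra []Rule
	for _, r := range testData {
		if !have[r.key()] {
			extra = append(extra, r)
		}
	}
	return extra
}

func main() {
	base := []Rule{{"authorization.k8s.io", "selfsubjectaccessreviews", []string{"create"}}} // constructed sample
	all := []string{"Console", "CSISnapshot"}
	// A cluster with both capabilities disabled grants only the base rules.
	fmt.Println("ungated test data:", len(Unnecessary(ExpectedRules(base, all), base)))
	fmt.Println("gated test data:  ", len(Unnecessary(ExpectedRules(base, nil), base)))
}
```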
When cluster version capabilities is set to None, the baremetal platform
is disabled, and as such, the metal3 CRDs aren't present. Here, we load
the cluster version CR, and only include the metal3 CRDs when the
capabilities is set to anything other than None.
The error in CI is: