@nikhil-thomas
Member

Signed-off-by: Nikhil Thomas nikthoma@redhat.com

Changes

  • Rename rolebinding created by RBAC reconciler to
    'openshift-pipelines-edit' (was 'edit' earlier)

  • Add mechanism to ensure that missing RBAC resources are recreated if
    the RBAC installerSet is recreated during an upgrade.

    • this ensures that RBAC in the version label user
      namespaces are removed during an upgrade and the presence of RBAC
      resources are re-verified
  • Make TektonConfig reconciler listen to TektonInstallerSet events so
    that it can recreate RBAC InstallerSet if it is deleted manually from
    a cluster

  • Add a mechanism to remove ownerReference and 'pipeline' sa subject
    from 'edit' rolebinding in namespaces

    • This ensures that operator upgrades won't delete/reset 'edit'
      rolebinding in user namespaces.
    • This mechanism will delete the edit role binding if the only subject is pipeline serviceaccount.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

The name of the rolebinding which binds ClusterRole edit to the 'pipeline' ServiceAccount in user namespaces is now 'openshift-pipelines-edit' instead of 'edit'.
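
The cleanup rule for the legacy 'edit' rolebinding described in the PR description above, as an added example that is not the operator's own code. The types, `OwnerKinds` and `CleanLegacyEdit` are hypothetical; it assumes every ownerReference on a binding named 'edit' belongs to the operator and that the 'pipeline' subject carries the binding's own namespace.

```go
package main

import "fmt"

// Minimal stand-ins for the RoleBinding fields involved (hypothetical types,
// not the Kubernetes rbac/v1 structs).
type Subject struct{ Kind, Name, Namespace string }
type RoleBinding struct {
	Name, Namespace string
	OwnerKinds      []string // kinds of the ownerReferences on the object
	Subjects        []Subject
}

type Action string

// CleanLegacyEdit applies the cleanup described in the PR to one binding.
// Assumptions: every ownerReference on a binding named "edit" is the
// operator's, and "pipeline" means the ServiceAccount in the same namespace.
func CleanLegacyEdit(rb RoleBinding) (RoleBinding, Action) {
	if rb.Name != "edit" {
		return rb, "keep" // e.g. the new 'openshift-pipelines-edit' binding
	}
	kept := []Subject{}
	for _, s := range rb.Subjects {
		if s.Kind == "ServiceAccount" && s.Name == "pipeline" && s.Namespace == rb.Namespace {
			continue
		}
		kept = append(kept, s)
	}
	removed := len(rb.Subjects) - len(kept)
	switch {
	case removed > 0 && len(kept) == 0:
		return rb, "delete" // pipeline SA was the only subject
	case removed == 0 && len(rb.OwnerKinds) == 0:
		return rb, "keep" // nothing of the operator's is left on it
	}
	// Other subjects were added by users: keep their access, detach the operator.
	rb.Subjects, rb.OwnerKinds = kept, nil
	return rb, "update"
}

func main() {
	// Constructed sample: a legacy binding a user extended with their own subject.
	sa := Subject{"ServiceAccount", "pipeline", "team-a"}
	dev := Subject{"User", "dev@example.com", ""}
	out, act := CleanLegacyEdit(RoleBinding{"edit", "team-a", []string{"TektonInstallerSet"}, []Subject{sa, dev}})
	fmt.Println(act, out.Subjects, out.OwnerKinds)
}
```

The "update" branch is the one that matters for access review: user-added subjects keep ClusterRole edit, while the 'pipeline' ServiceAccount's grant moves to the separately named binding.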

@tekton-robot added the release-note label Feb 25, 2022
@tekton-robot added the size/L label Feb 25, 2022
@nikhil-thomas force-pushed the fix/rbac-management branch 2 times, most recently from 02595cf to 0d14f5e Feb 25, 2022 13:46
@nikhil-thomas
Member Author

/hold

@tekton-robot added the do-not-merge/hold label Feb 25, 2022
@nikhil-thomas
Member Author

/retest

@nikhil-thomas
Member Author

/retest

@nikhil-thomas force-pushed the fix/rbac-management branch 2 times, most recently from e49aabb to d9de7e5 March 2, 2022 13:34
@nikhil-thomas
Member Author

/hold cancel

@tekton-robot removed the do-not-merge/hold label Mar 2, 2022
@sm43
Member

sm43 commented Mar 4, 2022

/lgtm

@tekton-robot added the lgtm label Mar 4, 2022
@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot added the approved label Mar 4, 2022

- Rename rolebinding created by RBAC reconciler to
  'openshift-pipelines-edit' (was 'edit' earlier)

- Add mechanism to ensure that missing RBAC resources are recreated if
  the RBAC installerSet is recreated during an upgrade.
  - this ensures that RBAC in the version label in RBAC reconciled
    namespaces are removed during an upgrade and the presence of RBAC
    resources are verified

- Make TektonConfig reconciler listen to TektonInstallerSet events so
  that it can recreate RBAC InstallerSet if it is deleted manually from
  a cluster

- Add a mechanism to remove ownerReference and 'pipeline' sa subject
  from 'edit' rolebinding in namespaces
  - This ensures that operator upgrades won't delete/reset 'edit'
    rolebinding in user namespaces.

Signed-off-by: Nikhil Thomas <nikthoma@redhat.com>
@tekton-robot removed the lgtm label Mar 4, 2022
@tekton-robot
Contributor

New changes are detected. LGTM label has been removed.

@sm43 added the lgtm label Mar 4, 2022
@sm43
Member

sm43 commented Mar 4, 2022

/test pull-tekton-operator-integration-tests

@tekton-robot merged commit ad4a42d into tektoncd:main Mar 4, 2022