Move `retry` Pod deletions out of Server and into Controller for proper separation of duties #12538
Labels

area/controller: Controller issues, panics
area/retry-manual: Manual workflow "Retry" Action (API/CLI/UI). See retryStrategy for template-level retries
area/server
solution/suggested: A solution to the bug has been suggested. Someone needs to implement it.
type/feature: Feature request
type/security: Security related
Summary
Currently, the Server and Controller are architected and intended to be independent, with the Server not being strictly necessary for any operation. Most of the Server's functionality is a simple CRUD wrapper that a user could replicate themselves via `kubectl`. When the Server has to communicate with the Controller, it typically signals to it by adding a label to a Workflow.

This separation of duties is important to keep consistent and currently holds in all but one case: the `retry` operation has the Server delete the Pods of a Workflow, which is something the Controller should do instead. The Server also shouldn't need permission to delete Pods, as it currently has.

Use Cases
I (and then others) noticed this in #12105 (comment) and #12419 (comment), and we were pretty surprised when we saw this.
Removing this functionality from the Server will make it more secure by not holding `delete pods` permissions, which the Controller already has.

It will also make it possible to do a `retry` with just `kubectl` by adding a label to the Workflow CR, as is intended and as was thought possible per #12027 (comment).

Implementation details
`delete pods` permissions

Message from the maintainers:
Love this enhancement proposal? Give it a 👍. We prioritize the proposals with the most 👍.
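The security point of the proposal is an RBAC bound: after the change, the Server's role should grant no `delete` on Pods while the Controller's role keeps it. Below is a small audit in Go (the project's language) that checks a role's rules for that bound, handling the two cases a plain text search for "delete" gets wrong: wildcard (`*`) groups, resources or verbs, and sub-resource rules such as `pods/log` that must not count as `pods`. This is an added example, not code from the issue or from the Argo project; the `PolicyRule` type is a simplified copy of the Kubernetes RBAC v1 rule shape, and the `ServerRulesBefore`/`ServerRulesAfter` rule sets are constructed for illustration rather than copied from any Argo manifest.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a simplified copy of the fields of an rbac.authorization.k8s.io/v1
// PolicyRule that matter for this check (not the k8s.io/api type, so this file
// needs no Kubernetes dependency).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// matches reports whether want appears in entries, treating "*" as a wildcard
// the way the Kubernetes RBAC authorizer does.
func matches(entries []string, want string) bool {
	for _, e := range entries {
		if e == "*" || e == want {
			return true
		}
	}
	return false
}

// Grants reports whether any rule permits verb on resource in apiGroup
// (use "" for the core API group, where Pods live). Resource names must match
// exactly, so a rule on the sub-resource "pods/log" does not grant "pods".
func Grants(rules []PolicyRule, apiGroup, resource, verb string) bool {
	for _, r := range rules {
		if matches(r.APIGroups, apiGroup) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// ExcessiveVerbs returns, in order, the verbs from forbidden that the rules
// grant on resource. An empty result means the role stays within the bound.
func ExcessiveVerbs(rules []PolicyRule, apiGroup, resource string, forbidden []string) []string {
	var found []string
	for _, v := range forbidden {
		if Grants(rules, apiGroup, resource, v) {
			found = append(found, v)
		}
	}
	return found
}

// PodDeleteVerbs: the issue is about delete; deletecollection is included
// (my addition) because it removes Pods just the same.
var PodDeleteVerbs = []string{"delete", "deletecollection"}

// Constructed sample roles, not copied from any Argo manifest.
// ServerRulesBefore models a Server that can delete Pods itself (the situation
// the issue describes); ServerRulesAfter is the same role with that verb removed.
var ServerRulesBefore = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"pods", "pods/log"}, Verbs: []string{"get", "list", "watch", "delete"}},
	{APIGroups: []string{"argoproj.io"}, Resources: []string{"workflows"}, Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
}

var ServerRulesAfter = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"pods", "pods/log"}, Verbs: []string{"get", "list", "watch"}},
	{APIGroups: []string{"argoproj.io"}, Resources: []string{"workflows"}, Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
}

// WildcardRules shows why grepping for "delete" is not enough: a "*" verb
// grants delete without ever spelling it out.
var WildcardRules = []PolicyRule{
	{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}},
}

func main() {
	for name, rules := range map[string][]PolicyRule{
		"server-before": ServerRulesBefore,
		"server-after":  ServerRulesAfter,
		"wildcard":      WildcardRules,
	} {
		excess := ExcessiveVerbs(rules, "", "pods", PodDeleteVerbs)
		if len(excess) == 0 {
			fmt.Printf("%s: no delete verbs on pods\n", name)
		} else {
			fmt.Printf("%s: grants %s on pods\n", name, strings.Join(excess, ","))
		}
	}
}
```

On a live cluster the same question is answered by the API server itself, for example `kubectl auth can-i delete pods --as=system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT`, with the namespace and the Server's service account name filled in for your install; that check also covers bindings and aggregated roles that a static scan of one ClusterRole would miss.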