Improve SAR checks for Kubernetes components to make it easier to use CRs in DevWorkspaces #1083

Open
amisevsk opened this issue Apr 11, 2023 · 0 comments

Comments

@amisevsk
Collaborator

Description

When a DevWorkspace with Kubernetes/OpenShift components is created or edited, the DevWorkspace Operator performs SAR checks to verify that both the user editing the DevWorkspace and the controller service account can operate on the inlined component. For the controller's service account, the webhook server checks if the SA has "*" permissions for the object.

This is not a problem for usual components (pods, services, etc.) but makes specifying CRs inlined within DevWorkspaces difficult, as "*" is checked literally rather than "all verbs", so even if the DWO serviceaccount can create/update/delete/etc. the resource, it still fails this check.

We should investigate whether this can be improved, to make using CRs in DevWorkspaces work without additional configuration.

Additional context
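The literal `"*"` behaviour described in the issue, as an added example that is not part of the original issue or the DevWorkspace Operator's code: a simplified model of RBAC verb matching, in which a review requesting verb `"*"` is satisfied only by a rule that itself lists `"*"`. The `PolicyRule` type, the `example.com`/`widgets` resource and the per-verb `AllowedEach` check are assumptions made for illustration, the last shown for contrast and not as a fix the issue proposes.

```go
package main

import "fmt"

// PolicyRule is a simplified stand-in for an RBAC rule (hypothetical type).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// matches: an entry in the rule matches if it is "*" or equals the requested value.
func matches(have []string, want string) bool {
	for _, h := range have {
		if h == "*" || h == want {
			return true
		}
	}
	return false
}

// Allowed models the evaluation of one access review against a set of rules.
func Allowed(rules []PolicyRule, group, resource, verb string) bool {
	for _, r := range rules {
		if matches(r.APIGroups, group) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// AllowedEach reviews every needed verb separately instead of requesting "*".
func AllowedEach(rules []PolicyRule, group, resource string, verbs []string) bool {
	for _, v := range verbs {
		if !Allowed(rules, group, resource, v) {
			return false
		}
	}
	return true
}

// Constructed sample data: a custom resource and two ways of granting access to it.
var (
	needed   = []string{"get", "list", "watch", "create", "update", "patch", "delete"}
	explicit = []PolicyRule{{[]string{"example.com"}, []string{"widgets"}, needed}}
	wildcard = []PolicyRule{{[]string{"example.com"}, []string{"widgets"}, []string{"*"}}}
)

func main() {
	fmt.Println(Allowed(explicit, "example.com", "widgets", "*"))        // false
	fmt.Println(Allowed(wildcard, "example.com", "widgets", "*"))        // true
	fmt.Println(AllowedEach(explicit, "example.com", "widgets", needed)) // true
}
```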
