Support spec.devEnvironments.podSchedulerName in CR

api/v2/checluster_types.go

@@ -114,6 +114,10 @@ type CheClusterDevEnvironments struct {
 	// Container build configuration.
 	// +optional
 	ContainerBuildConfiguration *ContainerBuildConfiguration `json:"containerBuildConfiguration,omitempty"`
+	// Pod scheduler for the workspace pods.
+	// If not specified, the pod scheduler is set to the default scheduler on the cluster.
+	// +optional
+	PodSchedulerName string `json:"podSchedulerName,omitempty"`
 }
 
 // Che components configuration.

bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml

@@ -77,7 +77,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che.v7.57.0-729.next
+  name: eclipse-che.v7.57.0-730.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1241,7 +1241,7 @@ spec:
   minKubeVersion: 1.19.0
   provider:
     name: Eclipse Foundation
-  version: 7.57.0-729.next
+  version: 7.57.0-730.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml

@@ -6980,6 +6980,10 @@ spec:
                       description: The node selector limits the nodes that can run
                         the workspace pods.
                       type: object
+                    podSchedulerName:
+                      description: Pod scheduler for the workspace pods. If not specified,
+                        the pod scheduler is set to the default scheduler on the cluster.
+                      type: string
                     secondsOfInactivityBeforeIdling:
                       default: 1800
                       description: Idle timeout for workspaces in seconds. This timeout

bundle/stable/eclipse-che/manifests/org.eclipse.che_checlusters.yaml

@@ -6980,6 +6980,10 @@ spec:
                       description: The node selector limits the nodes that can run
                         the workspace pods.
                       type: object
+                    podSchedulerName:
+                      description: Pod scheduler for the workspace pods. If not specified,
+                        the pod scheduler is set to the default scheduler on the cluster.
+                      type: string
                     secondsOfInactivityBeforeIdling:
                       default: 1800
                       description: Idle timeout for workspaces in seconds. This timeout

config/crd/bases/org.eclipse.che_checlusters.yaml

@@ -6790,6 +6790,10 @@ spec:
                     description: The node selector limits the nodes that can run the
                       workspace pods.
                     type: object
+                  podSchedulerName:
+                    description: Pod scheduler for the workspace pods. If not specified,
+                      the pod scheduler is set to the default scheduler on the cluster.
+                    type: string
                   secondsOfInactivityBeforeIdling:
                     default: 1800
                     description: Idle timeout for workspaces in seconds. This timeout

deploy/deployment/kubernetes/combined.yaml

@@ -4590,6 +4590,9 @@ spec:
                       type: string
                     description: The node selector limits the nodes that can run the workspace pods.
                     type: object
+                  podSchedulerName:
+                    description: Pod scheduler for the workspace pods. If not specified, the pod scheduler is set to the default scheduler on the cluster.
+                    type: string
                   secondsOfInactivityBeforeIdling:
                     default: 1800
                     description: Idle timeout for workspaces in seconds. This timeout is the duration after which a workspace will be idled if there is no activity. To disable workspace idling due to inactivity, set this value to -1.

deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -4585,6 +4585,9 @@ spec:
                       type: string
                     description: The node selector limits the nodes that can run the workspace pods.
                     type: object
+                  podSchedulerName:
+                    description: Pod scheduler for the workspace pods. If not specified, the pod scheduler is set to the default scheduler on the cluster.
+                    type: string
                   secondsOfInactivityBeforeIdling:
                     default: 1800
                     description: Idle timeout for workspaces in seconds. This timeout is the duration after which a workspace will be idled if there is no activity. To disable workspace idling due to inactivity, set this value to -1.

deploy/deployment/openshift/combined.yaml

@@ -4590,6 +4590,9 @@ spec:
                       type: string
                     description: The node selector limits the nodes that can run the workspace pods.
                     type: object
+                  podSchedulerName:
+                    description: Pod scheduler for the workspace pods. If not specified, the pod scheduler is set to the default scheduler on the cluster.
+                    type: string
                   secondsOfInactivityBeforeIdling:
                     default: 1800
                     description: Idle timeout for workspaces in seconds. This timeout is the duration after which a workspace will be idled if there is no activity. To disable workspace idling due to inactivity, set this value to -1.

deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -4585,6 +4585,9 @@ spec:
                       type: string
                     description: The node selector limits the nodes that can run the workspace pods.
                     type: object
+                  podSchedulerName:
+                    description: Pod scheduler for the workspace pods. If not specified, the pod scheduler is set to the default scheduler on the cluster.
+                    type: string
                   secondsOfInactivityBeforeIdling:
                     default: 1800
                     description: Idle timeout for workspaces in seconds. This timeout is the duration after which a workspace will be idled if there is no activity. To disable workspace idling due to inactivity, set this value to -1.

go.mod

@@ -5,8 +5,8 @@ go 1.16
 require (
 	github.com/Shopify/logrus-bugsnag v0.0.0-00010101000000-000000000000 // indirect
 	github.com/che-incubator/kubernetes-image-puller-operator v0.0.0-20210929175054-0128446f5af7
-	github.com/devfile/api/v2 v2.0.0-20220414122024-32cae1f8e42c
-	github.com/devfile/devworkspace-operator v0.15.2
+	github.com/devfile/api/v2 v2.0.0-20220928161623-fe7c10eaa530
+	github.com/devfile/devworkspace-operator v0.17.0
 	github.com/go-logr/logr v0.4.0
 	github.com/golang/mock v1.5.0
 	github.com/google/go-cmp v0.5.6
@@ -388,7 +388,6 @@ replace (
 	k8s.io/klog/v2 => k8s.io/klog/v2 v2.8.0
 	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.0.0-20180912235703-14b8d2d93fcb
 	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20200923105717-7eba4cbaebdf
-	k8s.io/utils => k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 	kubernetes/klog => kubernetes/klog v1.0.0
 	modernc.org/b => modernc.org/b v1.0.0
 	modernc.org/db => modernc.org/db v1.0.0
@@ -460,3 +459,5 @@ replace (
 )
 
 replace github.com/docker/docker => github.com/moby/moby v0.7.3-0.20190826074503-38ab9da00309 // Required by Helm
+
+replace github.com/devfile/devworkspace-operator => github.com/dkwon17/devworkspace-operator v0.2.1-0.20221114184800-62aa6f1d7c01

go.sum

@@ -112,13 +112,13 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/daviddengcn/go-colortext v0.0.0-20160507010035-511bcaf42ccd/go.mod h1:dv4zxwHi5C/8AeI+4gX4dCWOIvNi7I6JCSX0HvlKPgE=
 github.com/deislabs/oras v0.8.1/go.mod h1:Mx0rMSbBNaNfY9hjpccEnxkOqJL6KGjtxNHPLC4G4As=
 github.com/denisenkom/go-mssqldb v0.0.0-20190204142019-df6d76eb9289/go.mod h1:xN/JuLBIz4bjkxNmByTiV1IbhfnYb6oo99phBn4Eqhc=
-github.com/devfile/api/v2 v2.0.0-20220414122024-32cae1f8e42c h1:yyidoxal8ngJWDxRuVZMNh4PBwqDIzOkTeOagtmRiy0=
-github.com/devfile/api/v2 v2.0.0-20220414122024-32cae1f8e42c/go.mod h1:kLX/nW93gigOHXK3NLeJL2fSS/sgEe+OHu8bo3aoOi4=
-github.com/devfile/devworkspace-operator v0.15.2 h1:CcLGHtuBOKdwpeYV8Iy7ZwUSgavcMbjuPA9ejupM7BE=
-github.com/devfile/devworkspace-operator v0.15.2/go.mod h1:fM3/GhPWEL8JZOEImCnpyxTYEf9dN6PsjzJq+ffcD1k=
+github.com/devfile/api/v2 v2.0.0-20220928161623-fe7c10eaa530 h1:pZvf4AZrf/ZwV2AwQnTInlUpns+Wj9JYtPRtBDiFHzk=
+github.com/devfile/api/v2 v2.0.0-20220928161623-fe7c10eaa530/go.mod h1:dN7xFrOVG+iPqn4UKGibXLd5oVsdE8XyK9OEb5JL3aI=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dhui/dktest v0.3.2/go.mod h1:l1/ib23a/CmxAe7yixtrYPc8Iy90Zy2udyaHINM5p58=
+github.com/dkwon17/devworkspace-operator v0.2.1-0.20221114184800-62aa6f1d7c01 h1:qK27w9VKhAXSBXLAvCt0LiS+Du79ijEp5Fs7bvkOU2I=
+github.com/dkwon17/devworkspace-operator v0.2.1-0.20221114184800-62aa6f1d7c01/go.mod h1:xLELAolfebwROqGSvOWhdC0eH7S+V7iVFzHxtm3Jf2A=
 github.com/docker/cli v0.0.0-20200130152716-5d0cf8839492 h1:FwssHbCDJD025h+BchanCwE1Q8fyMgqDr2mOQAWOLGw=
 github.com/docker/cli v0.0.0-20200130152716-5d0cf8839492/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
@@ -706,8 +706,10 @@ k8s.io/kube-openapi v0.0.0-20200923105717-7eba4cbaebdf h1:7RCqblb9HTvcWeOYwrt1SV
 k8s.io/kube-openapi v0.0.0-20200923105717-7eba4cbaebdf/go.mod h1:bfCVj+qXcEaE5SCvzBaqpOySr6tuCcpPKqF6HD8nyCw=
 k8s.io/kubectl v0.0.0-20201218185502-10b66c3fd14b/go.mod h1:2bE0JLYTRDVKDiTREFsjLAx4R2GvUtL/mGYFXfFFMzY=
 k8s.io/metrics v0.20.2/go.mod h1:yTck5nl5wt/lIeLcU6g0b8/AKJf2girwe0PQiaM4Mwk=
-k8s.io/utils v0.0.0-20201110183641-67b214c5f920 h1:CbnUZsM497iRC5QMVkHwyl8s2tB3g7yaSHkYPkpgelw=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20210111153108-fddb29f9d009/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20210722164352-7f3ee0f31471 h1:DnzUXII7sVg1FJ/4JX6YDRJfLNAC7idRatPwe07suiI=
+k8s.io/utils v0.0.0-20210722164352-7f3ee0f31471/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 modernc.org/b v1.0.0/go.mod h1:uZWcZfRj1BpYzfN9JTerzlNUnnPsV9O2ZA8JsRcubNg=
 modernc.org/db v1.0.0/go.mod h1:kYD/cO29L/29RM0hXYl4i3+Q5VojL31kTUVpVJDw0s8=
 modernc.org/file v1.0.0/go.mod h1:uqEokAEn1u6e+J45e54dsEA/pw4o7zLrA2GwyntZzjw=

helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -4585,6 +4585,9 @@ spec:
                       type: string
                     description: The node selector limits the nodes that can run the workspace pods.
                     type: object
+                  podSchedulerName:
+                    description: Pod scheduler for the workspace pods. If not specified, the pod scheduler is set to the default scheduler on the cluster.
+                    type: string
                   secondsOfInactivityBeforeIdling:
                     default: 1800
                     description: Idle timeout for workspaces in seconds. This timeout is the duration after which a workspace will be idled if there is no activity. To disable workspace idling due to inactivity, set this value to -1.

pkg/common/constants/constants.go

@@ -12,6 +12,11 @@
 
 package constants
 
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/pointer"
+)
+
 const (
 	// PostgresSQL
 	DefaultPostgresUser              = "pgche"
@@ -138,4 +143,14 @@ var (
 		"app":       "che",
 		"component": "che-gateway-config",
 	}
+
+	DefaultWorkspaceContainerSecurityContext = corev1.SecurityContext{
+		Capabilities: &corev1.Capabilities{
+			Add: []corev1.Capability{
+				"SETGID",
+				"SETUID",
+			},
+		},
+		AllowPrivilegeEscalation: pointer.BoolPtr(false),
+	}
 )

pkg/deploy/dev-workspace-config/dev_workspace_config.go

@@ -54,7 +54,7 @@ func (d *DevWorkspaceConfigReconciler) Reconcile(ctx *chetypes.DeployContext) (r
 	if dwoc.Config == nil {
 		dwoc.Config = &controllerv1alpha1.OperatorConfiguration{}
 	}
-	err := updateOperatorConfig(ctx.CheCluster.Spec.DevEnvironments.Storage, dwoc.Config)
+	err := updateOperatorConfig(ctx.CheCluster, dwoc.Config)
 	if err != nil {
 		return reconcile.Result{}, false, err
 	}
@@ -71,8 +71,9 @@ func (d *DevWorkspaceConfigReconciler) Finalize(ctx *chetypes.DeployContext) boo
 	return true
 }
 
-func updateOperatorConfig(storage chev2.WorkspaceStorage, operatorConfig *controllerv1alpha1.OperatorConfiguration) error {
+func updateOperatorConfig(cheCluster *chev2.CheCluster, operatorConfig *controllerv1alpha1.OperatorConfiguration) error {
 	var pvc *chev2.PVC
+	storage := cheCluster.Spec.DevEnvironments.Storage
 
 	pvcStrategy := utils.GetValue(storage.PvcStrategy, constants.DefaultPvcStorageStrategy)
 	switch pvcStrategy {
@@ -88,35 +89,43 @@ func updateOperatorConfig(storage chev2.WorkspaceStorage, operatorConfig *contro
 		}
 	}
 
-	if pvc != nil {
-		if operatorConfig.Workspace == nil {
-			operatorConfig.Workspace = &controllerv1alpha1.WorkspaceConfig{}
-		}
-		return updateWorkspaceConfig(pvc, pvcStrategy == constants.PerWorkspacePVCStorageStrategy, operatorConfig.Workspace)
+	if operatorConfig.Workspace == nil {
+		operatorConfig.Workspace = &controllerv1alpha1.WorkspaceConfig{}
 	}
-	return nil
-}
 
-func updateWorkspaceConfig(pvc *chev2.PVC, isPerWorkspacePVCStorageStrategy bool, workspaceConfig *controllerv1alpha1.WorkspaceConfig) error {
-	if pvc.StorageClass != "" {
-		workspaceConfig.StorageClassName = &pvc.StorageClass
-	}
+	return updateWorkspaceConfig(pvc, pvcStrategy == constants.PerWorkspacePVCStorageStrategy, cheCluster.IsContainerBuildCapabilitiesEnabled(), cheCluster.Spec.DevEnvironments.PodSchedulerName, operatorConfig.Workspace)
+}
 
-	if pvc.ClaimSize != "" {
-		if workspaceConfig.DefaultStorageSize == nil {
-			workspaceConfig.DefaultStorageSize = &controllerv1alpha1.StorageSizes{}
+func updateWorkspaceConfig(pvc *chev2.PVC, isPerWorkspacePVCStorageStrategy bool, enabledContainerBuildCapabilities bool, podSchedulerName string, workspaceConfig *controllerv1alpha1.WorkspaceConfig) error {
+	if pvc != nil {
+		if pvc.StorageClass != "" {
+			workspaceConfig.StorageClassName = &pvc.StorageClass
 		}
 
-		pvcSize, err := resource.ParseQuantity(pvc.ClaimSize)
-		if err != nil {
-			return err
+		if pvc.ClaimSize != "" {
+			if workspaceConfig.DefaultStorageSize == nil {
+				workspaceConfig.DefaultStorageSize = &controllerv1alpha1.StorageSizes{}
+			}
+
+			pvcSize, err := resource.ParseQuantity(pvc.ClaimSize)
+			if err != nil {
+				return err
+			}
+
+			if isPerWorkspacePVCStorageStrategy {
+				workspaceConfig.DefaultStorageSize.PerWorkspace = &pvcSize
+			} else {
+				workspaceConfig.DefaultStorageSize.Common = &pvcSize
+			}
 		}
+	}
 
-		if isPerWorkspacePVCStorageStrategy {
-			workspaceConfig.DefaultStorageSize.PerWorkspace = &pvcSize
-		} else {
-			workspaceConfig.DefaultStorageSize.Common = &pvcSize
-		}
+	workspaceConfig.ContainerSecurityContext = nil
+	if enabledContainerBuildCapabilities {
+		workspaceConfig.ContainerSecurityContext = constants.DefaultWorkspaceContainerSecurityContext.DeepCopy()
 	}
+
+	workspaceConfig.SchedulerName = podSchedulerName
+
 	return nil
 }