[che-operator] - serviceaccount permissions for <username>-che as default namespace #15493
Labels
area/che-operator
Issues and PRs related to Eclipse Che Kubernetes Operator
kind/enhancement
A feature request - must adhere to the feature request template.
severity/P1
Has a major impact to usage or development of the system.
Timeline
Dec 16, 2019: sparkoo added the kind/enhancement label.
Dec 16, 2019: che-bot added the status/need-triage label (an issue that needs to be prioritized by the curator responsible for the triage).
Dec 16, 2019: sparkoo added the area/install (issues related to installation, including offline/air gap and initial setup) and area/che-operator labels.
Dec 16, 2019: ibuziuk added the severity/P1 label and removed the status/need-triage label.
Dec 17, 2019: sparkoo changed the title from "[che-operator] - <username>-che as default namespace" to "[che-operator] - <username>-che as default namespace (+ sa permissions)".
Dec 17, 2019: sparkoo changed the title from "[che-operator] - <username>-che as default namespace (+ sa permissions)" to "[che-operator] - serviceaccount permissions for <username>-che as default namespace".
This was referenced Dec 17, 2019.
Jan 19, 2020: tolusha added the status/in-progress label (this issue has been taken by an engineer and is under active development).
Referenced: Detected issue for minishift #15780; Draft: che-incubator/chectl#469.
Feb 17, 2020: tolusha removed the status/in-progress label.
Feb 17, 2020: tolusha added the severity/P1 label and removed the severity/P1 label.
Mar 4, 2020: tolusha removed the area/install label.
Closed.
This was referenced Feb 8, 2021.
Is your enhancement related to a problem? Please describe.
There is an effort to make <username>-che the default namespace for workspaces (#14795). This should be the default option also for che-operator. This would be a quite easy task, but there is an issue with permissions. To allow Che to create/use different namespaces for workspaces than the one it's deployed to, it needs quite generous cluster-wide permissions. And for che-operator to be able to grant these permissions to the che serviceaccount, it has to have these permissions as well. This is tricky as che-operator, to be fully flexible and support all namespace strategies, would have to have the widest permissions, even when it then uses for example OpenShift oAuth, where it does not need any extra permissions. We have to take into account che-operator deployment with yamls, chectl and OperatorHub. The tricky bit is OperatorHub, where we don't have control over how che-operator is deployed and we must choose some reasonable default.
We've come up with this list of permissions: https://gist.github.com/sparkoo/624bbd1e10c88b8ad8719b93bc847920

Describe the solution you'd like
Deploy che-operator with the widest permissions listed here https://gist.github.com/sparkoo/624bbd1e10c88b8ad8719b93bc847920 and create the che serviceaccount with limited permissions according to the given namespace strategy configuration. We should document what permissions are needed for the chosen namespace strategy and how to remove unused permissions.
che-operator now creates the che-workspace serviceaccount in the che namespace. Che-server is responsible for this serviceaccount, so we should not create it in che-operator. It just has to grant enough permissions to che-server to manage this sa.

Describe alternatives you've considered
<username>-che as default with che-operator. This could be just documented.

Additional context
#14795
#15300
che-dev mailing list thread: https://www.eclipse.org/lists/che-dev/msg03491.html
There is a draft PR open for this: eclipse-che/che-operator#137
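The constraint the description relies on (che-operator can only hand the che serviceaccount permissions it already holds itself, because the Kubernetes API server refuses RBAC grants that would escalate the granter's own rights) can be checked before deploying. The script below is an added example, not che-operator's code; the operator and per-strategy rule sets are constructed placeholders, not the permission list from the linked gist.

```python
from itertools import product

# Simplified model of the Kubernetes RBAC escalation-prevention check: a subject
# may only grant permissions it already holds (unless it has escalate/bind on
# roles), so che-operator must hold the widest set it could ever hand to `che`.
# Added example, not che-operator code; rule sets are constructed placeholders.
WILDCARD = "*"

def expand(rule):
    """PolicyRule-style dict -> set of (apiGroup, resource, verb) tuples."""
    return set(product(rule.get("apiGroups", [""]), rule["resources"], rule["verbs"]))

def matches(held, wanted):
    """A held tuple covers a wanted one if each field is equal or a wildcard."""
    return all(h == WILDCARD or h == w for h, w in zip(held, wanted))

def uncovered(held_rules, wanted_rules):
    """Wanted permissions no held rule covers; empty means the grant would succeed."""
    held = set().union(*map(expand, held_rules))
    return sorted(want for rule in wanted_rules for want in expand(rule)
                  if not any(matches(h, want) for h in held))

# Constructed ClusterRole for che-operator (placeholder, not the gist's list).
CHE_OPERATOR_RULES = [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "create"]},
    {"apiGroups": [""], "resources": ["pods", "services", "persistentvolumeclaims"],
     "verbs": [WILDCARD]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"],
     "verbs": ["get", "create", "update"]},
]

# What the `che` serviceaccount needs per namespace strategy (constructed).
WORKSPACE_VERBS = ["get", "list", "create", "delete"]
STRATEGY_RULES = {
    # workspaces live in the che namespace itself: no namespace management needed
    "single-namespace": [
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": WORKSPACE_VERBS},
    ],
    # <username>-che: che must create namespaces and a che-workspace serviceaccount in each
    "per-user-namespace": [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "create"]},
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": WORKSPACE_VERBS},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["create"]},
    ],
}

def missing_for_strategy(strategy, operator_rules=CHE_OPERATOR_RULES):
    """Permissions che-operator could not grant `che` for the chosen strategy."""
    return uncovered(operator_rules, STRATEGY_RULES[strategy])
```

Against a live cluster the equivalent per-verb check is `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:che`, which shows what the che serviceaccount actually ended up with after the operator's grant.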