Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[che-operator] - serviceaccount permissions for <username>-che as default namespace #15493

Closed
sparkoo opened this issue Dec 16, 2019 · 2 comments
Closed

[che-operator] - serviceaccount permissions for <username>-che as default namespace #15493

sparkoo opened this issue Dec 16, 2019 · 2 comments
Assignees
@AndrienkoAleksandr
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system.
Milestone
7.26

Comments

@sparkoo
Copy link
Member

sparkoo commented Dec 16, 2019
edited
Loading

Is your enhancement related to a problem? Please describe.

There is an effort to make <username>-che as a default namespace for workspaces (#14795). This should be default option also for che-operator.

This would be quite easy task, but there is issue with permissions. To allow Che to create/use different namespaces for workspaces, than it's deployed to, it needs quite generous cluster-wide permissions. And for che-operator to be able to grant these permissions to che serviceaccount, it has to have this permissions as well. This is tricky as che-operator, to be fully flexible and support all namespace strategies, would have to have the widest permissions, even when it then uses for example OpenShift oAuth, where it does not need any extra permissions.

We have to take in account che-operator deployment with yamls, chectl and OperatorHub. The tricky bit is OperatorHub, where we don't have control how che-operator is deployed and we must choose some reasonable default.

We've came up with this list of permissions https://gist.github.com/sparkoo/624bbd1e10c88b8ad8719b93bc847920

Describe the solution you'd like

deploy che-operator with widest permissions listed here https://gist.github.com/sparkoo/624bbd1e10c88b8ad8719b93bc847920 and create che serviceaccount with limited permissions by given namespace strategy configuration.

We should document, what permissions are needed for chosen namespace strategy and how to remove unused permissions.

che-operator now creates che-workspace serviceaccount in che namespace. Che-server is responsible for this serviceaccount so we should not create it in che-operator. It just has to grant enough permissions to che-server to manage this sa.

Describe alternatives you've considered

  • don't use <username>-che as default with che-operator. This could be just documented.
  • deploy che-operator with widest permissions, but after CheCluster is deployed, reduce these permissions on itself (I don't know if this is possible. Even if it is, it might be very tricky to not break anything). This would lock the way back to higher-permission namespace strategy.

Additional context

#14795
#15300
che-dev mailing list thread: https://www.eclipse.org/lists/che-dev/msg03491.html
there is draft PR open for this: eclipse-che/che-operator#137
@sparkoo sparkoo added the kind/enhancement A feature request - must adhere to the feature request template. label Dec 16, 2019
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Dec 16, 2019
@sparkoo sparkoo mentioned this issue Dec 16, 2019
Closed
4 tasks
@sparkoo sparkoo added area/install Issues related to installation, including offline/air gap and initial setup area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator labels Dec 16, 2019
@ibuziuk ibuziuk added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Dec 16, 2019
@sparkoo sparkoo changed the title [che-operator] - <username>-che as default namespace [che-operator] - <username>-che as default namespace (+ sa permissions) Dec 17, 2019
@sparkoo sparkoo changed the title [che-operator] - <username>-che as default namespace (+ sa permissions) [che-operator] - serviceaccount permissions for <username>-che as default namespace Dec 17, 2019
@tolusha tolusha added this to the Backlog - Deploy milestone Dec 17, 2019
This was referenced Dec 17, 2019
Closed
Closed
@johnmcollier johnmcollier mentioned this issue Dec 17, 2019
Open
@tolusha tolusha mentioned this issue Dec 18, 2019
Closed
12 tasks
@tolusha tolusha mentioned this issue Jan 8, 2020
Closed
16 tasks
@tolusha tolusha added the status/in-progress This issue has been taken by an engineer and is under active development. label Jan 19, 2020
@AndrienkoAleksandr AndrienkoAleksandr mentioned this issue Jan 21, 2020
Closed
@AndrienkoAleksandr
Copy link
Contributor

Detected issue for minishift #15780

@AndrienkoAleksandr
Copy link
Contributor

Draft: che-incubator/chectl#469

@tolusha tolusha mentioned this issue Jan 27, 2020
Closed
35 tasks
@AndrienkoAleksandr AndrienkoAleksandr mentioned this issue Jan 27, 2020
Closed
4 tasks
@AndrienkoAleksandr AndrienkoAleksandr mentioned this issue Feb 5, 2020
Merged
4 tasks
@tolusha tolusha mentioned this issue Feb 17, 2020
Closed
46 tasks
@tolusha tolusha removed the status/in-progress This issue has been taken by an engineer and is under active development. label Feb 17, 2020
@tolusha tolusha removed this from the Backlog - Deploy milestone Feb 17, 2020
@tolusha tolusha added severity/P1 Has a major impact to usage or development of the system. and removed severity/P1 Has a major impact to usage or development of the system. labels Feb 17, 2020
@tolusha tolusha removed the area/install Issues related to installation, including offline/air gap and initial setup label Mar 4, 2020
@tolusha tolusha mentioned this issue Mar 5, 2020
Closed
45 tasks
@tolusha tolusha added this to the Backlog - Deploy milestone Mar 21, 2020
@tolusha tolusha mentioned this issue Mar 26, 2020
Closed
43 tasks
@tolusha tolusha removed this from the Backlog - Deploy milestone May 6, 2020
@asavin-cl asavin-cl mentioned this issue Aug 18, 2020
Closed
19 tasks
@sparkoo sparkoo mentioned this issue Nov 16, 2020
Closed
@tolusha tolusha added this to the 7.25 milestone Dec 16, 2020
@tolusha tolusha mentioned this issue Dec 24, 2020
Closed
79 tasks
@tolusha tolusha mentioned this issue Jan 4, 2021
Closed
9 tasks
@tolusha tolusha modified the milestones: 7.25, 7.26 Jan 13, 2021
@tolusha tolusha mentioned this issue Jan 15, 2021
Closed
54 tasks
@tolusha tolusha modified the milestones: 7.26, 7.27 Feb 2, 2021
@tolusha tolusha mentioned this issue Feb 5, 2021
Closed
57 tasks
@tolusha tolusha closed this as completed Feb 8, 2021
@tolusha tolusha modified the milestones: 7.27, 7.26 Feb 8, 2021
This was referenced Feb 8, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AndrienkoAleksandr AndrienkoAleksandr

Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system.
Projects
None yet
Milestone
7.26
Development

No branches or pull requests
6 participants
@l0rd @sparkoo @ibuziuk @tolusha @AndrienkoAleksandr @che-bot