-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[issue#306] Add missing ClusterRoles #465
Conversation
The Jenkins job timed out 😞 |
There is a bug. It times out on the validation because all components are not operational. Here is the first error I found in the STO logs:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we're mucking about in here, I'd like to take the opportunity to try to narrow this scope as much as possible. It looks pretty good right now, but I think there are still a few things than can move from the cluster scope to the namespaced scope.
@@ -22,6 +22,7 @@ rules: | |||
- watch | |||
- update | |||
- patch | |||
- delete |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Noting that this should be transitional only and could be removed in a later version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was going to file an issue about this, but then I realized that if someone was somehow running STF 1.5.2 and moved to STF 1.5.4 they would need this.
Additionally, the latest changes I landed in 5d0210d will continually require the delete RBAC.
We could refine this though and break out the clusterroles
and clusterrolebindings
though to have the delete
resource only on the clusterrolebindings
. I'm also curious if we could further lock this down to just resources we manage and not all ClusterRoles and ClusterRoleBindings.
I am not going to do any of this at this point though, but I'm certainly interested about doing another RBAC focused review, and if we can make the scope even more restrictive and controlled for only objects we actually need to adjust and own.
Requesting final review prior to merge! |
ed7bc56
to
3d72920
Compare
CI timed out again. I think the Jenkins-based CI systems are just overwhelmed. |
3d72920
to
3f34a70
Compare
I'm skipping out on approving this since I landed a fair number of changes here, and it'd effectively be self-approving. Deferring to Chris and Victoria on this one, but I think we've all probably looked at this enough that if CI passes, landing it isn't going to be a problem for anyone. Thanks everyone for the patience and quick turn around on the reviews! |
The cluster-monitoring-operator is required for STF to install. It creates the required alertmanager-main and prometheus-k8s. ClusterRoles, and STF relies on these being present. These are not present when using CRC, so ClusterRoles need to be explicitly created. The names of the ClusterRoles have been updated, in case there is some conflict when cluster-monitoring-operator is installed after STF. This is a workaround for not having cluster-monitoring-operator installed: #306 resolves #306
Fix up the RBAC changes to fully get prometheus-stf working and decoupled from prometheus-k8s. Changes to using a separate prometheus-stf ClusterRole, ClusterRoleBinding, and ServiceAccount, along with a Role and RoleBinding, all using prometheus-stf as the ServiceAccount. Also updates the Alertmanager configuration to use alertmanager-stf instead of alertmanager-main.
* Refactor smoketest script Perform a bit of smoketest refactoring and fix up a few bugs. * Update alert trigger to use startsAt in order to potentially speed up delivery of the alerts. Failures in the SNMP_WEBHOOK_STATUS seems to be primarily to delayed alert notification through prometheus-snmp-webhook. * Add an alert clean up task as part of the clean up logic at the end. * Update openssl x509 to not use the -in flag which seems unnecessary and on some systems causes a failure. * Add new SMOKETEST_VERBOSE boolean so local testing can skip massive amounts of information dumped to stdout. * Remove curl pod using label selector for slightly cleaner output. * Update failure check to combine RET and SNMP_WEBHOOK_STATUS since testing seems to show changes are slightly more reliable. * Show logs from curl
As part of least priviledge work, remove the nodes/metrics permission as we're not scraping nodes for information. Everything appears to continue working in STF without this permission.
Working on simplifying and reducing our access scope as much as possible. It appears moving SCC RBAC from ClusterRole to Role allows things to continue to work with Prometheus. It's possible further testing may reveal this will need to reverted.
Convert alertmanager-stf Role to ClusterRole as the tokenreviews and subjectaccessreviews resources need to be accessable at the cluster scope.
* Create ClusterRoleBinding and Role for alertmanager Create appropriate ClusterRoleBinding and Role for alertmanager-stf, breaking out SCC into a Role vs ClusterRole to keep things in alignment to prometheus-stf RBAC setup. * Adjust smoketest.sh for SNMP webhook test failures Adjust the smoketest script to also fail when the SNMP webhook test has failed. Add a wait condition for the curl pod to complete so logs can be retrieved. * Add *RoleBinding rescue capabilities If changes happen to the ClusterRoleBinding or RoleBinding then generally the system is not going to allow you to patch the object. Adds block/rescue logic to remove the existing ClusterRoleBinding or RoleBinding before creating it when patching the object fails.
ed684b9
to
abe966b
Compare
LET'S GO!!!!!!! |
The cluster-monitoring-operator is required for STF to install. It creates the required alertmanager-main and prometheus-k8s. ClusterRoles, and STF relies on these being present. These are not present when using CRC, so ClusterRoles need to be explicitly created.
The names of the ClusterRoles have been updated, in case there is some conflict when cluster-monitoring-operator is installed after STF.
This is a workaround for not having cluster-monitoring-operator installed: #306
resolves #306