Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

separate SAs for controller/webhook deployment to allow for different permission sets #818

Merged
merged 1 commit into from
Nov 16, 2020
Merged

separate SAs for controller/webhook deployment to allow for different permission sets #818

merged 1 commit into from
Nov 16, 2020

Conversation

gabemontero
Copy link
Contributor

Fixes #807

Changes

See #807 (comment)

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes tests (if functionality changed/added)
  • Includes docs (if user facing)
  • Commit messages follow commit message best practices
  • Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Release Notes

NONE

/assign @dibyom

fyi - I have not tried this on a clean installed cluster yet ... will unhold after I do so

/hold

@tekton-robot tekton-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. release-note-none Denotes a PR that doesnt merit a release note. labels Oct 30, 2020
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 30, 2020
@gabemontero
Copy link
Contributor Author

/hold cancel

ok @dibyom I've confirmed these changes in a new cluster that did not previously have pipelines/triggers

interestingly again, my prior commit with this PR did not work as is ... I had to make additional changes

as we talked about last time, there definitely does seem to be a clean up issue, most likely I would think around *Role and *RoleBindings, since removing permissions does not seem to get reflected in the CI runs, which were clean on my first push

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 2, 2020
gabemontero
gabemontero commented Nov 2, 2020
View reviewed changes
config/200-role.yaml Outdated Show resolved Hide resolved
@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 2, 2020
@gabemontero
Copy link
Contributor Author

/hold cancel

ok @dibyom .... tested on a clean cluster with the right, non-overlapping set of role/rolebinding and clusterrole/clusterrolebinding

the high level jist:

  • clusterrole / clusterrolebinding to allow for reading configmaps, services, and events applied to both controller/webhook SAs to facilitate reconciler/controllers' watches
  • only the webhook can read secrets to facilitate the knative auto cert stuff
  • the trigger controller comes up fine without secrets, which lines up with my searches finding no access to secrets there ... only in the sink/EL, which has a different set of RBAC

I'm still curious about
a) how apparently RBAC seems to survive across e2e/pr runs
b) perhaps I am paranoid, but I half wonder if you should trying installing pipelines/triggers on a "clean cluster" in case the "flavor" of k8s you use has some unknown difference with mine

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 3, 2020
@dibyom
Copy link
Member

dibyom commented Nov 10, 2020

a) how apparently RBAC seems to survive across e2e/pr runs

Hmm, my best guess is that we clean up the namespace but maybe not cluster resources (like cluster roles?). Though I was under the impression that we used fresh clusters for each e2e test....would have to look into it

b) perhaps I am paranoid, but I half wonder if you should trying installing pipelines/triggers on a "clean cluster" in case the "flavor" of k8s you use has some unknown difference with mine

Sure, will try this out on my setup.

@dibyom
Copy link
Member

dibyom commented Nov 16, 2020

Tried it out on GKE. Works fine.

/lgtm
/approve

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 16, 2020
@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 16, 2020
@tekton-robot tekton-robot merged commit c4e57cd into tektoncd:master Nov 16, 2020
@gabemontero
Copy link
Contributor Author

Tried it out on GKE. Works fine.

/lgtm
/approve

thanks @dibyom

@gabemontero gabemontero deleted the issue807 branch November 16, 2020 17:26
@gabemontero gabemontero mentioned this pull request Feb 4, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bobcatfish bobcatfish Awaiting requested review from bobcatfish

@iancoffey iancoffey Awaiting requested review from iancoffey

Assignees

@dibyom dibyom

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesnt merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

separate SAs for controller/webhook deployment to allow for different permission sets
3 participants
@gabemontero @dibyom @tekton-robot