Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added rules to ClusterRole #1036

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

rbaturov
Copy link
Contributor

@rbaturov rbaturov commented Oct 7, 2024

We need to modify the ClusterRole to grant the required permissions for the manager pod to access the /metrics endpoint. This is essential for e2e testing, as we will run curl commands from within the manager container to interact with the endpoint.

This is needed to support:
https://issues.redhat.com/browse/CNF-10142

Copy link
Contributor

openshift-ci bot commented Oct 7, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rbaturov
Once this PR has been reviewed and has the lgtm label, please assign ffromani for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copy link
Collaborator

@Tal-or Tal-or left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see that we're consuming the auth_proxy_role.yaml

[titzhak@fedora numaresources-operator]$ grep -R auth_proxy_role.yaml
config/rbac/kustomization.yaml:#- auth_proxy_role.yaml

Anyway, if this file is supposed to be consumed only on testing environment I would make sure it deployed only there and not on production.

@@ -62,7 +62,7 @@ metadata:
}
]
capabilities: Basic Install
createdAt: "2024-09-25T14:08:22Z"
createdAt: "2024-10-07T12:09:23Z"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not needed. you may commit without this file

We need to modify the ClusterRole to grant the required permissions for the manager pod to access the /metrics endpoint. This is essential for e2e testing, as we will run curl commands from within the manager container to interact with the endpoint.

Signed-off-by: Ronny Baturov <[email protected]>
@rbaturov
Copy link
Contributor Author

rbaturov commented Oct 7, 2024

I don't see that we're consuming the auth_proxy_role.yaml

[titzhak@fedora numaresources-operator]$ grep -R auth_proxy_role.yaml
config/rbac/kustomization.yaml:#- auth_proxy_role.yaml

Anyway, if this file is supposed to be consumed only on testing environment I would make sure it deployed only there and not on production.

Thanks for the fast reply.
I decided to add this to the default cluster role that is used for the operator, rather than the proxy ClusterRole as this is a more correct approach.

@Tal-or
Copy link
Collaborator

Tal-or commented Oct 7, 2024

I don't see that we're consuming the auth_proxy_role.yaml

[titzhak@fedora numaresources-operator]$ grep -R auth_proxy_role.yaml
config/rbac/kustomization.yaml:#- auth_proxy_role.yaml

Anyway, if this file is supposed to be consumed only on testing environment I would make sure it deployed only there and not on production.

Thanks for the fast reply. I decided to add this to the default cluster role that is used for the operator, rather than the proxy ClusterRole as this is a more correct approach.

But you said it's being used only for e2e tests isn't it?

@rbaturov
Copy link
Contributor Author

rbaturov commented Oct 7, 2024

I don't see that we're consuming the auth_proxy_role.yaml

[titzhak@fedora numaresources-operator]$ grep -R auth_proxy_role.yaml
config/rbac/kustomization.yaml:#- auth_proxy_role.yaml

Anyway, if this file is supposed to be consumed only on testing environment I would make sure it deployed only there and not on production.

Thanks for the fast reply. I decided to add this to the default cluster role that is used for the operator, rather than the proxy ClusterRole as this is a more correct approach.

But you said it's being used only for e2e tests isn't it?

Yes you are right. now that I think of this, @ffromani what do you guys think if I'll just use the ClusterRole auth_proxy_client_clusterrole which does the same and add a clusterorlebinding for this under kind-ci and close this PR?

@Tal-or
Copy link
Collaborator

Tal-or commented Oct 7, 2024

This or you can add the specific content you need using MergePatch:
https://stackoverflow.com/questions/71496560/kustomize-using-strategic-merge-patch-on-helmreleases

@rbaturov
Copy link
Contributor Author

rbaturov commented Oct 8, 2024

This or you can add the specific content you need using MergePatch: https://stackoverflow.com/questions/71496560/kustomize-using-strategic-merge-patch-on-helmreleases
Sounds good to me.
@ffromani WDYT about this idea?

@ffromani
Copy link
Member

ffromani commented Oct 8, 2024

@rbaturov this is the only missing RBAC changeset to enable the testing per our offline discussion?

@rbaturov
Copy link
Contributor Author

rbaturov commented Oct 8, 2024

@rbaturov this is the only missing RBAC changeset to enable the testing per our offline discussion?

Yes, this is the only change needed to test the operator metrics endpoint for (manager container).
For RTE metrics endpoint, (which is a separate discussion) we need to think of a different resolution to allow the worker pod to access its endpoint. here are two ideas I have:

  1. Add and apply a clusterrole and clusterorlebinding solely for accessing endpoint in the metrics test iteself
  2. Alternatively, apply both (clusterrole and clusterorlebinding) by default in pkg/metrics/manifests/yaml

@ffromani
Copy link
Member

ffromani commented Oct 8, 2024

@rbaturov this is the only missing RBAC changeset to enable the testing per our offline discussion?

Yes, this is the only change needed to test the operator metrics endpoint for (manager container). For RTE metrics endpoint, (which is a separate discussion) we need to think of a different resolution to allow the worker pod to access its endpoint. here are two ideas I have:

1. Add and apply a `clusterrole` and `clusterorlebinding` solely for accessing endpoint  in the metrics test iteself

2. Alternatively, apply both (`clusterrole` and `clusterorlebinding`) by default in `pkg/metrics/manifests/yaml`

ok then this is good to go in main branch for everyone, not just for CI/testing. If upgrade is no bother (as I expect, honestly) than this change can also be backported.

@rbaturov
Copy link
Contributor Author

rbaturov commented Oct 8, 2024

@rbaturov this is the only missing RBAC changeset to enable the testing per our offline discussion?

Yes, this is the only change needed to test the operator metrics endpoint for (manager container). For RTE metrics endpoint, (which is a separate discussion) we need to think of a different resolution to allow the worker pod to access its endpoint. here are two ideas I have:

1. Add and apply a `clusterrole` and `clusterorlebinding` solely for accessing endpoint  in the metrics test iteself

2. Alternatively, apply both (`clusterrole` and `clusterorlebinding`) by default in `pkg/metrics/manifests/yaml`

ok then this is good to go in main branch for everyone, not just for CI/testing. If upgrade is no bother (as I expect, honestly) than this change can also be backported.

So can we merge this?

@rbaturov
Copy link
Contributor Author

/hold
If we already decide to enable this permission by default to the main branch, I think a better approach would be to add this to the auth_proxy_role.yaml instead. Since we consume the auth_proxy_role.yaml also on RTE (lin #1035), this means that also the RTE worker pods would have same permission, thus preparing infrastructure to run these tests without any additional adjustments.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 10, 2024
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 15, 2024
@openshift-merge-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Copy link
Contributor

openshift-ci bot commented Nov 7, 2024

@rbaturov: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ci-e2e-install-hypershift d078332 link true /test ci-e2e-install-hypershift
ci/prow/ci-index d078332 link true /test ci-index

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants