Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(profile-controller): propagate labels from CR to namespace #7481

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat(profile-controller): propagate labels from CR to namespace #7481

wants to merge 1 commit into from

Conversation

droctothorpe
Copy link

@droctothorpe droctothorpe commented Feb 22, 2024
edited
Loading

Resolves kubeflow/dashboard#51.

We noticed that there were no tests for the Reconcile function in profile_controller_test.go, otherwise we would have extended those tests to validate this specific scenario, even though it's just one line of code with very limited impact. We'd potentially be open, bandwidth permitting, to contributing broader tests for Reconcile down the road.

Confirmed working E2E on our clusters. Labels applied to profile CRs are propagated to the corresponding namespaces.

@google-cla Google CLA
Copy link

google-cla bot commented Feb 22, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@google-oss-prow Google OSS Prow
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign thesuperzapper for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@droctothorpe droctothorpe force-pushed the labels branch 2 times, most recently from 829655b to 116b665 Compare February 23, 2024 17:39
@droctothorpe @jsonmp-k8
@tarat44 @moorthy156
feat(profile-controller): propagate labels from CR to namespace
e2e8780 
Signed-off-by: droctothorpe <mythicalsunlight@gmail.com>
Co-authored-by: jsonmp-k8 <paul.jaison@gmail.com>
Co-authored-by: tarat44 <32471142+tarat44@users.noreply.github.com>
Co-authored-by: moorthy156 <narayanamoorthy.mari@gmail.com>
@droctothorpe
Copy link
Author

@thesuperzapper per the WG meeting, let me know if you think it makes more sense to add something like namespaceLabels to the profile CR spec. We tested to confirm that, at present, no labels are applied to profile CRs. The main advantage of this approach is that it's a much smaller lift since it doesn't require updating the CRD, but easy doesn't necessarily mean right.

@droctothorpe
Copy link
Author

Bump.

@thesuperzapper
Copy link
Member

I think this PR is a security issue for many users, holding for review.

/hold

@thesuperzapper thesuperzapper mentioned this pull request May 11, 2024
Open
@thesuperzapper thesuperzapper added this to the v1.9.1 milestone May 11, 2024
@thesuperzapper
Copy link
Member

I am really not sure how (or even if) we can do this safely without causing the following issues:

  1. We can't replicate the labels from the profile resource, because this will break GitOps apps like ArgoCD (which use labels to track resources)
  2. We can't add a new spec.namespaceLabels to the Profile CRD, because that might be a security risk, and allow users to arbitrarily label Namespaces to avoid some restrictions. (But I am more open to be convinced on this one).

@droctothorpe
Copy link
Author

Thanks, @thesuperzapper. Regarding (1), could I trouble you to clarify your concerns with the first option? Is the concern that if profiles are created used ArgoCD, the labels will be propagated to the namespace? Why would that be a problem? Regarding (2), in our use case, end users don't have permission to edit namespaces or profiles directly. It's hard to imagine a scenario where namespace CRUD access would be disabled but profile CRUD access would be enabled, except via the UI as a privileged service. In addition, what if we contributed this feature but disabled it by default and made it contingent on a specific env var being set (that can be configured via the chart)?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kimwnasptd kimwnasptd Awaiting requested review from kimwnasptd

@thesuperzapper thesuperzapper Awaiting requested review from thesuperzapper

Assignees
No one assigned
Labels
do-not-merge/hold size/XS
Projects
None yet
Milestone
v1.9.4
Development

Successfully merging this pull request may close these issues.

Propagate labels from profile custom resource to controller-generated namespace
2 participants
@droctothorpe @thesuperzapper