Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Add ClusterRoleBinding for instancetype:view ClusterRole #11025

Merged

Conversation

0xFelix
Copy link
Member

@0xFelix 0xFelix commented Jan 16, 2024

What this PR does / why we need it:

This adds a ClusterRolebinding which grants every authorized user read
access to VirtualMachineCluster{Instancetype,Preference} CRs.

This allows unprivileged users to make use of
VirtualMachineCluster{Instancetypes,Preferences} by default.

Also previously the wrong constant for ClusterInstancetypes was used instead, so fix that.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes https://issues.redhat.com/browse/CNV-36300

Special notes for your reviewer:

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

Release note:

Allow unprivileged users read-only access to VirtualMachineCluster{Instancetypes,Preferences} by default.

@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. size/M labels Jan 16, 2024
@0xFelix
Copy link
Member Author

0xFelix commented Jan 16, 2024

/cc @tiraboschi
/cc @xpivarc

@0xFelix
Copy link
Member Author

0xFelix commented Jan 17, 2024

/retest

@fabiand
Copy link
Member

fabiand commented Jan 18, 2024

@0xFelix please complete the checklist.

Why is this prefixed with "feat:" isn't it rather a fix to allow cluster ITs to be viewed?

@0xFelix
Copy link
Member Author

0xFelix commented Jan 18, 2024

IMO you could consider it both. Isn't it a feature to provide access to something which unprivileged users didn't have access to before by adding a new ClusterRoleBinding?

@fabiand
Copy link
Member

fabiand commented Jan 18, 2024

I'd say that one of the inheritn goals of having ITs on the cluster level is to make them available to all usres (privileged or not) in order to align on this set of ITs.

IOW ITs which can not be accessed by unprivileged users seem to be useless.

@0xFelix 0xFelix force-pushed the instancetype-view-cluster-role-binding branch from 03f79e6 to 0c096af Compare January 18, 2024 14:46
@0xFelix 0xFelix changed the title feat: Add ClusterRoleBinding for instancetype:view ClusterRole fix: Add ClusterRoleBinding for instancetype:view ClusterRole Jan 18, 2024
@0xFelix
Copy link
Member Author

0xFelix commented Jan 18, 2024

Let's consider it a fix then.

@kubevirt-bot kubevirt-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 19, 2024
Previously the wrong constant for ClusterInstancetypes was used instead.

Signed-off-by: Felix Matouschek <fmatouschek@redhat.com>
This adds a ClusterRolebinding which grants every authorized user read
access to VirtualMachineCluster{Instancetype,Preference} CRs.

This allows unprivileged users to make use of
VirtualMachineCluster{Instancetypes,Preferences} by default.

Signed-off-by: Felix Matouschek <fmatouschek@redhat.com>
@0xFelix 0xFelix force-pushed the instancetype-view-cluster-role-binding branch from 0c096af to 2d215db Compare January 19, 2024 08:52
@kubevirt-bot kubevirt-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 19, 2024
@0xFelix
Copy link
Member Author

0xFelix commented Jan 19, 2024

/retest

@@ -715,3 +720,33 @@ func newInstancetypeViewClusterRole() *rbacv1.ClusterRole {
},
}
}

func newInstancetypeViewClusterRoleBinding() *rbacv1.ClusterRoleBinding {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why don't you aggregate to the kubernetes view role like kubevirt.io:view does? This saves you from creating an additional binding.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because the aggregated kubevirt.io:view role is bound with a RoleBinding, which does not grant access to cluster wide resources.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See #10437 for reference

@acardace
Copy link
Member

/approve

@kubevirt-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: acardace

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 19, 2024
@0xFelix
Copy link
Member Author

0xFelix commented Jan 22, 2024

/cherry-pick release-1.1
/cherry-pick release-1.0

@kubevirt-bot
Copy link
Contributor

@0xFelix: once the present PR merges, I will cherry-pick it on top of release-1.1 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.1
/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@0xFelix
Copy link
Member Author

0xFelix commented Jan 22, 2024

/cherry-pick release-1.0

@kubevirt-bot
Copy link
Contributor

@0xFelix: once the present PR merges, I will cherry-pick it on top of release-1.0 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jcanocan
Copy link
Contributor

Nice job @0xFelix! Thanks a lot!
/lgtm

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 22, 2024
@kubevirt-commenter-bot
Copy link

Required labels detected, running phase 2 presubmits:
/test pull-kubevirt-e2e-k8s-1.27-ipv6-sig-network

@0xFelix
Copy link
Member Author

0xFelix commented Jan 22, 2024

/retest

1 similar comment
@0xFelix
Copy link
Member Author

0xFelix commented Jan 22, 2024

/retest

@kubevirt-bot
Copy link
Contributor

@0xFelix: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubevirt-e2e-k8s-1.29-sig-compute 2d215db link unknown /test pull-kubevirt-e2e-k8s-1.29-sig-compute
pull-kubevirt-e2e-k8s-1.27-sig-compute 2d215db link unknown /test pull-kubevirt-e2e-k8s-1.27-sig-compute

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@kubevirt-commenter-bot
Copy link

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@kubevirt-bot kubevirt-bot merged commit 2ad6146 into kubevirt:main Jan 23, 2024
35 of 37 checks passed
@kubevirt-bot
Copy link
Contributor

@0xFelix: #11025 failed to apply on top of branch "release-1.1":

Applying: fix: Use correct constant in ClusterPreference access test
Applying: fix: Add ClusterRoleBinding for instancetype:view ClusterRole
Using index info to reconstruct a base tree...
M	pkg/virt-operator/kubevirt_test.go
M	pkg/virt-operator/resource/generate/rbac/cluster.go
M	pkg/virt-operator/resource/generate/rbac/cluster_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/virt-operator/resource/generate/rbac/cluster_test.go
Auto-merging pkg/virt-operator/resource/generate/rbac/cluster.go
CONFLICT (content): Merge conflict in pkg/virt-operator/resource/generate/rbac/cluster.go
Auto-merging pkg/virt-operator/kubevirt_test.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 fix: Add ClusterRoleBinding for instancetype:view ClusterRole
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.1
/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kubevirt-bot
Copy link
Contributor

@0xFelix: #11025 failed to apply on top of branch "release-1.0":

Applying: fix: Use correct constant in ClusterPreference access test
Applying: fix: Add ClusterRoleBinding for instancetype:view ClusterRole
Using index info to reconstruct a base tree...
M	pkg/virt-operator/kubevirt_test.go
M	pkg/virt-operator/resource/generate/rbac/cluster.go
A	pkg/virt-operator/resource/generate/rbac/cluster_test.go
M	tests/access_test.go
Falling back to patching base and 3-way merge...
Auto-merging tests/access_test.go
CONFLICT (modify/delete): pkg/virt-operator/resource/generate/rbac/cluster_test.go deleted in HEAD and modified in fix: Add ClusterRoleBinding for instancetype:view ClusterRole. Version fix: Add ClusterRoleBinding for instancetype:view ClusterRole of pkg/virt-operator/resource/generate/rbac/cluster_test.go left in tree.
Auto-merging pkg/virt-operator/resource/generate/rbac/cluster.go
CONFLICT (content): Merge conflict in pkg/virt-operator/resource/generate/rbac/cluster.go
Auto-merging pkg/virt-operator/kubevirt_test.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 fix: Add ClusterRoleBinding for instancetype:view ClusterRole
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@lyarwood
Copy link
Member

/area instancetype

@0xFelix
Copy link
Member Author

0xFelix commented Jan 24, 2024

/cherry-pick release-1.1

@kubevirt-bot
Copy link
Contributor

@0xFelix: new pull request created: #11077

In response to this:

/cherry-pick release-1.1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/instancetype dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants