-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deploy: fix the owner reference kind to be rc #13996
Changes from all commits
714f56a
bb7c275
aa35b69
8ca79b0
f10dae7
a622059
6ddf8dc
4bd76cf
c3d4af7
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,106 @@ | ||
package bootstrappolicy | ||
|
||
import ( | ||
"strings" | ||
|
||
"github.com/golang/glog" | ||
|
||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
rbac "k8s.io/kubernetes/pkg/apis/rbac" | ||
) | ||
|
||
const saRolePrefix = "system:openshift:controller:" | ||
|
||
var ( | ||
// controllerRoles is a slice of roles used for controllers | ||
controllerRoles = []rbac.ClusterRole{} | ||
// controllerRoleBindings is a slice of roles used for controllers | ||
controllerRoleBindings = []rbac.ClusterRoleBinding{} | ||
) | ||
|
||
func addControllerRole(role rbac.ClusterRole) { | ||
if !strings.HasPrefix(role.Name, saRolePrefix) { | ||
glog.Fatalf(`role %q must start with %q`, role.Name, saRolePrefix) | ||
} | ||
|
||
for _, existingRole := range controllerRoles { | ||
if role.Name == existingRole.Name { | ||
glog.Fatalf("role %q was already registered", role.Name) | ||
} | ||
} | ||
|
||
if role.Annotations == nil { | ||
role.Annotations = map[string]string{} | ||
} | ||
role.Annotations[roleSystemOnly] = roleIsSystemOnly | ||
|
||
controllerRoles = append(controllerRoles, role) | ||
|
||
controllerRoleBindings = append(controllerRoleBindings, | ||
rbac.NewClusterBinding(role.Name).SAs(DefaultOpenShiftInfraNamespace, role.Name[len(saRolePrefix):]).BindingOrDie()) | ||
} | ||
|
||
func eventsRule() rbac.PolicyRule { | ||
return rbac.NewRule("create", "update", "patch").Groups(kapiGroup).Resources("events").RuleOrDie() | ||
} | ||
|
||
func init() { | ||
// build-controller | ||
addControllerRole(rbac.ClusterRole{ | ||
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraBuildControllerServiceAccountName}, | ||
Rules: []rbac.PolicyRule{ | ||
rbac.NewRule("get", "list", "watch", "update", "delete").Groups(buildGroup, legacyBuildGroup).Resources("builds").RuleOrDie(), | ||
rbac.NewRule("get").Groups(buildGroup, legacyBuildGroup).Resources("buildconfigs").RuleOrDie(), | ||
rbac.NewRule("create").Groups(buildGroup, legacyBuildGroup).Resources("builds/docker", "builds/source", "builds/custom", "builds/jenkinspipeline").RuleOrDie(), | ||
rbac.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams").RuleOrDie(), | ||
rbac.NewRule("get", "list", "create", "delete").Groups(kapiGroup).Resources("pods").RuleOrDie(), | ||
rbac.NewRule("get").Groups(kapiGroup).Resources("namespaces").RuleOrDie(), | ||
eventsRule(), | ||
}, | ||
}) | ||
|
||
// deployer-controller | ||
addControllerRole(rbac.ClusterRole{ | ||
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeployerControllerServiceAccountName}, | ||
Rules: []rbac.PolicyRule{ | ||
rbac.NewRule("create", "get", "list", "watch", "patch", "delete").Groups(kapiGroup).Resources("pods").RuleOrDie(), | ||
rbac.NewRule("get", "list", "watch", "update").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(), | ||
eventsRule(), | ||
}, | ||
}) | ||
|
||
// deploymentconfig-controller | ||
addControllerRole(rbac.ClusterRole{ | ||
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeploymentConfigControllerServiceAccountName}, | ||
Rules: []rbac.PolicyRule{ | ||
rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("pods").RuleOrDie(), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We can remove this rule and anything related to pods in the DC controller after #14046 is merged. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. sure, I will update this PR. |
||
rbac.NewRule("create", "get", "list", "watch", "update", "delete").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(), | ||
rbac.NewRule("update").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs/status").RuleOrDie(), | ||
rbac.NewRule("get", "list", "watch").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(), | ||
eventsRule(), | ||
}, | ||
}) | ||
|
||
// deployment-trigger-controller | ||
addControllerRole(rbac.ClusterRole{ | ||
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeploymentTriggerControllerServiceAccountName}, | ||
Rules: []rbac.PolicyRule{ | ||
rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We shouldn't need to list or watch RCs here, the only thing this controller needs is get. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. kcorelistersinternal.NewReplicationControllerLister(rcInformer.GetIndexer()) will this work only with get? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. List and watch are used by the informer but we have no use for the informer in the controller. We just GET rcs and compare their templates w/ the DC template. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I guess since we use the shared informer, we are bound to have list and watch for this controller? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. iow. when we run this as a standalone process in a pod, we will need these permissions to get the shared informer? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Yes. and I acknowledge that such a separation may be a long way off. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hard choice, both options have pros and cons. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. well given that this controller was on privileged loopback client before, I would leave this as it is for now? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, it's fine |
||
rbac.NewRule("get", "list", "watch").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(), | ||
rbac.NewRule("get", "list", "watch").Groups(imageGroup, legacyImageGroup).Resources("imagestreams").RuleOrDie(), | ||
|
||
rbac.NewRule("create").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs/instantiate").RuleOrDie(), | ||
eventsRule(), | ||
}, | ||
}) | ||
} | ||
|
||
// ControllerRoles returns the cluster roles used by controllers | ||
func ControllerRoles() []rbac.ClusterRole { | ||
return controllerRoles | ||
} | ||
|
||
// ControllerRoleBindings returns the role bindings used by controllers | ||
func ControllerRoleBindings() []rbac.ClusterRoleBinding { | ||
return controllerRoleBindings | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you find out why we have update and patch here? Is it event compaction?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@deads2k @sttts ? no clue, but we have that in other controllers...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@deads2k made a func for it so it must be useful ;-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it's still done client-side after all this time.