Re: [che-dev] extra cluster-wide permissions for che-operator to support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [che-dev] extra cluster-wide permissions for che-operator to support `<username>-che` namespace

From: Michal Vala <mvala@xxxxxxxxxx>
Date: Mon, 16 Dec 2019 12:53:39 +0100
Delivered-to: che-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/che-dev>
List-help: <mailto:che-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/che-dev>, <mailto:che-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/che-dev>, <mailto:che-dev-request@eclipse.org?subject=unsubscribe>

I've updated list of permissions[1] to match kubernetes needs. In addition to OpenShift, we need permissions to namespaces and ingresses. On the other hand, we don't need OpenShift permissions for routes and projects, but I don't think it makes much sense to split the roles. With listed ClusterRoles, we should be ok for both Kubernetes and OpenShift.

[1] - https://gist.github.com/sparkoo/624bbd1e10c88b8ad8719b93bc847920

On Wed, Dec 11, 2019 at 3:17 PM Michal Vala <mvala@xxxxxxxxxx> wrote:

Hello team,

working on "Support workspace namespace configuration in che-operator"[0], we've hit an issue with permissions for `che-operator` and `che` serviceaccounts (sa).

TLDR: we want to use `<username>-che` [1] as default namespace for workspaces. For that, we need che-operator to have these extra cluster-wide permissions [2] to be able to grant it to `che` sa, even if we might not actually need it.

Longer version

Current state
We have 4 namespace scenarios we need to support:
1] all in one namespace
2] use pre-created namespaces for workspaces
3] create new namespaces
4] use OpenShift oauth (we can further split this scenario, but as we delegate permissions to openshift user, we don't need to deal with any sa or permissions from che-operator)

Currently, che-operator default deployment support 1] and 4] and it sets default namespace for workspaces to same namespace as it is deployed.

Desired state
We want to have `<username>-che` as default namespace for workspaces[1] and che server should be able to create that namespace. This should be default deployment for che-operator and thus must work out of the box, including installation from OperatorHub or with chectl.
(please correct me if I'm wrong)

Issue
To allow che server to create and use different namespaces, we need to grant `che` sa extra cluster-wide permissions[2]. In che-operator, we can decide what permissions grant to `che` sa, because we have CheCluster CR. HOWEVER, to allow che-operator grant permissions to `che` sa, `che-operator` sa has to have these permissions as well. This is the issue, because in che-operator deployment time, we don't know what namespace scenario will be used. If we want `<username>-che` as default, we need all listed permissions for che-operator as default. Even if then we deploy CR with for example oauth, so we end-up with `che-operator` sa with a lot of permissions that we don't actually need.

So what are our options? (with little comments)
- Grant all listed permissions to che-operator by default and grant needed permissions to `che` sa by namespace set in CR. We can then document how to remove unnecessary permissions for used namespace scenario.
- che-operator will support all scenarios, but we need all these permissions only for scenario 3]
- Don't grant any cluster-wide permissions to che-operator, keep all in one namespace by default and document what is needed for another scenarios.
- to achieve `<username>-che`, extra manual steps are needed.
- Don't grant any cluster-wide permissions to che-operator, have `<username>-che` as default and document the extra manual steps needed + good error message in che-operator.
- does not work out of the box, but allow admin to tune up the permissions and strategy as needed.
- Grant all listed permissions to che-operator, then when it deploys Che, it decides from CR what permissions it doesn't need and remove them.
- we cut-off the option to go back to higher permissions scenario without extra manual steps. Also I'm not sure if it is even possible to remove oneself permissions.

There is currently draft PR open[3] and it's issue[0] contains interesting discussion. The PR currently follows first option.

There is a very similar issue[4] that is focused on chectl. I believe it should be solved on che-operator level, because we have to support installation from operator hub as well.

[0] - https://github.com/eclipse/che/issues/15300
[1] - https://github.com/eclipse/che/issues/14795
[2] - https://gist.github.com/sparkoo/624bbd1e10c88b8ad8719b93bc847920
[3] - https://github.com/eclipse/che-operator/pull/137
[4] - https://github.com/eclipse/che/issues/14662

--
Michal Vala
Software Engineer, Eclipse Che
Red Hat Czech

Michal Vala
Software Engineer, Eclipse Che
Red Hat Czech

References:
- [che-dev] extra cluster-wide permissions for che-operator to support `<username>-che` namespace
  - From: Michal Vala

Prev by Date: [che-dev] devfile's previewUrl to stable
Next by Date: [che-dev] Fwd: [StackOverflow] che.openshift.io - Run the terminal of as SUDO
Previous by thread: [che-dev] extra cluster-wide permissions for che-operator to support `<username>-che` namespace
Next by thread: Re: [che-dev] Migrating openshiftio-cico-jobs to app-interface
Index(es):
- Date
- Thread

Breadcrumbs