[che-dev] Username and K8s namespace name

Hello, devs.
I want to discuss with you one topic related to the k8s namespace name of the workspace.
We noticed that the situation where the username is incompatible with a k8s namespace name isn't that rare [1].
And it is not very clear to users what to do next [2].


Let's summarise the problem first.
By default we have che.infra.kubernetes.namespace.allow_user_defined=false and che.infra.kubernetes.namespace.default=<username>-che
That means that the user is not able to propose a namespace by himself and we use his username if Che is going to explicitly create
the k8s namespace for the workspace. Obviously the situation becomes complicated if the user chooses a username that is not k8s compatible [3].


Now let's talk about what we can do.
1. In case Che is NOT controlling namespace creation, we have a limited number of variants here. I can suggest adding more placeholders.
   - <oc_user_label_name> - In case OpenShift OAuth is enabled we can use labels of the user.openshift.io/v1 object.
   - An external HTTP endpoint, which we can query with the user id and which must return the k8s namespace name
   - An extra field in the JWT token. Needs additional research here.

2. In case Che is ALLOWED to create a namespace and the user is NOT allowed to suggest his variant
   - On first login pre-create the k8s namespace.
   - Remove incompatible characters.
   - In case a namespace with such a name already exists - add a 6-character random suffix.

3. In case Che is ALLOWED to create a namespace and the user is ALLOWED to suggest his variant.
   - Ensure that the problem with the namespace name exists for the given user
   - Ask the user about the desired namespace before creating a workspace or accepting a factory on the dashboard
   - In case there is already an existing workspace, we can use his k8s namespace as a first option.

Unconditional.
  - Try to add validation on the Keycloak profile page to add extra validation of the username.
  - Synchronize the username on each login. At this moment we are synchronizing a single field - email.



[1] Invalid default namespace name https://github.com/eclipse/che/issues/15323
[2] How to remove Che user https://github.com/eclipse/che/issues/17500
[3] rfc1035/rfc1123 label (DNS_LABEL) : An alphanumeric (a-z, and 0-9) string, with a maximum length of 63 characters, 
    with the '-' character allowed anywhere except the first or last character, suitable for use as a hostname or segment in a domain name

--

Sergii Kabashniuk

Principal Software Engineer, DevTools 

Red Hat

skabashniuk@xxxxxxxxxx    
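
Proposal 2 above (remove incompatible characters, add a 6-character random suffix when the name already exists), sketched in Python as an added example; it is not code from this message or from Che. The function names, the `taken` set and the lowercasing step are assumptions of the sketch, and the usernames are constructed.

```python
import re
import secrets
import string

MAX_LABEL = 63  # DNS_LABEL length limit quoted in footnote [3]
DNS_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?")
SUFFIX_CHARS = string.ascii_lowercase + string.digits
SUFFIX_LEN = 6  # "6 characters random suffix" from proposal 2


def is_dns_label(name):
    """True if name satisfies the DNS_LABEL rule in footnote [3]."""
    return len(name) <= MAX_LABEL and DNS_LABEL.fullmatch(name) is not None


def sanitize(username):
    """Remove characters a DNS_LABEL cannot hold and trim edge dashes.

    Lowercasing first is an assumption of this sketch.
    """
    return re.sub(r"[^a-z0-9-]", "", username.lower()).strip("-")


def namespace_for(username, taken, template="<username>-che"):
    """Return a DNS_LABEL-compatible namespace name that is not in `taken`.

    `taken` (hypothetical) is the set of namespace names that already exist.
    The template text is assumed to be short and DNS-compatible itself.
    """
    user = sanitize(username)
    if not user:
        raise ValueError("username has no DNS-compatible characters")
    # Reserve room for the template text and for "-" plus the random suffix.
    fixed_len = len(template.replace("<username>", ""))
    user = user[: MAX_LABEL - fixed_len - SUFFIX_LEN - 1].strip("-")
    base = template.replace("<username>", user)
    candidate = base
    # Sanitizing is lossy: "john.doe" and "johndoe" both give "johndoe-che".
    # Without this check the second user would land in the first one's namespace.
    while candidate in taken:
        rand = "".join(secrets.choice(SUFFIX_CHARS) for _ in range(SUFFIX_LEN))
        candidate = f"{base}-{rand}"
    return candidate


if __name__ == "__main__":
    taken = set()
    for name in ["john.doe", "johndoe", "Jane_Doe@example.com"]:  # constructed usernames
        ns = namespace_for(name, taken)
        taken.add(ns)
        print(f"{name!r} -> {ns} (valid: {is_dns_label(ns)})")
```
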

