
feat: implement cmpd's PolicyRules #8328

Open. Wants to merge 19 commits into base: main.

Conversation


@cjc7373 cjc7373 commented Oct 24, 2024

Fixes #8310. Things done in this PR:

  • implements cmpd's PolicyRules
  • changes the semantics of serviceAccountName in the cluster and component CR. KB now does not create RBAC resources if the user has specified a service account.
  • the service account is now at the component level, with a name of kb-<clusterName>-<compName>.

TODO:

  • update pg addon's cmpd policyRule since we removed kubeblocks-patroni-pod-role
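The service-account semantics described in this PR, as an added example (not KubeBlocks code): a user-specified serviceAccountName means no RBAC objects are created, otherwise a default kb-<clusterName>-<compName> ServiceAccount is created together with a Role carrying the cmpd's PolicyRules and a RoleBinding. The Component, PolicyRule and RBACPlan types, the Role/RoleBinding names and the sample rule are assumptions constructed for the example.

```go
package main
import "fmt"

// PolicyRule stands in for rbacv1.PolicyRule (assumption; KubeBlocks uses the k8s type).
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// Component is the slice of a Component CR this example needs (constructed, not the real type).
type Component struct {
	ClusterName, Name  string
	ServiceAccountName string       // user override; empty means KubeBlocks manages RBAC
	CmpdPolicyRules    []PolicyRule // rules declared in the ComponentDefinition's policyRules
}

// RBACPlan is what the controller would create: SA, Role with the cmpd rules, RoleBinding.
type RBACPlan struct {
	ServiceAccount, RoleName, BindingName string // all named after the SA (assumption)
	RoleRules                             []PolicyRule
}

// defaultServiceAccountName follows the PR's naming: kb-<clusterName>-<compName>.
func defaultServiceAccountName(c Component) string {
	return fmt.Sprintf("kb-%s-%s", c.ClusterName, c.Name)
}

// effectiveServiceAccount is the name the component's pods actually run as.
func effectiveServiceAccount(c Component) string {
	if c.ServiceAccountName != "" {
		return c.ServiceAccountName
	}
	return defaultServiceAccountName(c)
}

// planRBAC applies the PR's semantics: a user-specified ServiceAccount means no RBAC
// objects are created (ok == false); otherwise a default SA, Role and RoleBinding are.
func planRBAC(c Component) (*RBACPlan, bool) {
	if c.ServiceAccountName != "" {
		return nil, false
	}
	sa := defaultServiceAccountName(c)
	return &RBACPlan{ServiceAccount: sa, RoleName: sa, BindingName: sa, RoleRules: c.CmpdPolicyRules}, true
}

func main() {
	c := Component{ClusterName: "pg", Name: "postgresql", // constructed sample component
		CmpdPolicyRules: []PolicyRule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "patch"}}}}
	p, ok := planRBAC(c)
	fmt.Println(ok, p.ServiceAccount, len(p.RoleRules))
}
```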

@github-actions github-actions bot added the size/XL Denotes a PR that changes 500-999 lines. label Oct 24, 2024
@cjc7373 cjc7373 changed the title feature: implement cmpd's PolicyRules feat: implement cmpd's PolicyRules Oct 24, 2024
Copy link

codecov bot commented Oct 25, 2024

Codecov Report

Attention: Patch coverage is 72.30769% with 36 lines in your changes missing coverage. Please review.

Project coverage is 61.15%. Comparing base (7ec2c5c) to head (7581dc6).

Files with missing lines Patch % Lines
controllers/apps/transformer_component_rbac.go 76.14% 15 Missing and 11 partials ⚠️
pkg/controller/factory/builder.go 27.27% 8 Missing ⚠️
controllers/apps/transformer_cluster_deletion.go 0.00% 0 Missing and 1 partial ⚠️
pkg/controller/component/synthesize_component.go 50.00% 1 Missing ⚠️
@@            Coverage Diff             @@
##             main    #8328      +/-   ##
==========================================
- Coverage   61.27%   61.15%   -0.12%     
==========================================
  Files         351      352       +1     
  Lines       41752    41739      -13     
==========================================
- Hits        25584    25527      -57     
- Misses      13870    13900      +30     
- Partials     2298     2312      +14     
Flag Coverage Δ
unittests 61.15% <72.30%> (-0.12%) ⬇️


@cjc7373 cjc7373 marked this pull request as ready for review October 28, 2024 07:30
@cjc7373 cjc7373 requested review from leon-inf, Y-Rookie and a team as code owners October 28, 2024 07:30
@apecloud-bot apecloud-bot added the approved PR Approved Test label Oct 31, 2024
@apecloud-bot apecloud-bot removed the approved PR Approved Test label Nov 14, 2024

cjc7373 commented Nov 14, 2024

relevant addon PR: apecloud/kubeblocks-addons#1197

// Users can override the automatic ServiceAccount assignment by explicitly setting the name of
// an existed ServiceAccount in this field.
// If the field is not empty, the specified ServiceAccount will be used. And KubeBlocks will not
// create a ServiceAccount, nor create RoleBinding accordingly.
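Review bot: the wording of this doc comment needs a pass before merge: "an existed ServiceAccount" should read "an existing ServiceAccount", and the second sentence should not start with "And"; suggested: "If the field is not empty, the specified ServiceAccount is used and KubeBlocks creates neither a ServiceAccount nor a RoleBinding."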

Should the controller still bind these rules defined in kubeblocks-cluster-pod-role in case they are not bound by the user?


The rules in cmpd are the same.

@leon-inf leon-inf Nov 20, 2024


Since this field only involves the declaration of the service account (name) and does not pertain to the rules bound.

// The service account will be bound to a default role named "kubeblocks-cluster-pod-role" which is installed together with KubeBlocks.
// If not specified, KubeBlocks automatically assigns a default ServiceAccount named "kb-{cluster.name}"
// If not specified, KubeBlocks automatically creates a default ServiceAccount named
// "kb-{cluster.name}-{component.name}", bound to a role with rules defined in ComponentDefinition's
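Review bot: the first two lines here still describe the pre-PR behaviour (a shared "kubeblocks-cluster-pod-role" and a "kb-{cluster.name}" ServiceAccount) while the last two describe the new per-component default; the +/- markers are not visible in this view, so please confirm the two old lines are removed, otherwise the field's doc comment contradicts itself about which role and which name apply.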

As a further improvement, components with the same cmp can share a default service account.

@@ -59,28 +55,5 @@ func skipSetCompOwnershipNFinalizer(obj client.Object) bool {
}

func addFinalizer(obj client.Object, comp *appsv1.Component) {
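Review bot: this hunk collapses 28 lines into 5 but shows only the signature of addFinalizer, so check whether its comp parameter is still used; if the body merely delegates to controllerutil.AddFinalizer, drop the wrapper and call controllerutil.AddFinalizer at the call sites instead.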
@leon-inf leon-inf Nov 20, 2024


Can be removed and use controllerutil.AddFinalizer directly.

Labels
area/user-interaction size/XL Denotes a PR that changes 500-999 lines.
Successfully merging this pull request may close these issues.

[Features] Implement ComponentDefinition's PolicyRules
5 participants