Skip to content

Introduce ingress controller #552

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-robot merged 1 commit into from
Mar 30, 2021
Merged

Introduce ingress controller #552

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
3 changes: 1 addition & 2 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ require (
github.com/kevinburke/go-bindata v3.11.0+incompatible
github.com/onsi/ginkgo v1.14.0 // indirect
github.com/openshift/api v0.0.0-20210325163602-e37aaed4c278
github.com/openshift/library-go v0.0.0-20200423123937-d1360419413d
github.com/openshift/library-go v0.0.0-20210324013940-2cbb32340951
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.7.1
github.com/spf13/cobra v1.1.1
Expand All @@ -32,7 +32,6 @@ require (
gopkg.in/fsnotify.v1 v1.4.7
gopkg.in/yaml.v2 v2.3.0
k8s.io/api v0.20.0
k8s.io/apiextensions-apiserver v0.20.0 // indirect
k8s.io/apimachinery v0.20.0
k8s.io/apiserver v0.20.0
k8s.io/client-go v0.20.0
Expand Down
150 changes: 54 additions & 96 deletions go.sum
View file
Open in desktop

Large diffs are not rendered by default.

20 changes: 20 additions & 0 deletions manifests/01-role-binding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,23 @@ roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: ingress-operator
---
# RoleBinding for the operator to delete Role and RoleBindings
# in the openshift-config namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ingress-operator
namespace: openshift-config
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
subjects:
- kind: ServiceAccount
name: ingress-operator
namespace: openshift-ingress-operator
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: ingress-operator
20 changes: 20 additions & 0 deletions manifests/01-role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,3 +36,23 @@ rules:
- services
verbs:
- "*"
---
# Role for the operator to delete Role and RoleBindings
# in the openshift-config namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ingress-operator
namespace: openshift-config
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
rules:
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- delete
Copy link

@sttts sttts Mar 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no creation?

Copy link
Contributor Author

@awgreene awgreene Mar 19, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The operator already has a clusterRole granting create, get, list, watch, and update permissions in all namespaces but I wanted to scope delete permissions to the openshift-config namespace.

Copy link

@sttts sttts Mar 22, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would add delete there too. The operator is already basically cluster admin with what it can do (assigning itself more roles). Adding delete is not making it worse.

Wondering for what does it use the rbac permissions today? Surprises me that it can work without delete.

Copy link
Contributor Author

@awgreene awgreene Mar 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with your assessment that the operator is effectively a cluster admin and that granting it delete permissions at the cluster level doesn't make anything worse.

However, I believe that by scoping these permissions to the openshift-config the purpose of rbac is better communicated to developers unfamiliar with this feature whereas the purpose is somewhat mystified if lumped into the clusterRole. If you do not believe that this information is valuable to other developers I can lump it into the clusterRole.

16 changes: 8 additions & 8 deletions pkg/manifests/bindata.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading