Bug 2052923:[release-4.13] remove all wildcard permissions in rbacs

[parth-gr]

remove all wildcard permissions in rbacs

[openshift-ci]

@parth-gr: This pull request references Bugzilla bug 2052923, which is valid.

No validations were run on this bug

No GitHub users were found matching the public email listed for the QA contact in Bugzilla ([email protected]), skipping review request.

In response to this:

Bug 2052923:[release-4.13] remove all wildcard permissions in rbac de…

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[parth-gr]

enum : - '*', still need to look upon

[travisn]

Two more verbs that may need to be considered:

• watch: Likely needed on many of the resources
• deletecollection: Not likely needed, unless the ocs operator is deleting multiple resources based on a label, or all resources in a namespace, etc.

[parth-gr]

Two more verbs that may need to be considered:

• watch: Likely needed on many of the resources
• deletecollection: Not likely needed, unless the ocs operator is deleting multiple resources based on a label, or all resources in a namespace, etc.

Sure

[travisn]

No need to add the permissions where wildcards were not being used before. In this case, there was no wilcard for the verb.

[iamniting]

+1

[travisn]

No need to duplicate some of these permissions that are already specified

[travisn]

these are still duplicated

[travisn]

@malayparida2000 Do you know of any places the OCS operator needs to delete multiple resources in a single API call? If not, the deletecollection would not be needed to add when removing the wildcard.

[parth-gr]

@iamniting ^^

[iamniting]

I dont beleive if we are deleting collections anywhere in the ocs-operator

[iamniting]

Could you please check the controller when removing the asterisk permissions? We should evaluate whether we actually require all of them, and if not, we can add only the necessary ones.

[iamniting]

+1

[iamniting]

I dont beleive if we are deleting collections anywhere in the ocs-operator

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: parth-gr
Once this PR has been reviewed and has the lgtm label, please ask for approval from iamniting. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[parth-gr]

Could you please check the controller when removing the asterisk permissions? We should evaluate whether we actually require all of them, and if not, we can add only the necessary ones.

With this change, we are planning for changing from * to all required permission and would think of restricting to specifics in the future.

[travisn]

watch is duplicated in several places here

[parth-gr]

Thanks for catching it,

Tried to update all the places, please have a look once again

[travisn]

these are still duplicated

[iamniting]

Could you please check the controller when removing the asterisk permissions? We should evaluate whether we actually require all of them, and if not, we can add only the necessary ones.

With this change, we are planning for changing from * to all required permission and would think of restricting to specifics in the future.

I think as of now it would be easy to do that as we will have to look for fewer permissions (only the ones where * is present) for now. If we decide to do it later we will have to look for all the permissions.

[iamniting]

Can you please fix the commit-msg as well? It looks like it is in 2 lines.

[iamniting]

These are duplicates too, All of these are already present here.

[iamniting]

Can you pls fix the indentation? There is one extra space.

[iamniting]

Can you fix the indentation here as well?

[iamniting]

Can you fix the indentation here as well?

[openshift-ci]

@parth-gr: This pull request references Bugzilla bug 2052923, which is valid.

No validations were run on this bug

No GitHub users were found matching the public email listed for the QA contact in Bugzilla ([email protected]), skipping review request.

In response to this:

Bug 2052923:[release-4.13] remove all wildcard permissions in rbacs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[travisn]

- watch looks indented an extra space in many places

[iamniting]

+1

[iamniting]

+1

[iamniting]

@parth-gr It looks like you are changing the files under deploy manually. That's why CI is failing. You can auto-generate the changes using make gen-latest-csv and FUSION=true make gen-latest-csv.

[parth-gr]

FUSION=true make gen-latest-csv

Running this make gen-latest-csv and FUSION=true make gen-latest-csv makes the changes back to use wildcard

[parth-gr]

So basically these look automated files,
So from where these files are generated so I can apply the changes there
@iamniting

[iamniting]

So basically these look automated files, So from where these files are generated so I can apply the changes there @iamniting

These files are generated from the config dir and the rook CSV. If the rook CSV has wildcards we need to solve there themselves. For now, let's not update the files under deploy manually. Updating them manually will not help us as they will be reverted back while generating a build. Also, CI won't allow us to merge such PR.

[parth-gr]

So basically these look automated files, So from where these files are generated so I can apply the changes there @iamniting

These files are generated from the config dir and the rook CSV. If the rook CSV has wildcards we need to solve there themselves. For now, let's not update the files under deploy manually. Updating them manually will not help us as they will be reverted back while generating a build. Also, CI won't allow us to merge such PR.

Thanks

[iamniting]

I am wondering if these resources really belongs to the monitoring.coreos.com. If I am not mistaken they belong to the ceph.rook.io. @umangachapagain Can you pls guide @parth-gr What resources should come under the monitoring.coreos.com

[umangachapagain]

We only care about servicemonitors and prometheusrules AFAIR for monitoring.
Link to CRD def: https://github.com/prometheus-operator/kube-prometheus/tree/main/manifests/setup

[parth-gr]

Okay thanks

[travisn]

The only wildcards were related to the prometheus resources? Previously your PR had many more wildcards updated.

[parth-gr]

The only wildcards were related to the prometheus resources? Previously your PR had many more wildcards updated.

If I am running make gen-latest-csv and FUSION=true make gen-latest-csv they all get reverted,
It because the deploy files are auto created

[iamniting]

Hi @parth-gr We will require few more changes

1. We need to remove permissions from the CSV merger tool here
2. We need to add the same permissions here

[iamniting]

Hi @parth-gr We will require few more changes

We need to remove permissions from the CSV merger tool here
We need to add the same permissions here

Let me know if you need help we can meet and get it sorted.

[parth-gr]

Hi @parth-gr We will require few more changes
We need to remove permissions from the CSV merger tool here
We need to add the same permissions here

Let me know if you need help we can meet and get it sorted.

Sure will meet you tmr, thanks

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@parth-gr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ci-bundle-ocs-operator-bundle	fd9fd0e	link	true	/test ci-bundle-ocs-operator-bundle
ci/prow/ocs-operator-bundle-e2e-aws	fd9fd0e	link	true	/test ocs-operator-bundle-e2e-aws

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.