Automatically create the container build SCC if containerBuildCapability is enabled #21768

Closed
l0rd opened this issue Oct 13, 2022 · 0 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system.

l0rd commented Oct 13, 2022

Is your enhancement related to a problem? Please describe

Even if disableContainerBuildCapabilities: false, an admin is still required to manually create a container-build SCC and grant the DevWorkspace controller SA privileges to get and update it, as mentioned here.

Describe the solution you'd like

We should introduce a new devEnvironments.containerBuildConfiguration section in CheCluster spec with the following defaults:

spec:
  devEnvironments:
    containerBuildConfiguration:
      openShiftSecurityContextConstraint: 'container-build'

When disableContainerBuildCapabilities: false then if the openShiftSecurityContextConstraint...

  • ...doesn't exist: Che should create it and add a role binding to get and update it to the DevWorkspace controller SA.
  • ...exists: Che should not override it, but should still add a role binding to get and update it to the DevWorkspace controller SA.

When disableContainerBuildCapabilities: true then if the openShiftSecurityContextConstraint:

  • ...exists: Che should delete it along with the DevWorkspace controller SA role binding.
  • ...doesn't exist: Che should do nothing.

If the SCC has been created manually by the admin, then Che should not delete it if disableContainerBuildCapabilities: true. For that, when Che creates the SCC and the role bindings, it should label them with app.kubernetes.io/managed-by: eclipse-che.
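The rules above written as a reconcile decision function. This is an added example, not part of the original issue and not the Che operator's code. `Object`, `Plan` and `PlanContainerBuild` are hypothetical names, and removing only objects that carry the managed-by label when the capability is disabled is this example's reading of the last rule.

```go
package main

import "fmt"

const (
	managedByKey = "app.kubernetes.io/managed-by"
	managedByVal = "eclipse-che"
)

// Object is a constructed stand-in for a cluster resource (SCC or role binding).
type Object struct {
	Exists bool
	Labels map[string]string
}

func (o Object) managedByChe() bool { return o.Exists && o.Labels[managedByKey] == managedByVal }

// Plan lists the actions one reconcile pass would take.
type Plan struct {
	CreateSCC, CreateRoleBinding, DeleteSCC, DeleteRoleBinding bool
}

// PlanContainerBuild applies the rules from the issue. Deleting only labelled
// objects is this example's reading of the managed-by rule.
func PlanContainerBuild(disabled bool, scc, rb Object) Plan {
	if !disabled {
		// Enabled: never override an existing SCC, always ensure the binding.
		return Plan{CreateSCC: !scc.Exists, CreateRoleBinding: !rb.Exists}
	}
	// Disabled: remove only what Che created; an admin-made SCC is left alone.
	return Plan{DeleteSCC: scc.managedByChe(), DeleteRoleBinding: rb.managedByChe()}
}

func main() {
	che := map[string]string{managedByKey: managedByVal}
	cases := []struct {
		name     string
		disabled bool
		scc, rb  Object
	}{
		{"enabled, nothing present", false, Object{}, Object{}},
		{"enabled, admin SCC present", false, Object{Exists: true}, Object{}},
		{"disabled, Che-created objects", true, Object{true, che}, Object{true, che}},
		{"disabled, admin SCC + Che binding", true, Object{Exists: true}, Object{true, che}},
		{"disabled, nothing present", true, Object{}, Object{}},
	}
	for _, c := range cases {
		fmt.Printf("%-36s %+v\n", c.name, PlanContainerBuild(c.disabled, c.scc, c.rb))
	}
}
```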

@l0rd l0rd added the kind/enhancement A feature request - must adhere to the feature request template. label Oct 13, 2022
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Oct 13, 2022
@l0rd l0rd changed the title Automatically create a container-build SCC if containerBuildCapability is enabled Automatically create the container build SCC if containerBuildCapability is enabled Oct 13, 2022
@l0rd l0rd added severity/P1 Has a major impact to usage or development of the system. area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Oct 13, 2022
@l0rd l0rd mentioned this issue Oct 13, 2022
67 tasks
@tolusha tolusha self-assigned this Oct 14, 2022
@tolusha tolusha closed this as completed Oct 18, 2022
@tolusha tolusha modified the milestones: 7.55, 7.56 Oct 18, 2022