Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add dedicated ServiceAccount for perftune jobs #1971

Merged
merged 3 commits into from
Jul 9, 2024
Merged

Add dedicated ServiceAccount for perftune jobs #1971

merged 3 commits into from
Jul 9, 2024

Conversation

tnozicka
Copy link
Contributor

@tnozicka tnozicka commented Jun 14, 2024
edited
Loading

Description of your changes:
This PR adds a dedicated ServiceAccount to use for perftune jobs which enhances security isolation and allows some platforms (like OpenShift) to grant it extra permissions.

Which issue is resolved by this Pull Request:
Resolves #1975

Requires:

@tnozicka tnozicka added kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Jun 14, 2024
@scylla-operator-bot scylla-operator-bot bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 14, 2024
@scylla-operator-bot scylla-operator-bot bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 14, 2024
@tnozicka tnozicka force-pushed the perftune-sa branch 3 times, most recently from 81b5246 to 25f1cf9 Compare June 20, 2024 13:48
@tnozicka tnozicka changed the title [WIP] Add dedicated ServiceAccount for perftune jobs Add dedicated ServiceAccount for perftune jobs Jun 20, 2024
@scylla-operator-bot scylla-operator-bot bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 20, 2024
@tnozicka
Copy link
Contributor Author

@zimnx @rzetelskik ptal

zimnx
zimnx reviewed Jun 27, 2024
View reviewed changes
@scylla-operator-bot scylla-operator-bot bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 2, 2024
@rzetelskik rzetelskik self-requested a review July 2, 2024 12:48
rzetelskik
rzetelskik approved these changes Jul 2, 2024
View reviewed changes
Copy link
Member

@rzetelskik rzetelskik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm
/assign zimnx

@scylla-operator-bot scylla-operator-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rzetelskik, tnozicka

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

zimnx
zimnx reviewed Jul 2, 2024
View reviewed changes
pkg/controller/nodeconfig/sync_roles.go

// Delete any excessive Roles.
// Delete has to be the first action to avoid getting stuck on quota.
err := controllerhelpers.Prune(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't Prune complain about missing controllerref on deleted objects? We are not allowed to delete them. There should be an option to disable it on justified cases similar to apply functions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You already give it a set of claimed and pre-existing objects so it's assumed you own them by how you've claimed them in the fist place. If you were to do a patch or update instead you'd not have rechecked again. For the case of the helper it's cheap but I'd not couple it to this PR.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant to add a safety check so we won't delete objects we weren't meant to delete. Filing an issue for future improvement is fine.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#2010

@tnozicka tnozicka mentioned this pull request Jul 3, 2024
Closed
@tnozicka tnozicka changed the title Add dedicated ServiceAccount for perftune jobs [WIP] Add dedicated ServiceAccount for perftune jobs Jul 3, 2024
@scylla-operator-bot scylla-operator-bot bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 3, 2024
@tnozicka tnozicka changed the title [WIP] Add dedicated ServiceAccount for perftune jobs Add dedicated ServiceAccount for perftune jobs Jul 8, 2024
@scylla-operator-bot scylla-operator-bot bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 8, 2024
@tnozicka tnozicka requested review from zimnx and rzetelskik July 8, 2024 13:41
zimnx
zimnx reviewed Jul 8, 2024
View reviewed changes
pkg/controller/nodeconfig/sync_roles.go Outdated
},
ncc.eventRecorder)
if err != nil {
return fmt.Errorf("can't prune RoleBinding(s): %w", err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return fmt.Errorf("can't prune RoleBinding(s): %w", err)
return fmt.Errorf("can't prune Role(s): %w", err)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed, thx

pkg/controller/nodeconfig/sync_roles.go

// Delete any excessive Roles.
// Delete has to be the first action to avoid getting stuck on quota.
err := controllerhelpers.Prune(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant to add a safety check so we won't delete objects we weren't meant to delete. Filing an issue for future improvement is fine.

@tnozicka tnozicka mentioned this pull request Jul 9, 2024
Closed
@tnozicka tnozicka requested a review from zimnx July 9, 2024 06:16
@zimnx
Copy link
Collaborator

zimnx commented Jul 9, 2024
edited
Loading

Thanks for updates
/lgtm

@scylla-operator-bot scylla-operator-bot bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2024
@tnozicka
Copy link
Contributor Author

tnozicka commented Jul 9, 2024

#1996 (comment)
/retest

@tnozicka
Copy link
Contributor Author

tnozicka commented Jul 9, 2024

#1996 (comment)
/retest

@tnozicka
Copy link
Contributor Author

tnozicka commented Jul 9, 2024

#1996 (comment)
/retest

@scylla-operator-bot scylla-operator-bot bot merged commit c7e5090 into scylladb:master Jul 9, 2024
12 checks passed
@tnozicka tnozicka deleted the perftune-sa branch July 9, 2024 11:56
@mflendrich mflendrich mentioned this pull request Feb 4, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rzetelskik rzetelskik Awaiting requested review from rzetelskik

@zimnx zimnx Awaiting requested review from zimnx

Assignees

@zimnx zimnx

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Perftune jobs should use dedicated serviceaccount
3 participants
@tnozicka @zimnx @rzetelskik