Enabling custom actions to create new k8s resources #12174

Closed
reggie-k opened this issue Jan 27, 2023 · 3 comments · Fixed by #12925
Labels
enhancement New feature or request

Comments

@reggie-k
Member

reggie-k commented Jan 27, 2023

Summary

Currently, custom actions are only updating the resource they are acting upon.
There is a need for them to be able to create new resources as well.

Motivation

#4116

Proposal

Custom actions will have the ability to return either a list of resources with an operation type to perform for each (just create, currently), or just a single resource, for backward compatibility.
It would be nice to have the ability to use yaml manifests/template files in Lua actions, but if the io library is not considered safe for the use case, the Lua script will construct the yaml inline.

Lua libraries are of limited use for security reasons.
So the actual creation of the new resources will have to be outside of Lua.

A permission check will have to take place, to ensure the NEW resources are allowed to be created for this app.
For example: if the custom action operates on a CronJob resource, and creates a new Job resource, the permission to create a Job resource kind has to be granted on Project level, either implicitly or explicitly.
If the user is RBAC-allowed to invoke the action, the action can still FAIL upon invocation if no resource permissions are granted.

The operations that can be performed on resources, returned from Lua scripts, will be only "create" at this point.

Creating the new resource(s) will happen in the same component that currently performs the kubectl patch, resulting from the Lua action - the API Server.

Issues to decide on

  • Is there a use case to support also an "update" operation? If so, the "update" operation will require an additional check that the resource the action is performed on is the same resource the action is updating.
    Updating another resource will not be supported at this point because of security considerations.
    There are semantics around update and patch: the current actions return a resource in an update format, but actually a kubectl patch is performed.
    Do we want to support an explicit "patch" operation in addition, so that the users can specify a jsonPatch or merge snippet, instead of a full resource?
    Is there such a use case?
  • For built-in actions: do we want to set blacklist/whitelist boundaries on what kind of resources contributed Lua actions can create?

Tests:

  • Asserting that an action that creates a resource, the permissions for which are not granted, fails with a permissions error.
  • If boundaries are decided on for built-in actions, adding tests that would fail upon actions that violate those boundaries.
  • If an "update" operation is decided on as well, asserting that an action that updates a resource different from the one it operates on fails with an error.
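The proposal above (an action returning a list of resources each tagged with an operation, the legacy single-resource return kept for backward compatibility, and a project-level permission gate that can still fail a user who is RBAC-allowed to invoke the action) as an added Go example. This is not Argo CD's code and not the implementation from the linked PR: the type names K8SOperation and ImpactedResource are taken from the commit message on this page, but their definitions, the JSON shape of the returned list, the ParseActionResult/AuthorizeImpactedResources functions and the whitelist/blacklist semantics of ProjectRules are assumptions made for illustration, and the CronJob and Job samples are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Assumed names, not Argo CD's. Only "create" is proposed; "update" is modelled only to
// show the same-resource check the issue discusses.
type K8SOperation string

const OpCreate, OpUpdate K8SOperation = "create", "update"

// Minimal slice of a Kubernetes object; encoding/json matches keys case-insensitively,
// so "apiVersion" and "metadata" decode into these fields without struct tags.
type ObjectMeta struct{ Name, Namespace string }
type Resource struct {
	APIVersion string
	Kind       string
	Metadata   ObjectMeta
}
type ImpactedResource struct { // one entry of the list an action returns (assumed shape)
	Operation K8SOperation
	Resource  Resource
}

// Group derives the API group from apiVersion: "batch/v1" -> "batch", core "v1" -> "".
func (r Resource) Group() string {
	if i := strings.Index(r.APIVersion, "/"); i >= 0 {
		return r.APIVersion[:i]
	}
	return ""
}

// ParseActionResult accepts both shapes from the proposal: a list of {operation, resource}
// entries, or (legacy) a single bare resource, treated as an update of the acted-on object.
func ParseActionResult(raw []byte) ([]ImpactedResource, error) {
	var list []ImpactedResource
	if err := json.Unmarshal(raw, &list); err == nil {
		return list, nil
	}
	var single Resource
	if err := json.Unmarshal(raw, &single); err != nil {
		return nil, fmt.Errorf("action result is neither a list nor a resource: %w", err)
	}
	return []ImpactedResource{{Operation: OpUpdate, Resource: single}}, nil
}

// GroupKind is one project rule ("*" matches any group or kind); ProjectRules stands in for
// a project's resource lists: a blacklist hit denies, an empty whitelist allows the rest.
type GroupKind struct{ Group, Kind string }
type ProjectRules struct{ Whitelist, Blacklist []GroupKind }

func anyMatch(rules []GroupKind, r Resource) bool {
	for _, gk := range rules {
		if (gk.Group == "*" || gk.Group == r.Group()) && (gk.Kind == "*" || gk.Kind == r.Kind) {
			return true
		}
	}
	return false
}

func (p ProjectRules) Permits(r Resource) bool {
	return !anyMatch(p.Blacklist, r) && (len(p.Whitelist) == 0 || anyMatch(p.Whitelist, r))
}

var ErrNotPermitted = errors.New("project does not permit creating this resource kind")
var ErrWrongTarget = errors.New("update may only target the resource the action acts on")

// AuthorizeImpactedResources is the second gate from the issue: the caller already passed
// RBAC to invoke the action, but it still fails if the project does not permit creating a
// returned kind or an update targets anything but the acted-on object; unknown ops fail closed.
func AuthorizeImpactedResources(target Resource, rules ProjectRules, impacted []ImpactedResource) error {
	for i, ir := range impacted {
		r := ir.Resource
		switch ir.Operation {
		case OpCreate:
			if !rules.Permits(r) {
				return fmt.Errorf("resource %d (%s/%s %s): %w", i, r.Group(), r.Kind, r.Metadata.Name, ErrNotPermitted)
			}
		case OpUpdate:
			if r.Group() != target.Group() || r.Kind != target.Kind || r.Metadata != target.Metadata {
				return fmt.Errorf("resource %d: %w", i, ErrWrongTarget)
			}
		default:
			return fmt.Errorf("resource %d: unsupported operation %q", i, ir.Operation)
		}
	}
	return nil
}

// Constructed samples: the acted-on CronJob, what a create-Job action might return
// (bodies trimmed to identity), and the legacy single-resource form.
var cronJob = Resource{APIVersion: "batch/v1", Kind: "CronJob", Metadata: ObjectMeta{Name: "hello", Namespace: "default"}}

const sampleCreateJob = `[{"operation":"create","resource":{"apiVersion":"batch/v1","kind":"Job","metadata":{"name":"hello-manual","namespace":"default"}}}]`
const sampleLegacy = `{"apiVersion":"batch/v1","kind":"CronJob","metadata":{"name":"hello","namespace":"default"}}`

func main() {
	denyJobs := ProjectRules{Blacklist: []GroupKind{{Group: "batch", Kind: "Job"}}}
	impacted, err := ParseActionResult([]byte(sampleCreateJob))
	fmt.Println("parse:", err, "| create Job under Job blacklist:", AuthorizeImpactedResources(cronJob, denyJobs, impacted))
}
```

The order of the two gates matters for the failure mode the issue describes: RBAC on the action is checked before the Lua script runs, while the project check can only run after the script has returned its list, so an allowed user sees the action fail at invocation time rather than being blocked up front.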
@otherguy

This would be extremely useful. A first step would be just to allow creation of any resources, as it would enable #4116.

@tuananh
Contributor

tuananh commented Mar 14, 2023

This would be extremely helpful. Watching 👀

@reggie-k
Member Author

Apart from ad-hoc creation of Job from CronJob, what other uses of this feature are expected?

crenshaw-dev added a commit that referenced this issue Jun 23, 2023
* Kind wildcard support in health customizations

Signed-off-by: reggie <reginakagan@gmail.com>

* Updated health customizations docs to using the correct field with a /

Signed-off-by: reggie <reginakagan@gmail.com>

* Updated health customizations docs to using the correct field with a /

Signed-off-by: reggie <reginakagan@gmail.com>

* Document resource kind wildcard for custom health check

Signed-off-by: reggie <reginakagan@gmail.com>

* Implemented wildcard * support in API Group and Resource Kind and updated docs

Signed-off-by: reggie <reginakagan@gmail.com>

* Implemented wildcard * support in API Group and Resource Kind and updated docs

Signed-off-by: reggie <reginakagan@gmail.com>

* Implemented wildcard * support in API Group and Resource Kind and updated docs

Signed-off-by: reggie <reginakagan@gmail.com>

* Added a custom create-from CronJob action

Signed-off-by: reggie <reginakagan@gmail.com>

* in progress

Signed-off-by: reggie <reginakagan@gmail.com>

* in progress

Signed-off-by: reggie <reginakagan@gmail.com>

* in progress

Signed-off-by: reggie <reginakagan@gmail.com>

* in progress

Signed-off-by: reggie <reginakagan@gmail.com>

* added a ns in the action.lua and fixed tests

Signed-off-by: reggie <reginakagan@gmail.com>

* create-job

Signed-off-by: reggie <reginakagan@gmail.com>

* in progress

Signed-off-by: reggie <reginakagan@gmail.com>

* more changes

Signed-off-by: reggie <reginakagan@gmail.com>

* full unit tests and action returning an array

Signed-off-by: reggie <reginakagan@gmail.com>

* cleanup

Signed-off-by: reggie <reginakagan@gmail.com>

* fix the custom tests

Signed-off-by: reggie <reginakagan@gmail.com>

* e2e tests

Signed-off-by: reggie <reginakagan@gmail.com>

* json marshaling annotations ImpactedResource, e2e tests and docs

Signed-off-by: reggie <reginakagan@gmail.com>

* more docs and tests

Signed-off-by: reggie <reginakagan@gmail.com>

* upstream sync

Signed-off-by: reggie <reginakagan@gmail.com>

* fix wrong return upon going over the impacted resources + docs + fixing e2e tests

Signed-off-by: reggie <reginakagan@gmail.com>

* docs

Signed-off-by: reggie <reginakagan@gmail.com>

* better error handling

Signed-off-by: reggie <reginakagan@gmail.com>

* K8SOperation as an enum

Signed-off-by: reggie <reginakagan@gmail.com>

* added dry-run for create operation

Signed-off-by: reggie <reginakagan@gmail.com>

* small changes

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* ref to my gitops-engine fork out

Signed-off-by: reggie <reginakagan@gmail.com>

* ref to my gitops-engine fork out

Signed-off-by: reggie <reginakagan@gmail.com>

* ref to my gitops-engine fork out

Signed-off-by: reggie <reginakagan@gmail.com>

* ref to my gitops-engine fork out

Signed-off-by: reggie <reginakagan@gmail.com>

* ref to my gitops-engine fork out

Signed-off-by: reggie <reginakagan@gmail.com>

* gitops engine dependency and test fixes

Signed-off-by: reggie <reginakagan@gmail.com>

* add workflows action

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* cronworkflow and workflowtemplate actions

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* update gitops-engine

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: reggie <reginakagan@gmail.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
yyzxw pushed a commit to yyzxw/argo-cd that referenced this issue Aug 9, 2023
…12925)

leoluz pushed a commit to leoluz/argo-cd that referenced this issue Sep 29, 2023
argoproj#516)

* separating kubectl and resource ops mocks

Signed-off-by: reggie <reginakagan@gmail.com>

* separating kubectl and resource ops mocks

Signed-off-by: reggie <reginakagan@gmail.com>

* separating kubectl and resource ops mocks

Signed-off-by: reggie <reginakagan@gmail.com>

* server dry-run for MockKubectlCmd

Signed-off-by: reggie <reginakagan@gmail.com>

* server dry-run for MockKubectlCmd

Signed-off-by: reggie <reginakagan@gmail.com>

* server dry-run for MockKubectlCmd

Signed-off-by: reggie <reginakagan@gmail.com>

* mock create noop

Signed-off-by: reggie <reginakagan@gmail.com>

* ctl create resource with createOptions

Signed-off-by: reggie <reginakagan@gmail.com>

---------

Signed-off-by: reggie <reginakagan@gmail.com>
tesla59 pushed a commit to tesla59/argo-cd that referenced this issue Dec 16, 2023
…12925)
