
Allow for the customization of user roles in Che provisioned namespaces #22146

Closed
cgruver opened this issue Apr 12, 2023 · 7 comments
Labels: area/che-operator (Issues and PRs related to Eclipse Che Kubernetes Operator), kind/enhancement (A feature request - must adhere to the feature request template.), severity/P1 (Has a major impact to usage or development of the system.)

Comments


cgruver commented Apr 12, 2023

Is your enhancement related to a problem? Please describe

The permissions granted to a user on their Che provisioned namespace are not permissive enough to allow the user to create some objects in their namespace that might be needed for their development work.

For example: create Kafka or KafkaTopic CRs, create port-forward to access ports on pods (Kubedock needs this), etc...

Describe the solution you'd like

Allow for a ClusterRole to be specified in the CheCluster CR that gets applied to the user in the provisioned namespace.

For example: admin, edit, or custom ClusterRole.

If not specified, then default to the current behavior.

Describe alternatives you've considered

No response

Additional context

No response

@cgruver cgruver added the kind/enhancement A feature request - must adhere to the feature request template. label Apr 12, 2023
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Apr 12, 2023
@amisevsk amisevsk added severity/P1 Has a major impact to usage or development of the system. area/install Issues related to installation, including offline/air gap and initial setup area/che-server and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Apr 14, 2023

tolusha commented Apr 17, 2023

Not trivial, but it is possible even now:

1. Declare env vars:

```shell
ECLIPSE_CHE_NAMESPACE=eclipse-che
OPERATOR_NAMESPACE=eclipse-che
CHE_CLUSTER_NAME=eclipse-che
CUSTOM_ROLES_NAME=che-custom-roles
```

2. Create the needed roles:

```shell
kubectl apply -f - <<EOF
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${CUSTOM_ROLES_NAME}
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
rules:
  - verbs:
      - '*'
    apiGroups:
      - cert-manager.io
    resources:
      - certificates
EOF
```

3. Ensure the operator can delegate the needed roles:

```shell
kubectl apply -f - <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${CUSTOM_ROLES_NAME}
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
subjects:
  - kind: ServiceAccount
    name: che-operator
    namespace: ${OPERATOR_NAMESPACE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${CUSTOM_ROLES_NAME}
EOF
```

4. Patch the CheCluster CR to tell che-operator to add the ClusterRoles to the che SA:

```shell
kubectl patch checluster/${CHE_CLUSTER_NAME} --patch '{"spec": {"components": {"cheServer": {"clusterRoles": ["'${CUSTOM_ROLES_NAME}'"]}}}}' --type=merge -n ${ECLIPSE_CHE_NAMESPACE}
```

5. Patch the CheCluster CR to tell che-server to add the ClusterRoles to a user:

```shell
# ${ECLIPSE_CHE_NAMESPACE}-cheworkspaces-clusterrole and ${ECLIPSE_CHE_NAMESPACE}-cheworkspaces-devworkspace-clusterrole are the default user ClusterRoles
USER_CLUSTER_ROLES="${CUSTOM_ROLES_NAME},${ECLIPSE_CHE_NAMESPACE}-cheworkspaces-clusterrole,${ECLIPSE_CHE_NAMESPACE}-cheworkspaces-devworkspace-clusterrole"

kubectl patch checluster/${CHE_CLUSTER_NAME} --patch '{"spec": {"components": {"cheServer": {"extraProperties": {"CHE_INFRA_KUBERNETES_USER__CLUSTER__ROLES": "'${USER_CLUSTER_ROLES}'"}}}}}' --type=merge -n ${ECLIPSE_CHE_NAMESPACE}
```

@tolusha tolusha added area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator and removed area/che-server labels Apr 17, 2023
@ibuziuk ibuziuk moved this to 📋 Backlog in Eclipse Che Team A Backlog Apr 17, 2023

tolusha commented Apr 17, 2023

This PR [1] will avoid using step 4
[1] eclipse-che/che-operator#1663

@tolusha tolusha removed the area/install Issues related to installation, including offline/air gap and initial setup label Apr 19, 2023
@ibuziuk ibuziuk moved this from 📋 Backlog to 🚧 In Progress in Eclipse Che Team A Backlog Apr 19, 2023

l0rd commented Apr 20, 2023

@tolusha does it make sense to add a specific field in the CheCluster CRD rather than using che-server extraProperties? Something like spec.devEnvironments.defaultNamespace.user.clusterRoles.


tolusha commented Apr 20, 2023

@l0rd
I completely agree.
Moreover, we used to have such a field in CheCluster API v1 [1].
Unfortunately it was dropped without any reason :(
Is it better to add the user field directly into devEnvironments section?

[1] https://github.com/eclipse-che/che-operator/blob/main/api/v1/checluster_types.go#L130


l0rd commented Apr 20, 2023

> Is it better to add the user field directly into devEnvironments section?

I was assuming that user clusterRoles are coupled to the defaultNamespace creation: the clusterRole is not created if the namespace autoProvision is set to false. But if I am wrong, if the clusterRole is created anyway, then yes user should be in devEnvironments.


tolusha commented Apr 21, 2023

che-docs PR eclipse-che/che-docs#2590

1. Define the user roles name:

```shell
$ USER_ROLES=<name>
```

2. Find out the namespace where the Che operator is deployed:

```shell
$ OPERATOR_NAMESPACE=$(kubectl get pods -l app.kubernetes.io/component=che-operator -o jsonpath='{.items[0].metadata.namespace}' --all-namespaces)
```

3. Create the needed roles:

```shell
$ kubectl apply -f - <<EOF
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${USER_ROLES}
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
rules:
  - verbs:
      - <verbs>
    apiGroups:
      - <apiGroups>
    resources:
      - <resources>
EOF
```

4. Delegate the roles to the Che operator:

```shell
$ kubectl apply -f - <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${USER_ROLES}
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
subjects:
  - kind: ServiceAccount
    name: che-operator
    namespace: ${OPERATOR_NAMESPACE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${USER_ROLES}
EOF
```

5. Configure the Che operator to delegate the roles to the che service account:

```shell
$ kubectl patch checluster eclipse-che \
  --patch '{"spec": {"components": {"cheServer": {"clusterRoles": ["'${USER_ROLES}'"]}}}}' \
  --type=merge -n eclipse-che
```

6. Configure che server to delegate the roles to a user:

```shell
$ kubectl patch checluster eclipse-che \
  --patch '{"spec": {"devEnvironments": {"user": {"clusterRoles": ["'${USER_ROLES}'"]}}}}' \
  --type=merge -n eclipse-che
```

Wait until the rollout of Che server components finishes.
The user has to log out and log in to have the new roles applied.
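The procedure in tolusha's two comments above ends with the same ClusterRole being bound into every Che user namespace, so it is worth auditing how broad that role is before delegating it, and generating both CheCluster patches from one list so the operator-side and user-side role lists cannot drift apart. The following is an added example, not code from this thread or from the Che project: it audits a ClusterRole given as a dict (constructed samples modelled on the cert-manager rule above; the sensitivity thresholds are this example's own choice) and builds the `spec.components.cheServer.clusterRoles` and `spec.devEnvironments.user.clusterRoles` merge patches named in the thread.

```python
# Verbs and resources that let a role holder widen their own rights; a role the
# Che operator binds into every user namespace should rarely need them.
# These thresholds are this example's choice, not anything Che enforces.
SENSITIVE_VERBS = {"*", "escalate", "bind", "impersonate"}
SENSITIVE_RESOURCES = {"*", "secrets", "roles", "rolebindings",
                       "clusterroles", "clusterrolebindings"}

# Constructed sample roles, modelled on the cert-manager rule in the thread.
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "che-custom-roles-wildcard"},
    "rules": [{"verbs": ["*"], "apiGroups": ["cert-manager.io"],
               "resources": ["certificates"]}],
}
TIGHT_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "che-custom-roles"},
    "rules": [{"verbs": ["get", "list", "watch", "create", "delete"],
               "apiGroups": ["cert-manager.io"], "resources": ["certificates"]}],
}


def audit_cluster_role(role: dict) -> list:
    """Return findings for rules broader than a per-user namespace usually needs.
    An empty list means nothing was flagged."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        bad_verbs = set(rule.get("verbs", [])) & SENSITIVE_VERBS
        bad_res = set(rule.get("resources", [])) & SENSITIVE_RESOURCES
        if bad_verbs:
            findings.append(f"rule {i}: sensitive verbs {sorted(bad_verbs)}")
        if bad_res:
            findings.append(f"rule {i}: sensitive resources {sorted(bad_res)}")
        if "*" in rule.get("apiGroups", []):
            findings.append(f"rule {i}: wildcard apiGroups")
    return findings


def build_checluster_patches(user_roles: list) -> tuple:
    """Build both merge patches from one list of ClusterRole names: the first
    lets che-operator grant them to the che service account, the second makes
    che-server grant them to users (field paths taken from the thread)."""
    operator_patch = {"spec": {"components": {"cheServer": {"clusterRoles": list(user_roles)}}}}
    user_patch = {"spec": {"devEnvironments": {"user": {"clusterRoles": list(user_roles)}}}}
    return operator_patch, user_patch
```

`json.dumps()` of each returned patch is the string to pass as the `--patch` argument in steps 5 and 6; a ClusterRole with `'*'` verbs, as in the thread's own example, gets flagged so that the verbs can be enumerated instead.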

@tolusha tolusha closed this as completed Apr 21, 2023
@tolusha tolusha added this to the 7.66 milestone Apr 21, 2023
@tolusha tolusha moved this from 🚧 In Progress to ✅ Done in Eclipse Che Team A Backlog Apr 21, 2023

cgruver commented Apr 22, 2023

You guys rock!

Thanks for the quick turnaround. :-)

@ibuziuk ibuziuk moved this from Ready for Review to ✅ Done in Eclipse Che Team A Backlog May 11, 2023
@ibuziuk ibuziuk moved this from ✅ Done to Ready for Review in Eclipse Che Team A Backlog May 11, 2023
@ibuziuk ibuziuk moved this from Ready for Review to ✅ Done in Eclipse Che Team A Backlog May 16, 2023