
Redesign the KubeClientRegistrationConfig for addonTemplate API #280

Closed
zhujian7 opened this issue Sep 15, 2023 · 2 comments
@zhujian7
Member

Now the KubeClientRegistrationConfig in addonTemplate API looks like:

package v1alpha1

import (
	rbacv1 "k8s.io/api/rbac/v1"
)

// HubPermissionsBindingType and SingleNamespaceBindingConfig are defined elsewhere in the same API package.

type KubeClientRegistrationConfig struct {
	// HubPermissions represent the permission configurations of the addon agent to access the hub cluster
	// +optional
	HubPermissions []HubPermissionConfig `json:"hubPermissions,omitempty"`
}

// HubPermissionConfig configures the permission of the addon agent to access the hub cluster.
// Will create a RoleBinding in the same namespace as the managedClusterAddon to bind the user
// provided ClusterRole/Role to the "system:open-cluster-management:cluster:<cluster-name>:addon:<addon-name>"
// Group.
type HubPermissionConfig struct {
	// Type of the permissions setting. It defines how to bind the roleRef on the hub cluster. It can be:
	// - CurrentCluster: Bind the roleRef to the namespace with the same name as the managedCluster.
	// - SingleNamespace: Bind the roleRef to the namespace specified by SingleNamespaceBindingConfig.
	//
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Enum:=CurrentCluster;SingleNamespace
	Type HubPermissionsBindingType `json:"type"`

	// RoleRef is a reference to the permission resource. It could be a Role or a ClusterRole;
	// the user must make sure it exists on the hub cluster.
	// +kubebuilder:validation:Required
	RoleRef rbacv1.RoleRef `json:"roleRef"`

	// SingleNamespace contains the configuration of SingleNamespace type binding.
	// It is required when the type is SingleNamespace.
	SingleNamespace *SingleNamespaceBindingConfig `json:"singleNamespace,omitempty"`
}

We got some feedback:

  • the RoleRef field in HubPermissionConfig is very confusing, users do not know if this field is needed or not in different HubPermissionsBindingType
  • when the HubPermissionsBindingType is CurrentCluster, if the RoleRef refers to a Role, it is very difficult to use as users need to create the role every time the addon is enabled for a managed cluster.

So we need to reconsider/refactor the KubeClientRegistrationConfig for addonTemplate API, and it is better to finish/implement this in OCM 0.12.0
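To make the binding semantics described above concrete, here is an added example (not code from the OCM project) that resolves one HubPermissionConfig into the RoleBinding it implies for a given managed cluster and addon: the target namespace follows the Type, the subject is the per-cluster, per-addon Group from the doc comment, a SingleNamespace entry without its namespace is rejected, and the CurrentCluster-plus-Role combination from the feedback is flagged because that Role has to exist in every managed cluster namespace. The types are simplified stand-ins for the API and for rbacv1.RoleRef, and the cluster, addon and role names are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the addonTemplate API types and rbacv1.RoleRef.
// Constructed for this example; the real definitions live in
// open-cluster-management.io/api (addon/v1alpha1) and k8s.io/api/rbac/v1.
type HubPermissionsBindingType string

const (
	BindingCurrentCluster  HubPermissionsBindingType = "CurrentCluster"
	BindingSingleNamespace HubPermissionsBindingType = "SingleNamespace"
)

// RoleRef mirrors rbacv1.RoleRef: Kind is "Role" or "ClusterRole".
type RoleRef struct {
	APIGroup string
	Kind     string
	Name     string
}

type SingleNamespaceBindingConfig struct {
	Namespace string
}

type HubPermissionConfig struct {
	Type            HubPermissionsBindingType
	RoleRef         RoleRef
	SingleNamespace *SingleNamespaceBindingConfig
}

// RoleBinding is the projection of the rbacv1.RoleBinding the controller would
// create: where it lands, what it grants, and to whom.
type RoleBinding struct {
	Namespace string
	RoleRef   RoleRef
	Group     string
}

// AgentGroup is the hub-side group the addon agent authenticates as,
// following the pattern given in the HubPermissionConfig doc comment.
func AgentGroup(clusterName, addonName string) string {
	return fmt.Sprintf("system:open-cluster-management:cluster:%s:addon:%s", clusterName, addonName)
}

// BuildHubRoleBinding resolves one HubPermissionConfig into the RoleBinding it
// implies for the given managed cluster and addon, rejecting the inconsistent
// shapes that the API comments only describe in prose.
func BuildHubRoleBinding(clusterName, addonName string, cfg HubPermissionConfig) (*RoleBinding, error) {
	if cfg.RoleRef.Name == "" {
		return nil, errors.New("roleRef.name is required for every binding type")
	}
	if cfg.RoleRef.Kind != "Role" && cfg.RoleRef.Kind != "ClusterRole" {
		return nil, fmt.Errorf("roleRef.kind must be Role or ClusterRole, got %q", cfg.RoleRef.Kind)
	}

	var namespace string
	switch cfg.Type {
	case BindingCurrentCluster:
		// The managed cluster's hub namespace has the same name as the cluster.
		namespace = clusterName
	case BindingSingleNamespace:
		if cfg.SingleNamespace == nil || cfg.SingleNamespace.Namespace == "" {
			return nil, errors.New("singleNamespace.namespace is required when type is SingleNamespace")
		}
		namespace = cfg.SingleNamespace.Namespace
	default:
		return nil, fmt.Errorf("unsupported hub permission type %q", cfg.Type)
	}

	return &RoleBinding{
		Namespace: namespace,
		RoleRef:   cfg.RoleRef,
		Group:     AgentGroup(clusterName, addonName),
	}, nil
}

// Warnings flags the usability problem raised in the issue: a namespaced Role
// bound with CurrentCluster must exist in every managed cluster namespace, so
// enabling the addon for a new cluster yields a binding that grants nothing
// until someone creates that Role there.
func Warnings(cfg HubPermissionConfig) []string {
	var out []string
	if cfg.Type == BindingCurrentCluster && cfg.RoleRef.Kind == "Role" {
		out = append(out, fmt.Sprintf("Role %q must be created in each managed cluster namespace before the binding grants anything", cfg.RoleRef.Name))
	}
	return out
}

func main() {
	// Constructed sample input.
	cfg := HubPermissionConfig{
		Type:    BindingCurrentCluster,
		RoleRef: RoleRef{APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: "helloworld-reader"},
	}
	rb, err := BuildHubRoleBinding("cluster1", "helloworld", cfg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("RoleBinding in %s: %s/%s -> Group %s\n", rb.Namespace, rb.RoleRef.Kind, rb.RoleRef.Name, rb.Group)
	for _, w := range Warnings(cfg) {
		fmt.Println("warning:", w)
	}
}
```

Running it with the sample config prints a binding in namespace cluster1 granting the ClusterRole to the cluster1/helloworld agent group; switching RoleRef.Kind to Role produces the warning, and a SingleNamespace entry without a namespace is rejected before any binding is built.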

@zhujian7
Member Author

/close

@openshift-ci
Contributor

openshift-ci bot commented Sep 25, 2023

@zhujian7: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot closed this as completed Sep 25, 2023
TomerFi pushed a commit to TomerFi/OCM that referenced this issue Sep 27, 2023
Signed-off-by: ldpliu <daliu@redhat.com>
TomerFi pushed a commit to TomerFi/OCM that referenced this issue Sep 27, 2023
…-cluster-management-io#280)

Signed-off-by: Wei Liu <liuweixa@redhat.com>