Grant namespace list to global operators #764

ecordell · 2019-03-19T00:26:38Z

Operators that support both single and all namespace installation should
request the smallest scope of permissions they need. A single-namespace
operator shouldn't require any cluster-level permissions. When placing
it into an operatorgroup selecting all namespaces, it will need list
and watch on namespaces

to get namespace list permissions

namespaces are now granted namespace view roles (get/list/watch) operators that support both single and all namespace installation should request the smallest scope of permissions they need. A single-namespace operator shouldn't require any cluster-level permissions. When placing it into an operatorgroup selecting all namespaces, it will need list and watch on namespaces.

alecmerdler · 2019-03-19T01:20:42Z

test/e2e/operator_groups_e2e_test.go

@@ -1279,6 +1284,21 @@ func TestCSVCopyWatchingAllNamespaces(t *testing.T) {
 	require.EqualValues(t, "rbac.authorization.k8s.io", fetchedRoleBinding.RoleRef.APIGroup)
 	require.EqualValues(t, "ClusterRole", fetchedRoleBinding.RoleRef.Kind)

+	t.Log("ensure operator was granted namespace list permission")
+	res, err := c.KubernetesInterface().AuthorizationV1().SubjectAccessReviews().Create(&v1.SubjectAccessReview{


alecmerdler

/lgtm

openshift-ci-robot · 2019-03-19T01:20:56Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alecmerdler, ecordell

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [alecmerdler,ecordell]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ecordell · 2019-03-19T13:02:10Z

/retest

ecordell · 2019-03-19T16:10:13Z

/retest

…

On Tue, Mar 19, 2019 at 12:09 PM OpenShift CI Robot < ***@***.***> wrote: @ecordell <https://github.com/ecordell>: The following test *failed*, say /retest to rerun them all: Test name Commit Details Rerun command ci/prow/e2e-aws-olm aca9bfb <aca9bfb> link <https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/operator-framework_operator-lifecycle-manager/764/pull-ci-operator-framework-operator-lifecycle-manager-master-e2e-aws-olm/1332> /test e2e-aws-olm Full PR test history <https://openshift-gce-devel.appspot.com/pr/operator-framework_operator-lifecycle-manager/764>. Your PR dashboard <https://openshift-gce-devel.appspot.com/pr/ecordell>. Please help us cut down on flakes by linking to <https://github.com/kubernetes/community/blob/master/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests> an open issue <https://github.com/operator-framework/operator-lifecycle-manager/issues?q=is:issue+is:open> when you hit one in your PR. Instructions for interacting with me using PR comments are available here <https://git.k8s.io/community/contributors/guide/pull-requests.md>. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra <https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:> repository. I understand the commands that are listed here <https://go.k8s.io/bot-commands>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#764 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADix2lLx3W16fxK8B4hInhbXPbu-gOhks5vYQu3gaJpZM4b7CHU> .

ecordell · 2019-03-19T16:17:32Z

/retest

…

On Tue, Mar 19, 2019 at 12:16 PM OpenShift CI Robot < ***@***.***> wrote: @ecordell <https://github.com/ecordell>: The following tests *failed*, say /retest to rerun them all: Test name Commit Details Rerun command ci/prow/e2e-aws-olm aca9bfb <aca9bfb> link <https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/operator-framework_operator-lifecycle-manager/764/pull-ci-operator-framework-operator-lifecycle-manager-master-e2e-aws-olm/1332> /test e2e-aws-olm ci/prow/e2e-aws aca9bfb <aca9bfb> link <https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/operator-framework_operator-lifecycle-manager/764/pull-ci-operator-framework-operator-lifecycle-manager-master-e2e-aws/1548> /test e2e-aws Full PR test history <https://openshift-gce-devel.appspot.com/pr/operator-framework_operator-lifecycle-manager/764>. Your PR dashboard <https://openshift-gce-devel.appspot.com/pr/ecordell>. Please help us cut down on flakes by linking to <https://github.com/kubernetes/community/blob/master/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests> an open issue <https://github.com/operator-framework/operator-lifecycle-manager/issues?q=is:issue+is:open> when you hit one in your PR. Instructions for interacting with me using PR comments are available here <https://git.k8s.io/community/contributors/guide/pull-requests.md>. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra <https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:> repository. I understand the commands that are listed here <https://go.k8s.io/bot-commands>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#764 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADixwDa8gVZpPN6MBceHTTZ_XX8cAIMks5vYQ1rgaJpZM4b7CHU> .

ecordell · 2019-03-19T17:55:01Z

/retest

ecordell · 2019-03-19T20:25:11Z

/retest

ecordell added 3 commits March 18, 2019 20:18

test(e2e): add failing e2e test for operators in global operatorgroups

44a7ea9

to get namespace list permissions

fix(build): add some minor support for building locally with kind

aca9bfb

openshift-ci-robot requested review from alecmerdler and jpeeler March 19, 2019 00:26

openshift-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 19, 2019

alecmerdler reviewed Mar 19, 2019

View reviewed changes

openshift-ci-robot assigned alecmerdler Mar 19, 2019

alecmerdler approved these changes Mar 19, 2019

View reviewed changes

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 19, 2019

ecordell added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 19, 2019

openshift-merge-robot merged commit 22691a7 into operator-framework:master Mar 19, 2019

ecordell deleted the ns-list-for-all branch March 20, 2019 17:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Grant namespace list to global operators #764

Grant namespace list to global operators #764

ecordell commented Mar 19, 2019

alecmerdler Mar 19, 2019

alecmerdler left a comment

openshift-ci-robot commented Mar 19, 2019

ecordell commented Mar 19, 2019

ecordell commented Mar 19, 2019 via email

ecordell commented Mar 19, 2019 via email

ecordell commented Mar 19, 2019

ecordell commented Mar 19, 2019

Grant namespace list to global operators #764

Grant namespace list to global operators #764

Conversation

ecordell commented Mar 19, 2019

alecmerdler Mar 19, 2019

Choose a reason for hiding this comment

alecmerdler left a comment

Choose a reason for hiding this comment

openshift-ci-robot commented Mar 19, 2019

ecordell commented Mar 19, 2019

ecordell commented Mar 19, 2019 via email

ecordell commented Mar 19, 2019 via email

ecordell commented Mar 19, 2019

ecordell commented Mar 19, 2019