Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Made changes for clusteradm accept to create role and policies on hub #819

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

✨ Made changes for clusteradm accept to create role and policies on hub #819

wants to merge 12 commits into from

Conversation

alex0chan
Copy link

@alex0chan alex0chan commented Jan 31, 2025
edited by mikeshng
Loading

Summary

This PR has the enhancement for clusteradm accept to create roles and policies on the hub

Related issue(s)

Ref: #514

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 31, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alex0chan
Once this PR has been reviewed and has the lgtm label, please assign qiujian16 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

jaswalkiranavtar
jaswalkiranavtar reviewed Feb 4, 2025
View reviewed changes
manifests/managed-cluster-policy/AccessPolicy.tmpl
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these permissions are not needed as we are copying cert authority data from bootstrap kubeconfig.

jaswalkiranavtar
jaswalkiranavtar reviewed Feb 4, 2025
View reviewed changes
pkg/common/helpers/helpers.go Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we have a similar method used by kluster-agent, can we reuse it?

jaswalkiranavtar
jaswalkiranavtar reviewed Feb 4, 2025
View reviewed changes
pkg/registration/hub/managedcluster/controller.go
@@ -203,6 +210,21 @@ func (c *managedClusterController) sync(ctx context.Context, syncCtx factory.Syn
}
}

// Only create new IAM roles when status is not present
if !meta.IsStatusConditionTrue(managedCluster.Status.Conditions, v1.ManagedClusterConditionHubAccepted) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to remove this if condition and overwrite role, policy and access entry on every reconciliation? This would also ensure that the IAM resources are repaired if somebody accidentally or intentionally changes them manually.

Also suggesting to overwrite directly instead of making a get call first and them comparing, to save an api call.

mikeshng
mikeshng reviewed Feb 4, 2025
View reviewed changes
Copy link
Member

@mikeshng mikeshng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you check and maybe address some of the workflow errors if they are valid? Thanks.

@jaswalkiranavtar
Copy link
Contributor

Could you check and maybe address some of the workflow errors if they are valid? Thanks.

Yes I guess this is still WIP, we created PR to get early feedback.

jaswalkiranavtar
jaswalkiranavtar reviewed Feb 4, 2025
View reviewed changes
pkg/registration/hub/managedcluster/controller.go Outdated
@@ -203,6 +210,21 @@ func (c *managedClusterController) sync(ctx context.Context, syncCtx factory.Syn
}
}

// Only create new IAM roles when status is not present
if !meta.IsStatusConditionTrue(managedCluster.Status.Conditions, v1.ManagedClusterConditionHubAccepted) {
clusterManager, err := c.operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})
Copy link
Contributor

@jaswalkiranavtar jaswalkiranavtar Feb 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of making this API server call and adding another permission to clusterrole, can we instead pass this info from clustermanager CR to registration-controller on hub through these command line options similar to this?

@suvaanshkumar
adding get policy logic
76289f7 
Signed-off-by: suvaanshkumar <[email protected]>
@suvaanshkumar suvaanshkumar force-pushed the GWCP-65858-clusteradm-accept_bkp branch from 63faa0b to 76289f7 Compare February 5, 2025 03:38
@qiujian16
Copy link
Member

I am wondering whether we need to import aws sdk here, or we just ask user to install aws cli as the prereq?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaswalkiranavtar jaswalkiranavtar jaswalkiranavtar left review comments

@mikeshng mikeshng mikeshng left review comments

@suvaanshkumar suvaanshkumar Awaiting requested review from suvaanshkumar

@xuezhaojun xuezhaojun Awaiting requested review from xuezhaojun

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@alex0chan @jaswalkiranavtar @qiujian16 @mikeshng @jeffw17 @suvaanshkumar @ramekris3163