search

eclipse-che / che

Kubernetes based Cloud Development Environments for Enterprise Teams
http://eclipse.org/che
Eclipse Public License 2.0
6.96k stars 1.19k forks source link

Avoid automatic creation of users namespaces through a configuration option #21582

Closed l0rd closed 2 years ago

l0rd commented 2 years ago

Is your enhancement related to a problem? Please describe

In some cases administrators want to pre-create their namespaces and don't want to have Eclispe Che to automatically create them.

Describe the solution you'd like

Add a new property in CheCluster CR:

spec:
   components
   containerRegistry
   devEnvironments:
     defaultNamespace:
+      autoProvision: true   # <= true by default
       template
   networking

If spec.devEnvironments.defaultNamespace.disabled: true then Eclispe Che should not create namespaces if it doesn't exist. Eclispe Che should fail to start the workspace if the namespace doesn't exist:

⚠️ You are allowed to start a workspace as there is no Kubernetes Namespace assigned to user <username> and the automatic creation of Namespaces is disabled in Che ( CheCluster spec.devEnvironments.defaultNamespace.autoProvision is set to false).

Read the documentation to create Namespaces in advance or contact your administrator to fix that.

Current workaround

To disable the automatic creation of users namespaces:

spec:
  components:
    cheServer:
      extraProperties:
        CHE_INFRA_KUBERNETES_NAMESPACE_CREATION__ALLOWED: 'false'

Release Notes Text

A new field in CheCluster has been added to avoid that users namespaces get created automatically. If devEnvironments.defaultNamespace.autoProvision is set to false and a user doesn't have a Che namespace, workspace creation will fail. autoProvision is set to true by default.

ibuziuk commented 2 years ago

In order to prevent namespace creation currently one can specify the following CR property:

spec:
  components:
    cheServer:
      extraProperties:
        CHE_INFRA_KUBERNETES_NAMESPACE_CREATION__ALLOWED: 'false'

When a user starts the workspace the following error will be shown if the admin has not provisioned the namespace for the user in advance:

image

Also, in CheCluster v1 we had a dedicated property allowUserDefinedWorkspaceNamespaces: false but it looks like it cease to exist in v2

In general, as part of this issue, we can probably improve the error message to make it more intuitive e.g. Failed to create a workspace. Namespace for 'username' has not been provisioned. Please, contact the cluster administrator

From the semantics perspective, we can also have a dedicated property autoProvision (true by default) in DevEnvironments (I personally find disabled proposal unintuitive)

 devEnvironments:
    defaultNamespace:
      autoProvision: false
      template: <username>-devspaces
l0rd commented 2 years ago

+1 to autoProvision: false. I have updated the description.

devstudio-release commented 1 year ago

sync'd to Red Hat JIRA https://issues.redhat.com/browse/CRW-3317