Closed mrogers950 closed 3 years ago
@mrogers950: This pull request references Bugzilla bug 1999374, which is valid. The bug has been moved to the POST state.
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (pdhamdhe@redhat.com), skipping review request.
@mrogers950: This pull request references Bugzilla bug 1999374, which is invalid:
Comment /bugzilla refresh
to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.
@JAORMX @jhrozek Some updates after more CSV testing:
Placing the rolebinding directly into manifests/ allows OLM to deploy the rolebinding without stepping on the subject namespace. This is good. Unfortunately, it also means that OLM does not update the reference to the correct role (which is created dynamically by OLM).
$ oc get rolebinding/prometheus-k8s-monitoring -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2021-09-07T18:33:22Z"
name: prometheus-k8s-monitoring
namespace: openshift-compliance
resourceVersion: "70279"
uid: a9e2de08-0ce5-4208-a1b5-f00d7c2c086b
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: prometheus-k8s
subjects:
- kind: ServiceAccount
name: prometheus-k8s
namespace: openshift-monitoring
$ oc get role/prometheus-k8s
Error from server (NotFound): roles.rbac.authorization.k8s.io "prometheus-k8s" not found
The OLM deployed role is instead:
$ oc get role
NAME CREATED AT
compliance-operator.v0.1.39 2021-09-07T18:33:21Z
compliance-operator.v0.1.39-api-resource-collector-5bfdbcc6d9 2021-09-07T18:33:23Z
compliance-operator.v0.1.39-compliance-operator-748c4bc79b 2021-09-07T18:33:25Z
compliance-operator.v0.1.39-profileparser-74c8c5d475 2021-09-07T18:33:24Z
compliance-operator.v0.1.39-prometheus-k8s-ff6bfd85c 2021-09-07T18:33:24Z <----
compliance-operator.v0.1.39-remediation-aggregator-565566f444 2021-09-07T18:33:23Z
compliance-operator.v0.1.39-rerunner-6f85c6c95 2021-09-07T18:33:24Z
compliance-operator.v0.1.39-resultscollector-5476bdc8bc 2021-09-07T18:33:25Z
compliance-operator.v0.1.39-resultserver-5f6bdc4687 2021-09-07T18:33:23Z
It's not possible to patch a rolebinding's roleRef, so the fix from this point is to manually create the Role under the expected name (I added a README blurb for this).
@JAORMX @jhrozek Some updates after more CSV testing:
[...]
It's not possible to patch a rolebinding's roleRef, so the fix from this point is to manually create the Role under the expected name (I added a README blurb for this).
I think this is fine at least for now, but I wonder if we're the only ones with this problem. Have you asked the operator-sdk/OLM developers if others have had the same problem as well?
@mrogers950: This pull request references Bugzilla bug 1999374, which is invalid:
Comment /bugzilla refresh
to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.
Updated again. With using a ClusterRole/ClusterRoleBinding permission set, it works without requiring a manual step (this is the same approach cluster-logging uses until OLM can support RoleBindings in the way we need)
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: jhrozek, mrogers950
The full list of commands accepted by this bot can be found here.
The pull request process is described here
/bugzilla refresh
@mrogers950: This pull request references Bugzilla bug 1999374, which is valid.
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (pdhamdhe@redhat.com), skipping review request.
@mrogers950: All pull requests linked via external trackers have merged:
Bugzilla bug 1999374 has been moved to the MODIFIED state.
OLM doesn't support deploying Roles/RoleBindings that reference SAs outside of the operator namespace. To allow for out-of-the-box monitoring when deploying from OLM, this changes the permission objects to a ClusterRole and ClusterRoleBinding.
Also:
test-catalog
make target for local-cluster testing of the index.