Cannot create web-terminals as kubeadmin on OpenShift 4.15

[AObuchow]

Prior to OCP 4.15, the OpenShift console expected the devworkspace's controller.devfile.io/creator label to be set to an empty string when logged in to the cluster as kubeadmin due to https://github.com/openshift/origin/issues/24950. In essence, the kubeadmin user does not have a uid, and thus DevWorkspace-Operator sets the controller.devfile.io/creator label to an empty string when logged in as kubeadmin.

However, due to a recent change made to the OpenShift Console for 4.15, the OpenShift console is now expecting the controller.devfile.io/creator label to be set to kubeadmin's username, instead of its (empty string) uid, resulting in users not being able to access their web terminal instances when logged in as kubeadmin: "Error Loading OpenShift command line terminal: User is not a owner of the requested workspace".

Would it be possible to revert https://github.com/openshift/console/commit/e87dc6fc852d23e8fca211cd0d3862b07cefa79e? And how quickly (if at all) would this change land in OCP 4.15?

Here is the related Web Terminal Operator bug.

Thank you :)

[stlaz]

https://github.com/openshift/console/commit/e87dc6fc852d23e8fca211cd0d3862b07cefa79e cannot be reverted. We'll need to see what else we can do.

[stlaz]

@AObuchow which values do you set the controller.devfile.io/creator label to in a world where none of the users of the cluster have any UID, yet they are each different (different usernames)?

[ibuziuk]

@stlaz could you clarify why it can not be reverted and why it was implemented that way. another topic is e2e tests - why https://github.com/openshift/console/pull/12922 has not been merged since mid 2023 that should have caught that problem earlier before the release cc: @musienko-maxim

[stlaz]

https://github.com/openshift/console/pull/13719#pullrequestreview-1976329813 has the clarification. I don't know anything about any e2e tests, I'm not a member of the console team.

[jerolimov]

/assign @musienko-maxim @jerolimov @vikram-raj

[AObuchow]

I've been working on resolving this issue on the DevWorkspace Operator side, and have made a few findings:

• Setting the controller.devfile.io/creator value to a plain-text username can result in an invalid Kubernetes label that does not comply with the RFCs used. This is problematic for the case of kube:admin, where the : is not accepted as a Kubernetes label value.
  • Changes need to be made in how we store (on the DWO side) and retrieve (on the Console side) usernames in the controller.devfile.io/creator, perhaps through some agreed-upon encoding process.
• The OpenShift Console's frontend is still hard-coded to expect the controller.devfile.io/creator label to be an empty string "" when kubeadmin creates a web terminal.
  • Changes will have to be made to the frontend in order to match the appropriate controller.devfile.io/creator value when a username (instead of a UID) is used.
  • For fixing the kubeadmin case alone, it'd be a matter of using the agreed-upon encoding process to use an encoded version of kube:admin as the label selector.

If anyone has any input on my proposal, please share your thoughts.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[AObuchow]

/remove-lifecycle stale

[AObuchow]

This issue will be resolved once https://github.com/openshift/console/pull/14114 is merged.