Closed OdedViner closed 2 months ago
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: OdedViner. Once this PR has been reviewed and has the lgtm label, please ask for approval from iamniting. For more information see the Kubernetes Code Review Process.
We do need a watch as well https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/storagecluster_controller.go#L232
@Nikhil-Ladha Can you pls help @OdedViner figure out if we need this permission or not? Unfortunately, the PR is merged. If required, we can get it added into the new PR.
I think we need this verb for VolumeSnapshotClass. IIUC, we don't create a VolumeSnapshotClass by default, so we never came across any error. But, still interesting to see that no error is reported during the reconcile, if appropriate permission is not there 🤔
Because we have 2 roles for `volumesnapshotclasses` resource:

```
oc get clusterrole ocs-operator.v4.17
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  - volumesnapshots
  verbs:
  - '*'
```

So I tested only `volumesnapshots` resource and not `volumesnapshotclasses` resource. `volumesnapshotclasses` got the `watch` permission from here https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagerequest/storagerequest_controller.go#L80
@Nikhil-Ladha @iamniting
I believe we should have permission in both of the places. If for some reason we alter or delete the code, there will be a regression. Can you pls raise the PR which adds watch permission in the storagecluster controller as well?
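Added example (not part of the PR or of the ocs-operator code base): a small Go check that lists which of the two ClusterRole rules quoted in the thread grant a given verb, and what remains once one rule is gone. The `Rule` type and the helper names are hypothetical, and matching covers only exact names and the `*` wildcard.

```go
package main

import "fmt"

const group = "snapshot.storage.k8s.io"

// Rule mirrors the apiGroups/resources/verbs of a ClusterRole rule (hypothetical type, not rbac/v1).
type Rule struct{ APIGroups, Resources, Verbs []string }

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// Grants returns the index of every rule that allows verb on group/resource.
func Grants(rules []Rule, group, resource, verb string) []int {
	var idx []int
	for i, r := range rules {
		if has(r.APIGroups, group) && has(r.Resources, resource) && has(r.Verbs, verb) {
			idx = append(idx, i)
		}
	}
	return idx
}

// Without returns a copy of rules with rule i removed (models deleting its source).
func Without(rules []Rule, i int) []Rule {
	out := append([]Rule{}, rules[:i]...)
	return append(out, rules[i+1:]...)
}

// PageRules returns the two rules quoted in the thread.
func PageRules() []Rule {
	return []Rule{
		{[]string{group}, []string{"volumesnapshotclasses"}, []string{"create", "delete", "get", "list", "watch"}},
		{[]string{group}, []string{"volumesnapshotclasses", "volumesnapshots"}, []string{"*"}},
	}
}

func main() {
	rules := PageRules()
	fmt.Println("watch volumesnapshotclasses granted by rules:", Grants(rules, group, "volumesnapshotclasses", "watch"))
	fmt.Println("watch volumesnapshots after dropping rule 1:", Grants(Without(rules, 1), group, "volumesnapshots", "watch"))
}
```

A verb granted by more than one rule keeps working when one rule is removed, so a test against the cluster will not show which rule a controller actually depends on.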