Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reducing the snapshot.storage.k8s.io group privileges #2774

Merged
merged 1 commit into from
Sep 2, 2024
Merged

Reducing the snapshot.storage.k8s.io group privileges #2774

merged 1 commit into from
Sep 2, 2024

Conversation

OdedViner
Copy link
Contributor 


Procedure:
1. Deploy OCP4.17 [4.17.0-0.nightly-2024-08-31-032707]

2. Deploy ODF4.17 [odf-operator.v4.17.0-53.stable]

3.Verify storagecluster in Ready State
$ oc get storagecluster
NAME                 AGE   PHASE   EXTERNAL   CREATED AT             VERSION
ocs-storagecluster   20h   Ready              2024-09-01T11:48:56Z   4.17.0

4.Check clusterrole status:
// +kubebuilder:rbac:groups=snapshot.storage.k8s.io,resources=volumesnapshots;volumesnapshotclasses,verbs=*

5. Add "create" and "delete" verbs
delete: https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/volumesnapshotterclasses.go#L174
create: https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/volumesnapshotterclasses.go#L108
$ oc edit clusterrole ocs-operator.v4.17.0-53.-1QHgeXms7btcF6mudj63wa1ngH5P094kD8jAtR
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  - volumesnapshots
  verbs:
  - '*'

- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  - volumesnapshots
  verbs:
  - create
  - delete


6.Delete ocs-operator pod and check ocs-operator pod logs:
$ oc delete pod ocs-operator

$ oc logs ocs-operator
[No errors]

7.Delete ocs-operator pod and check ocs-operator pod logs:
$ oc delete pod ocs-operator

8. Ruuning OCS-CI test:
tests/functional/pv/pvc_snapshot/test_restore_snapshot_using_different_sc.py [pass]

9.Add get [based code]
https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/volumesnapshotterclasses.go#L103

10. Change code:
// +kubebuilder:rbac:groups=snapshot.storage.k8s.io,resources=volumesnapshots;volumesnapshotclasses,verbs=get;create;delete

11.make gen-latest-csv:
export REGISTRY_NAMESPACE=ocs-dev
export IMAGE_TAG=latest
make gen-latest-csv

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Sep 2, 2024
iamniting
iamniting requested changes Sep 2, 2024
View reviewed changes
Copy link
Member

@iamniting iamniting left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do need a watch as well

https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/storagecluster_controller.go#L232

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 2, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 2, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: OdedViner
Once this PR has been reviewed and has the lgtm label, please ask for approval from iamniting. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 2, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit b2c67c1 into red-hat-storage:main Sep 2, 2024
11 checks passed
@iamniting
Copy link
Member

We do need a watch as well

https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/storagecluster_controller.go#L232

@Nikhil-Ladha Can you pls help @OdedViner figure out if we need this permission or not, Unfortunately, the Pr is merged, If required we can get it added into the new PR.

@Nikhil-Ladha
Copy link
Member

We do need a watch as well
https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/storagecluster_controller.go#L232

@Nikhil-Ladha Can you pls help @OdedViner figure out if we need this permission or not, Unfortunately, the Pr is merged, If required we can get it added into the new PR.

I think we need this verb for VolumeSnapshotClass.
IIUC, we don't create a VolumeSnapshotClass by default, so we never came across any error.
But, still interesting to see that no error is reported during the reconcile, if appropriate permission is not there 🤔

@OdedViner
Copy link
Contributor Author

OdedViner commented Sep 2, 2024
edited
Loading

We do need a watch as well
https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/storagecluster_controller.go#L232

@Nikhil-Ladha Can you pls help @OdedViner figure out if we need this permission or not, Unfortunately, the Pr is merged, If required we can get it added into the new PR.

I think we need this verb for VolumeSnapshotClass. IIUC, we don't create a VolumeSnapshotClass by default, so we never came across any error. But, still interesting to see that no error is reported during the reconcile, if appropriate permission is not there 🤔

Because we have 2 roles for volumesnapshotclasses resource:

oc get clusterrole ocs-operator.v4.17
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  - volumesnapshots
  verbs:
  - '*'

https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/reconcile.go#L117

https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagerequest/storagerequest_controller.go#L80

So I tested only volumesnapshots resource and not volumesnapshotclasses resource.
volumesnapshotclasses got the watch permission from here https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagerequest/storagerequest_controller.go#L80
@Nikhil-Ladha @iamniting

@iamniting
Copy link
Member

We do need a watch as well
https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/storagecluster_controller.go#L232

@Nikhil-Ladha Can you pls help @OdedViner figure out if we need this permission or not, Unfortunately, the Pr is merged, If required we can get it added into the new PR.

I think we need this verb for VolumeSnapshotClass. IIUC, we don't create a VolumeSnapshotClass by default, so we never came across any error. But, still interesting to see that no error is reported during the reconcile, if appropriate permission is not there 🤔

Because we have 2 roles for volumesnapshotclasses resource:

oc get clusterrole ocs-operator.v4.17
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  - volumesnapshots
  verbs:
  - '*'

https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/reconcile.go#L117

https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagerequest/storagerequest_controller.go#L80

So I tested only volumesnapshots resource and not volumesnapshotclasses resource. volumesnapshotclasses got the watch permission from here https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagerequest/storagerequest_controller.go#L80 @Nikhil-Ladha @iamniting

I believe we should have permission in both of the places. If for some reason we may alter the code or delete the code. There will be a regression. Can you pls raise the PR which adds watch permission in the storagecluster controller as well?

@OdedViner
Copy link
Contributor Author

OdedViner commented Sep 3, 2024
edited
Loading

https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/storagecluster/storagecluster_controller.go#L232
Done
#2782 @Nikhil-Ladha @iamniting

@OdedViner OdedViner mentioned this pull request Sep 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iamniting iamniting iamniting requested changes

Assignees

@iamniting iamniting

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@OdedViner @iamniting @Nikhil-Ladha