pkg/scaffold/role,pkg/operator-sdk/new.go: generate role rules from helm chart #1188
Conversation
joelanford
requested review from
AlexNPavel,
lilic,
hasbro17,
theishshah and
estroz
openshift-ci-robot
added
the
size/L
|
EDIT: Both of these issues are now solved in the PR, which now uses the discovery API to lookup all the resources to get their scope and plural name. |
There was a problem hiding this comment.
Did a quick review and left some suggestions.
I am not sure if we can somehow make use of https://github.com/liggitt/audit2rbac to generate the RBAC? Or at least have a look what the project does, as it solves a similar problem, but guess that would be more for go operators.
pkg/scaffold/helm/chart.go
Outdated
| func GenerateRoleRules(chart *chart.Chart) ([]rbacv1.PolicyRule, []error) { | ||
| helmOperatorRules := []rbacv1.PolicyRule{ | ||
| // We need this rule so tiller can read namespaces to ensure they exist | ||
| { |
There was a problem hiding this comment.
Should we document the following "default" rules we have in place so the user understands and doesn't remove them?
There was a problem hiding this comment.
That's a good idea. Unfortunately, the comments get stomped out by scaffold.UpdateRoleForResource because of the marshaling and unmarshaling that happens.
Kubernetes has an open issue addressing this problem: kubernetes/kubernetes#15157
pkg/scaffold/helm/chart.go
Outdated
| } | ||
|
|
||
| // Skip templates that don't look like Kubernetes resources | ||
| if apiVersion == "" && kind == "" { |
There was a problem hiding this comment.
What if we just do:
if apiVersion == "" || kind == "" {
errs = append(errs, fmt.Errorf("could not find resource kind or apiVersion %s[%d]", name, i))
continue
}There was a problem hiding this comment.
This has also been slightly reworked. I left the separate checks for apiVersion and kind so that the logged warning would be more specific.
pkg/scaffold/helm/chart.go
Outdated
| rules = append(rules, rbacv1.PolicyRule{ | ||
| APIGroups: []string{group}, | ||
| Resources: resources, | ||
| Verbs: []string{rbacv1.VerbAll}, |
There was a problem hiding this comment.
So if I understand correctly we are just giving it *, I understand we can't fine tune this, but maybe we can document that the user double checks the generated rules?
There was a problem hiding this comment.
I think * is reasonable for these rules because the Helm operator needs to create, get, update, and delete all of the templated resources.
However, since the code now renders the default manifest and uses that to build rules, it is possible that some resources require custom values to be set so that they are present in the release manifest. I'll add a log at the end, that says something along the lines of:
Double check deploy/role.yaml to verify correct RBAC policy rules. The existing rules were created from the default chart manifest, so some rules may be overly broad or missing.
joelanford
force-pushed
the
helm-generate-role
branch
from
68ef514 to
49f4e44
Compare
openshift-ci-robot
added
size/XL
joelanford
force-pushed
the
helm-generate-role
branch
2 times, most recently
from
f73232e to
1d1800e
Compare
…g/scaffold/constants.go to avoid unnecessary dep imports in non-helm projects
joelanford
force-pushed
the
helm-generate-role
branch
from
1d1800e to
fc556e8
Compare
When fetching chart dependencies, collect the Helm output in a buffer. If an error occurs, output the buffer before returning the error.
…ernal/pkg/scaffold/constants.go to avoid unnecessary dep imports in non-helm projects" This reverts commit fc556e8.
| } | ||
| if err := man.Build(); err != nil { | ||
| fmt.Println(out.String()) | ||
| return err |
There was a problem hiding this comment.
Nit but can we wrap this and other errors like in Line 148. Either here or in the caller.
Otherwise we could end up with error messages that aren't too clear like in #1281
Right now I think this could end up showing something like:
failed to create helm chart: requirements.yaml cannot be opened: ....https://github.com/helm/helm/blob/master/pkg/downloader/manager.go#L83
whereas I'd prefer to see:
failed to create helm chart: failed to fetch/build chart dependencies: requirements.yaml cannot be opened: ....
|
New changes are detected. LGTM label has been removed. |
Description of the change:
When creating a helm-based project, parse the Helm chart templates to generate the role
Motivation for the change:
Instead of scaffolding a static role, which will likely have unnecessary rules and be missing necessary rules, we can generate the role rules dynamically from the chart templates.
This will enable operators to be generated with the correct RBAC rules for nearly all existing Helm charts.
/cc @dmesser @robszumski