WIP: Add delete annotation to default crb#1366
WIP: Add delete annotation to default crb#1366DavidHurta wants to merge 2 commits intoopenshift:mainfrom
Conversation
To ensure the default SA does not have cluster admin permissions. To achieve this, rendering logic needs to be updated as well. During cluster bootstrap, the installer calls rendering commands of specific components required for the bootstrap [1]. These rendered manifests are then applied by the cluster-bootstrap component [2]. The cluster-bootstrap component applies all the non-bootstrap manifests as they are [3]. At no stage is the delete annotation [4] taken into account, and thus the CRB would keep getting applied during installations and getting removed only during cluster upgrades due to the annotation. This would prohibit us from ever removing the manifest file from the repository, as a freshly installed cluster upgrading to a version where manifest does not exist would result in the CRB being applied till manually removed, causing a security concern. Teach the rendering command to respect the delete annotation to allow us to remove such manifests. [1]: https://github.com/openshift/installer/blob/c93ae9fc74d7fa0f478fa250de2ba702f84a0a21/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template [2]: https://github.com/openshift/installer/blob/c93ae9fc74d7fa0f478fa250de2ba702f84a0a21/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L576 [3]: https://github.com/openshift/cluster-bootstrap/blob/b23c6ce3df43aed15158e999239694ec75371f18/pkg/start/start.go#L142 [4]: https://github.com/openshift/enhancements/blob/master/enhancements/update/object-removal-manifest-annotation.md
The installer renders the CVO bootstrap manifests into its bootstrap-manifests directory [1], where bootstrap manifests of other related componenets are rendered as well by their respective bootstrap commands. The directory is then consumed by the cluster-bootstrap component [2]. The cluster-bootstrap component copies these manifests to the static Pod path of the node's kubelet [3]. As such, static Pods have some notable details, such as: > The spec of a static Pod cannot refer to other API objects > (e.g., ServiceAccount, ConfigMap, Secret, etc). [4] Mention this in the manifest to save some time for future developers. [1]: https://github.com/openshift/installer/blob/c93ae9fc74d7fa0f478fa250de2ba702f84a0a21/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L192 [2]: https://github.com/openshift/installer/blob/c93ae9fc74d7fa0f478fa250de2ba702f84a0a21/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L576 [3]: https://github.com/openshift/cluster-bootstrap/blob/dc0d4a5cdaf8a7477cab584208dc99352f46efe2/pkg/start/bootstrap.go#L52-L60 [4]: https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
/test all |
|
Important Review skippedAuto reviews are limited based on label configuration. 🚫 Review skipped — only excluded labels are configured. (1)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: DavidHurta The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@DavidHurta: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
1 participant
No description provided.