fix: Use the latest image of vm-console-proxy #645
Conversation
kubevirt-bot
added
release-note
akrejcir
force-pushed
the
fix-proxy-image
branch
from
0b6885f
to
803a13f
Compare
|
/cc @codingben @0xFelix |
|
This needs more work. |
kubevirt-bot
added
the
do-not-merge/work-in-progress
akrejcir
force-pushed
the
fix-proxy-image
branch
from
803a13f
to
5aa8fc0
Compare
kubevirt-bot
added
size/XL
and removed
lgtm
akrejcir
force-pushed
the
fix-proxy-image
branch
2 times, most recently
from
77c61ec
to
64a42b5
Compare
config/rbac/role.yaml
Outdated
There was a problem hiding this comment.
Have you checked that these are the minimal required RBAC changes?
There was a problem hiding this comment.
Yes, they are minimal in the sense of groups:
- read permissions:
get,list,watch - write permissions:
create,update,patch,delete.
In my opinion it does not make sense to grant list permission and not get permission. Because list can be used to get a single element anyway. Similarly for update and patch.
There was a problem hiding this comment.
@jcanocan what was the logic you applied with your previous RBAC audits?
I tend to agree with @0xFelix here that we shouldn't be granting everything even if a list basically provides get etc but lets stay consistant with @jcanocan 's previous work here and maybe write down the resulting best practice somewhere.
There was a problem hiding this comment.
Ah @jcanocan is out this week, I'm okay leaving this as is for now if we write up a follow issue for next week to maybe reduce this down and document the best practice.
There was a problem hiding this comment.
If we want to be more precise, It's harder to know what permissions libraries require, without running and failing, or reading the library code.
There was a problem hiding this comment.
Yeah appreciate that, definitely a follow up task now given @jcanocan isn't around anyway.
There was a problem hiding this comment.
Hi all! The methodology used for auditing the rules is described here: #616. Basically, I've removed all verbs from all apiGroups, and I've added requested verbs. @akrejcir is right that it's hard to know in advance which permissions are required in advance. We are limited to trial and error in this sense.
| // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;rolebindings,verbs=list;watch;create;update;delete | ||
| // +kubebuilder:rbac:groups=apiregistration.k8s.io,resources=apiservices,verbs=get;list;watch;create;update;delete | ||
|
|
||
| // Deprecated: | ||
| // +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=list;watch;delete | ||
|
|
||
| // RBAC for created roles | ||
| // +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachineinstances,verbs=get;list;watch | ||
| // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch | ||
| // +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;delete;patch | ||
| // +kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create | ||
| // +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachineinstances;virtualmachines,verbs=get;list;watch | ||
| // +kubebuilder:rbac:groups=subresources.kubevirt.io,resources=virtualmachineinstances/vnc,verbs=get | ||
| // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;delete;patch |
| route := &routev1.Route{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: routeName, | ||
| Namespace: namespace, |
There was a problem hiding this comment.
Same as above.
Do these test cases add any value compared to the same ones above?
There was a problem hiding this comment.
Yes, this case tests the Cleanup() method, and the above one tests Reconcile() method.
| @@ -17,6 +17,7 @@ jobs: | |||
| OUTPUT_FILE=./data/vm-console-proxy-bundle/vm-console-proxy.yaml | |||
| mkdir -p ./data/vm-console-proxy-bundle | |||
| curl -L https://github.com/kubevirt/vm-console-proxy/releases/download/${RELEASE_VERSION}/vm-console-proxy.yaml > ${OUTPUT_FILE} | |||
| sed -i "s/defaultVmConsoleProxyImageTag = .*$/defaultVmConsoleProxyImageTag = \"${RELEASE_VERSION}\"/" ./internal/operands/vm-console-proxy/defaults.go | |||
There was a problem hiding this comment.
IMHO, I don't think we should do that bump here.
- This workflow is used to update vm-console-proxy bundle only
- We try to change code during that workflow, what if
defaults.gowill be removed in the future?
Why not just use latest tag? if anyways this intended to be updated on every release to latest one, just use latest then: quay.io/kubevirt/vm-console-proxy:latest.
There was a problem hiding this comment.
- This workflow is used to update vm-console-proxy bundle only
This workflow is used to update SSP operator code, so that it uses the latest release of vm-cosole-proxy. It can update the image tag and bundle.
- We try to change code during that workflow, what if
defaults.gowill be removed in the future?
I will add a comment to defaults.go explaining how the file is used.
Why not just use
latesttag? if anyways this intended to be updated on every release to latest one, just uselatestthen:quay.io/kubevirt/vm-console-proxy:latest.
There is no latest tag. We would need to add automation to create and update it.
https://quay.io/repository/kubevirt/vm-console-proxy?tab=tags&tag=latest
Using the latest tag would probably not save us work, because we would need to fix the version when creating a release branch.
akrejcir
force-pushed
the
fix-proxy-image
branch
2 times, most recently
from
4dacb93
to
f533bb5
Compare
|
/lgtm |
|
/retest-required |
|
/retest |
akrejcir
force-pushed
the
fix-proxy-image
branch
from
ccdef89
to
e884e8c
Compare
|
/retest |
|
@ksimon1 , are the CI failures related to the CDI issue? |
akrejcir
force-pushed
the
fix-proxy-image
branch
from
e884e8c
to
e417a81
Compare
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
We cannot merge this yet. Holding until a fixed version of /hold |
kubevirt-bot
added
the
do-not-merge/hold
akrejcir
force-pushed
the
fix-proxy-image
branch
from
e417a81
to
67f795e
Compare
|
I've fixed the bug in /unhold |
kubevirt-bot
removed
the
do-not-merge/hold
- Updated data/vm-console-proxy-bundle/vm-console-proxy.yaml - Updated release script to change vm-console-proxy image tag. - csv-generator uses VM_CONSOLE_PROXY_IMAGE env variable to set the image. - Operator deploys new resources needed by vm-console-proxy. - Operator removes Route resource, that is no longer needed. Signed-off-by: Andrej Krejcir <[email protected]>
akrejcir
force-pushed
the
fix-proxy-image
branch
from
67f795e
to
c261521
Compare
|
Kudos, SonarCloud Quality Gate passed!
|
|
/lgtm |
|
/lgtm |
|
/cherry-pick release-v0.18 |
|
@akrejcir: #645 failed to apply on top of branch "release-v0.18": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What this PR does / why we need it:
vm-console-proxyimage tag.VM_CONSOLE_PROXY_IMAGEenvironment variable to set the image.Release note: