✨ Made changes for clusteradm accept to create role and policies on hub #819
"Effect": "Allow", | ||
"Action": [ | ||
"eks:DescribeCluster", | ||
"eks:ListClusters" |
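Review bot: if the CA data is really copied from the bootstrap kubeconfig (as the comment below notes), drop this statement rather than ship an unused `eks:DescribeCluster`/`eks:ListClusters` grant; an IAM role with no permissions policy is still a valid principal for an EKS access entry, so the identity keeps working without it. If a read permission must stay, scope `eks:DescribeCluster` to the hub cluster's ARN in `Resource` (`eks:ListClusters` does not support resource-level permissions and needs `"*"`), and leave `ListClusters` out unless the controller actually enumerates clusters.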
I think these permissions are not needed as we are copying cert authority data from bootstrap kubeconfig.
Shall we not have any permissions policy attached then?
Theoretically seems fine but have not tested this yet.
pkg/common/helpers/helpers.go
If we have a similar method used by kluster-agent, can we reuse it?
We don't have this method anywhere else for the changes in this branch. If there will be more declarations coming up as a part of other PRs, we can reuse it there.
@@ -203,6 +210,21 @@ func (c *managedClusterController) sync(ctx context.Context, syncCtx factory.Syn | |||
} | |||
} | |||
|
|||
// Only create new IAM roles when status is not present | |||
if !meta.IsStatusConditionTrue(managedCluster.Status.Conditions, v1.ManagedClusterConditionHubAccepted) { |
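Review bot: the comment says "when status is not present", but `!meta.IsStatusConditionTrue(managedCluster.Status.Conditions, v1.ManagedClusterConditionHubAccepted)` is also true when the HubAccepted condition exists with status False, i.e. for a cluster whose acceptance was revoked, so IAM resources would be (re)created for a cluster the hub is no longer accepting. Gate the creation on the accept flag itself (`spec.hubAcceptsClient`) if this block is not already under such a check, and make the create path tolerate an already-existing role, because a failed condition patch will bring the sync back here with the role already created.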
Would it make sense to remove this if condition and overwrite the role, policy and access entry on every reconciliation? This would also ensure that the IAM resources are repaired if somebody accidentally or intentionally changes them manually.
Also suggesting to overwrite directly instead of making a get call first and then comparing, to save an API call.
This seems to be a valid comment and we can take this in an upcoming change.
We will have to add some logic to check whether the role, trust policy and permissions policy have been modified or not. It might be a little more complicated compared to checking the Kubernetes Roles and RoleBindings created, because we can simply reapply the YAML on them, whereas over here we might have to check the resources using the SDK.
Is the intention to only create the permission once? It might not work, since the condition patch might fail and this is called again. Can we ensure that createPermission can be called multiple times when accept=true, which is better to tolerate errors?
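The reconcile-every-time behaviour debated above (overwrite the role, trust policy and permissions policy on each sync instead of only while HubAccepted is unset, and stay correct when a failed condition patch brings the sync back), as an added example that is not part of this PR or of the OCM code base. `ensureRole` creates the role, treats EntityAlreadyExists as "repair the trust policy", then upserts the inline policy, so no Get/compare round trip is needed and manual drift is reverted on the next pass. The `iamAPI` interface and `fakeIAM` are assumed stand-ins for the subset of aws-sdk-go-v2 `iam.Client` calls (same method names, simplified signatures) so the code runs offline; the IRSA-style trust policy shape and the role, policy and service-account names are illustrative, not taken from the PR.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
)

// iamAPI is an assumed stand-in for the subset of IAM calls the hub driver
// needs; the real aws-sdk-go-v2 iam.Client has methods of these names with
// different request/response types. It keeps the example runnable offline.
type iamAPI interface {
	CreateRole(ctx context.Context, name, trustPolicy string) error
	UpdateAssumeRolePolicy(ctx context.Context, name, trustPolicy string) error
	PutRolePolicy(ctx context.Context, roleName, policyName, doc string) error
}

var errEntityAlreadyExists = errors.New("EntityAlreadyExists") // mirrors IAM's error code

// roleSpec is the desired IAM state derived from a ManagedCluster on each sync.
type roleSpec struct {
	RoleName       string
	TrustPolicy    string // assume-role (trust) policy document
	PolicyName     string
	PermissionsDoc string // inline permissions policy; "" means attach none
}

// ensureRole converges the role to spec with no Get/compare round trip:
// CreateRole, treat EntityAlreadyExists as "repair the trust policy", then
// PutRolePolicy (an upsert). Calling it on every reconcile is safe.
func ensureRole(ctx context.Context, c iamAPI, s roleSpec) error {
	if err := c.CreateRole(ctx, s.RoleName, s.TrustPolicy); err != nil {
		if !errors.Is(err, errEntityAlreadyExists) {
			return fmt.Errorf("create role %q: %w", s.RoleName, err)
		}
		if err := c.UpdateAssumeRolePolicy(ctx, s.RoleName, s.TrustPolicy); err != nil {
			return fmt.Errorf("update trust policy of %q: %w", s.RoleName, err)
		}
	}
	if s.PermissionsDoc == "" {
		return nil // identity-only role: nothing to attach
	}
	return c.PutRolePolicy(ctx, s.RoleName, s.PolicyName, s.PermissionsDoc)
}

// trustPolicyFor builds an IRSA-style trust policy (assumed shape): only the
// managed cluster's OIDC provider may assume the role, and only for one
// service-account subject with the sts.amazonaws.com audience.
func trustPolicyFor(oidcProviderArn, issuerHost, subject string) string {
	doc := map[string]any{
		"Version": "2012-10-17",
		"Statement": []map[string]any{{
			"Effect":    "Allow",
			"Principal": map[string]string{"Federated": oidcProviderArn},
			"Action":    "sts:AssumeRoleWithWebIdentity",
			"Condition": map[string]any{"StringEquals": map[string]string{
				issuerHost + ":sub": subject,
				issuerHost + ":aud": "sts.amazonaws.com",
			}},
		}},
	}
	b, _ := json.Marshal(doc) // map keys marshal sorted, so the output is stable
	return string(b)
}

// fakeIAM is a constructed in-memory IAM that also counts API calls.
type fakeRole struct {
	Trust    string
	Policies map[string]string
}
type fakeIAM struct {
	Roles map[string]*fakeRole
	Calls int
}

func newFakeIAM() *fakeIAM { return &fakeIAM{Roles: map[string]*fakeRole{}} }

func (f *fakeIAM) CreateRole(_ context.Context, name, trust string) error {
	f.Calls++
	if _, ok := f.Roles[name]; ok {
		return errEntityAlreadyExists
	}
	f.Roles[name] = &fakeRole{Trust: trust, Policies: map[string]string{}}
	return nil
}

func (f *fakeIAM) UpdateAssumeRolePolicy(_ context.Context, name, trust string) error {
	f.Calls++
	if r, ok := f.Roles[name]; ok {
		r.Trust = trust
		return nil
	}
	return errors.New("NoSuchEntity")
}

func (f *fakeIAM) PutRolePolicy(_ context.Context, role, policy, doc string) error {
	f.Calls++
	if r, ok := f.Roles[role]; ok {
		r.Policies[policy] = doc
		return nil
	}
	return errors.New("NoSuchEntity")
}

func main() {
	ctx, c := context.Background(), newFakeIAM()
	spec := roleSpec{RoleName: "ocm-hub-cluster1", TrustPolicy: trustPolicyFor(
		"arn:aws:iam::111122223333:oidc-provider/oidc.example/id/X", "oidc.example/id/X",
		"system:serviceaccount:open-cluster-management-agent:klusterlet")}
	for i := 0; i < 2; i++ { // second pass models "condition patch failed, sync ran again"
		if err := ensureRole(ctx, c, spec); err != nil {
			panic(err)
		}
	}
	c.Roles[spec.RoleName].Trust = `{"Version":"2012-10-17","Statement":[]}` // manual drift
	fmt.Println("repaired:", ensureRole(ctx, c, spec) == nil && c.Roles[spec.RoleName].Trust == spec.TrustPolicy)
}
```

In the real driver the three calls map onto `iam.Client.CreateRole`, `UpdateAssumeRolePolicy` and `PutRolePolicy`, and the `errors.Is` check becomes `errors.As` against the SDK's typed error for the EntityAlreadyExists code. Skipping the permissions policy when the document is empty matches the point raised earlier in the thread that the role may need no permissions policy at all.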
Could you check and maybe address some of the workflow errors if they are valid? Thanks.
Yes, I guess this is still WIP; we created the PR to get early feedback.
@@ -203,6 +210,21 @@ func (c *managedClusterController) sync(ctx context.Context, syncCtx factory.Syn | |||
} | |||
} | |||
|
|||
// Only create new IAM roles when status is not present | |||
if !meta.IsStatusConditionTrue(managedCluster.Status.Conditions, v1.ManagedClusterConditionHubAccepted) { | |||
clusterManager, err := c.operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{}) |
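Review bot: `c.operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})` discards the `ctx` that `sync(ctx context.Context, ...)` receives; pass `ctx` so the call is cancelled together with the reconcile. The hard-coded name "cluster-manager" also ties the registration controller to the operator's CR naming, which is one more reason to prefer passing the value in through command-line options as the comment below suggests.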
Instead of making this API server call and adding another permission to the clusterrole, can we instead pass this info from the clustermanager CR to the registration-controller on the hub through command line options, similar to this?
I am wondering whether we need to import the aws sdk here, or whether we just ask the user to install the aws cli as a prerequisite?
Yes, we need to use the aws sdk here to create IAM roles and policies when the hub admin approves registration, as part of the registration controller on the hub. Preferring the sdk over the cli, as with the cli we would have to run shell commands from within go and handling errors would be complicated.
Signed-off-by: Gaurav Jaswal <[email protected]>
// Only create new IAM roles when status is not present | ||
if !meta.IsStatusConditionTrue(managedCluster.Status.Conditions, v1.ManagedClusterConditionHubAccepted) { | ||
if err != nil { | ||
log.Printf("Failed to get cluster manager %v", err) |
We do not use log in controllers. You have to use klog.FromContext to get the logger and set the correct log level. Actually, since it returns an error, you might not need to output a log at all.
@@ -87,3 +87,9 @@ type Approver interface { | |||
// deletes rolebindings for the agent, and then this is the additional operation a driver should process. | |||
Cleanup(ctx context.Context, cluster *clusterv1.ManagedCluster) error | |||
} | |||
|
|||
type RegisterDriverForHub interface { |
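Review bot: `type RegisterDriverForHub interface {` is exported without a doc comment, unlike `Cleanup` just above it; document the contract, in particular that `CreatePermissions` is invoked from the reconcile loop and so must be safe to call repeatedly for the same ManagedCluster (the sync re-enters after a failed status patch).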
Maybe only HubDriver, and also add some comment for this interface. And why is it not in the Approver interface?
|
||
err = c.registerDriverForHub.CreatePermissions(ctx, managedCluster) | ||
if err != nil { | ||
log.Printf("Failed to create permissions %v", err) |
ditto, do not use log here.
csrApprover, err := csr.NewCSRApprover(kubeClient, kubeInformers, m.ClusterAutoApprovalUsers, controllerContext.EventRecorder) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
approver := register.NewAggregatedApprover(csrApprover) | ||
|
||
awsIRSADriverForHub := awsirsa.NewAWSIRSADriverForHub(m.HubClusterArn) | ||
csrDriverForHub := csr.NewCSRDriverForHub() | ||
registerDriverForHub := register.NewAggregatedDriverForHub(csrDriverForHub, awsIRSADriverForHub) |
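Review bot: `awsirsa.NewAWSIRSADriverForHub(m.HubClusterArn)` is constructed unconditionally and aggregated next to `csrDriverForHub`, so every hub carries an IRSA driver even when `m.HubClusterArn` is unset; validate the ARN up front and skip or refuse the driver when it is empty, so misconfiguration surfaces at startup rather than inside `CreatePermissions` when the first cluster is accepted. This fits naturally with the driver-enable flag the comment below asks for.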
shouldn't we start this based on the flags of which drivers should be enabled?
// This function creates: | ||
// 1. IAM Roles and Policies in the hub cluster IAM | ||
// 2. Returns the hubclustername and the roleArn to be used for Access Entry creation | ||
func CreateIAMRoleAndPolicy(ctx context.Context, hubClusterArn string, managedCluster *v1.ManagedCluster, iamClient *iam.Client) (string, string, error) { |
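Review bot: `CreateIAMRoleAndPolicy` returns `(string, string, error)` and the doc comment is the only place that says which string is the hub cluster name and which the role ARN; use named results (`hubClusterName, roleArn string, err error`) or a small result struct so callers cannot transpose them. The comment's "IAM Roles and Policies in the hub cluster IAM" is also imprecise: IAM is account-scoped, so say the account that owns `hubClusterArn`.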
Why is it public? Do you need to call it outside of this package?
return nil | ||
} | ||
//Creating config for aws | ||
cfg, err := config.LoadDefaultConfig(context.TODO()) |
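Review bot: `config.LoadDefaultConfig(context.TODO())` walks the whole credential chain (env, shared config, web identity, IMDS) each time this runs; load it once when the driver is constructed, and use the caller's context instead of `context.TODO()` so an unreachable IMDS or STS endpoint is bounded by the reconcile's deadline rather than hanging the worker.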
Do we need to load the config every time this func is called, or can you init the config when the driver is newed?
} | ||
} | ||
] | ||
} |
eof
Summary
This PR has the enhancement for clusteradm accept to create roles and policies on the hub
Related issue(s)
Ref: #514