remove old controller roles #15364
remove old controller roles #15364
Conversation
|
Also, I'm betting it was me, but having my controllers rely on a particular way the server started is really ugly. |
|
/lgtm |
|
@Kargakis: changing LGTM is restricted to assignees, and only kubernetes org members may be assigned issues. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/assign |
heh |
|
The message is hardcoded, something else is going on here |
|
/assign |
|
/unassign |
pkg/cmd/server/origin/ensure.go
Outdated
| } | ||
| for _, roleBinding := range bootstrappolicy.ControllerRoleBindings() { | ||
| reconcileRoleBinding := &policy.ReconcileClusterRoleBindingsOptions{ | ||
| RolesToReconcile: []string{roleBinding.Name}, |
|
|
||
| role, _ := bootstrappolicy.InfraSAs.RoleFor(saName) | ||
|
|
||
| for _, role := range bootstrappolicy.ControllerRoles() { |
There was a problem hiding this comment.
doesn't this omit the kube bootstrappolicy.ControllerRoles()?
There was a problem hiding this comment.
doesn't this omit the kube bootstrappolicy.ControllerRoles()?
We should need any of this moving forward and those are particularly easy to chase. We should stay strict in 3.7
| RoleBindingAccessor: roleAccessor, | ||
| Subjects: []kapi.ObjectReference{{Namespace: ns, Name: saName, Kind: "ServiceAccount"}}, | ||
| } | ||
| for _, roleBinding := range bootstrappolicy.ControllerRoleBindings() { |
There was a problem hiding this comment.
same here for kube bootstrap controller role bindings
There was a problem hiding this comment.
We should need any of this moving forward and those are particularly easy to chase. We should stay strict in 3.7
|
|
system:openshift:template-service-broker is the problem role the test would be more helpful if it did this: |
|
ok, fix the roleref.name and test, then LGTM |
deads2k
force-pushed
the
auth-22-fix-controller
branch
from
84c4123 to
67e8491
Compare
|
[merge] |
| } | ||
| for _, roleBinding := range bootstrappolicy.ControllerRoleBindings() { | ||
| reconcileRoleBinding := &policy.ReconcileClusterRoleBindingsOptions{ | ||
| RolesToReconcile: []string{roleBinding.RoleRef.Name}, |
| @@ -46,7 +46,6 @@ var rolesToHide = sets.NewString( | |||
| "system:node-proxier", | |||
| "system:node-reader", | |||
| "system:oauth-token-deleter", | |||
| "system:openshift:template-service-broker", | |||
|
Evaluated for origin test up to 67e8491 |
|
continuous-integration/openshift-jenkins/merge Waiting: You are in the build queue at position: 15 |
|
Evaluated for origin merge up to 67e8491 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/3341/) (Base Commit: bfb45e9) (PR Branch Commit: 67e8491) |
|
green tests, prereq for #15353 which is blocking the queue, merging |
|
@openshift/security |
|
@benjaminapetersen in regards to Jordan's comment about test improvement. |
|
Oh NVM David took care of it 😁 |
| InfraPersistentVolumeRecyclerControllerServiceAccountName = "pv-recycler-controller" | ||
| InfraResourceQuotaControllerServiceAccountName = "resourcequota-controller" | ||
|
|
||
| InfraNodeBootstrapServiceAccountName = "node-bootstrapper" |
There was a problem hiding this comment.
Needs to be added back, this is the account that the node is using. Or needs an equivalent set of permissions so that we can merge the openshift-ansible node bootstrapping work. #15869
This pull shifts us over fully to the RBAC roles. It removes the old wiring, but does leave the
ensureblock (for now) to ensure give @mfojtik a chance to convince @liggitt he can pick it back instead of wiring a second path.We no longer need to create the SAs ahead of time, since the client-builder does that for us.
[test]