-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds a webhook to prevent regular users from creating a KubernetesImagePuller resource #493
Adds a webhook to prevent regular users from creating a KubernetesImagePuller resource #493
Conversation
Hi @dkwon17. Thanks for your PR. I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally we would like to have Che specific webhooks decoupled from the sandbox operators. That includes both CheCluster validator and the KubernetesImagePuller webhooks. And we can deploy them along with the Che operator through our CD tools.
Is there any specific reason for keeping them here?
I could be wrong but this seemed to be the easiest way to have the webhook, since there was already a similar webhook (checluster webhook) in this repository
I need to investigate if this works, but do you mean have the CD tool create a
And implement a new I'm still learning how webhooks work and are implemented, but AFAIK this will decouple Che/KubernetesImagePuller specific webhooks from this repo, and can still keep the same functionality |
Webhook is basically a service running in a namespace plus a webhook configuration ( So you would need to:
|
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #493 +/- ##
==========================================
+ Coverage 82.39% 82.46% +0.06%
==========================================
Files 29 29
Lines 3193 3188 -5
==========================================
- Hits 2631 2629 -2
+ Misses 426 424 -2
+ Partials 136 135 -1
|
/ok-to-test |
webhook Signed-off-by: David Kwon <[email protected]>
And could you please do not rebase, squash commits or push with force in PRs? Just keep adding new commits. It would make PR review easier since we could review new commits only instead of reviewing everything from scratch every time. |
/retest |
For the failing e2e test: Test result
Any idea where the checluster webhook is coming from? I have the updated tests here: https://github.com/dkwon17/toolchain-e2e/tree/kip_webhook |
@dkwon17 it's a known problem with our migration e2e tests for webhook.
So we can make sure that the operator upgrade from the current version to the newest one doesn't break anything. There is another PR to address this problem: codeready-toolchain/toolchain-e2e#836 so we don't have to disable the tests anymore. cc: @rajivnathan |
I see, thank you for clarification, I've made the e2e tests PR here, with the validation tests temporarily disabled: codeready-toolchain/toolchain-e2e#840 |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexeykazakov, dkwon17 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
/retest |
1 similar comment
/retest |
082aed8
into
codeready-toolchain:master
This PR is for: https://redhat-internal.slack.com/archives/CHK0J6HT6/p1696522004380079
This PR is based on the same webhook, but for CheCluster: #377
In this screenshot, a regular user
sandboxdev-1
is unable to create a KubernetesImagePuller resource:This PR was tested by following these steps and running
make dev-deploy-latest
andmake dev-deploy-e2e-member-local
.Paired with codeready-toolchain/toolchain-e2e#840