feat: implement cmpd's PolicyRules #8328

Merged
merged 40 commits into from
Jan 20, 2025

cjc7373 (Contributor) commented Oct 24, 2024

Fixes #8310. Things done in this PR:

  • implements cmpd's PolicyRules
  • changes the semantics of serviceAccountName in the cluster and component CRs. KB now does not create rbac resources if the user has specified a service account.
  • the serviceaccount is now at the component level, with a name of kb-<clusterName>-<compName>.

Addon changes (such as updating the pg addon's cmpd policyRule, since we removed kubeblocks-patroni-pod-role) will be addressed in apecloud/kubeblocks-addons#1197.

@github-actions github-actions bot added the size/XL Denotes a PR that changes 500-999 lines. label Oct 24, 2024
@cjc7373 cjc7373 changed the title feature: implement cmpd's PolicyRules feat: implement cmpd's PolicyRules Oct 24, 2024
@apecloud-bot apecloud-bot requested a review from realzyy October 24, 2024 15:05
codecov bot commented Oct 25, 2024

Codecov Report

Attention: Patch coverage is 67.48768% with 66 lines in your changes missing coverage. Please review.

Project coverage is 60.65%. Comparing base (982672d) to head (d1262f4).
Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
...llers/apps/component/transformer_component_rbac.go 75.40% 19 Missing and 11 partials ⚠️
...s/apps/component/transformer_component_deletion.go 57.40% 15 Missing and 8 partials ⚠️
pkg/controller/factory/builder.go 21.42% 11 Missing ⚠️
...llers/apps/cluster/transformer_cluster_deletion.go 50.00% 0 Missing and 1 partial ⚠️
pkg/controller/component/synthesize_component.go 50.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8328      +/-   ##
==========================================
+ Coverage   60.34%   60.65%   +0.30%     
==========================================
  Files         381      382       +1     
  Lines       46215    46502     +287     
==========================================
+ Hits        27889    28204     +315     
+ Misses      15654    15619      -35     
- Partials     2672     2679       +7     
Flag Coverage Δ
unittests 60.65% <67.48%> (+0.30%) ⬆️


@cjc7373 cjc7373 marked this pull request as ready for review October 28, 2024 07:30
@cjc7373 cjc7373 requested review from leon-inf, Y-Rookie and a team as code owners October 28, 2024 07:30
@apecloud-bot apecloud-bot added the approved PR Approved Test label Oct 31, 2024
return nil
}
return builder.NewRoleBuilder(synthesizedComp.Namespace, saName).
AddLabelsInMap(constant.GetCompLabels(synthesizedComp.ClusterName, synthesizedComp.Name)).
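
Review bot: on the `AddLabelsInMap(constant.GetCompLabels(synthesizedComp.ClusterName, synthesizedComp.Name))` call, the Role is named after `saName` but labelled with a single component's cluster and component name. If `saName` can ever be shared by more than one component, these labels stop identifying the Role's real users, and label-based listing or cleanup of RBAC objects will miss or mis-attribute it. Please add a comment stating which object the labels identify, and either relabel when the owner changes or label by whatever `saName` is derived from.
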
Contributor

And these labels become meaningless because they do not belong to any specific object.

Contributor Author

Actually they do belong to one component. When this component is being deleted:

  1. if no other component uses the cmpd it uses, these rbac resources will be deleted.
  2. if there is, these rbac resources' ownership will be transferred to another component.
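
The deletion behaviour described in this thread, combined with the PR description's rule that no RBAC objects are generated for a user-specified service account, sketched as an added example that is not code from this PR or from KubeBlocks. The `Component` and `Plan` types, their field names, the exclusion of user-managed components from taking ownership, and the choice of the alphabetically first survivor as new owner are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Component is a hypothetical, simplified view of a component (not a KubeBlocks type).
type Component struct {
	Name     string
	CompDef  string // cmpd the component uses
	UserSA   string // non-empty: user-specified serviceAccountName, nothing generated
	Deleting bool   // already being deleted, so it cannot take ownership
}

// Plan is what should happen to the generated ServiceAccount, Role and RoleBinding.
type Plan struct {
	Action   string // "none", "delete" or "transfer"
	NewOwner string // set only when Action is "transfer"
}

// PlanRBACCleanup decides the fate of generated RBAC objects when leaving is deleted.
func PlanRBACCleanup(leaving Component, all []Component) Plan {
	if leaving.UserSA != "" {
		return Plan{Action: "none"} // user-managed service account: nothing of ours to clean up
	}
	var heirs []string
	for _, c := range all {
		if c.Name == leaving.Name || c.Deleting || c.UserSA != "" {
			continue
		}
		if c.CompDef == leaving.CompDef {
			heirs = append(heirs, c.Name)
		}
	}
	if len(heirs) == 0 {
		return Plan{Action: "delete"} // last user gone: do not leave an orphaned Role behind
	}
	sort.Strings(heirs) // deterministic choice so repeated reconciles agree (assumption)
	return Plan{Action: "transfer", NewOwner: heirs[0]}
}

func main() {
	all := []Component{ // constructed sample data
		{Name: "pg-a", CompDef: "postgresql"}, {Name: "pg-b", CompDef: "postgresql", Deleting: true},
		{Name: "pg-c", CompDef: "postgresql"}, {Name: "cache", CompDef: "redis"},
	}
	fmt.Println(PlanRBACCleanup(all[0], all), PlanRBACCleanup(all[3], all))
}
```

Skipping components that are themselves being deleted matters here: handing the Role to an owner that is about to disappear would only repeat the transfer on the next reconcile.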

@cjc7373 cjc7373 force-pushed the feature/rbac-for-component branch from 31d6fc0 to 3851918 Compare January 20, 2025 07:06
@apecloud-bot apecloud-bot added the approved PR Approved Test label Jan 20, 2025
@apecloud-bot apecloud-bot removed the approved PR Approved Test label Jan 20, 2025
@apecloud-bot apecloud-bot added the approved PR Approved Test label Jan 20, 2025
@cjc7373 cjc7373 merged commit cf9d59b into main Jan 20, 2025
35 checks passed
@cjc7373 cjc7373 deleted the feature/rbac-for-component branch January 20, 2025 09:44
@github-actions github-actions bot added this to the Release 0.9.3 milestone Jan 20, 2025
@cjc7373
Contributor Author

cjc7373 commented Jan 20, 2025

/cherry-pick release-1.0-beta

@apecloud-bot
Collaborator

🤖 says: cherry pick action finished successfully 🎉!
See: https://github.com/apecloud/kubeblocks/actions/runs/12866639328

apecloud-bot pushed a commit that referenced this pull request Jan 20, 2025
Labels
approved PR Approved Test area/user-interaction size/XXL Denotes a PR that changes 1000+ lines.
Development

Successfully merging this pull request may close these issues.

[Features] Implement ComponentDefinition's PolicyRules
6 participants