CNTRLPLANE-78: Move Group informer configuration to RestrictSubjectBindings plugin initialization #2157

Open
wants to merge 1 commit into
base: master

everettraven commented Dec 9, 2024

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR moves the configuration of the Group informer to the authorization.openshift.io/RestrictSubjectBindings admission plugin initialization process. This is necessary to prevent the startup of an informer for the Group API when the plugin is disabled, which will happen when the OpenShift OAuth stack is intentionally removed from the cluster based on the Authentication configuration.

See openshift/enhancements#1726 for additional information.
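
An added illustration of the wiring change described in the PR description above (not code from this pull request or from OpenShift): with a shared informer factory, requesting an informer registers it and starting the factory launches everything registered, so where the request is made decides whether the Group informer runs. `factory`, `wireEagerly`, `wireInInitializer` and the resource names are hypothetical, simplified stand-ins.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed resource names, used only for this illustration.
const (
	groupResource     = "groups.user.openshift.io"
	namespaceResource = "namespaces"
)

// factory is a simplified stand-in for a shared informer factory (not client-go):
// requesting an informer registers it, and Start launches everything registered.
type factory struct{ registered map[string]bool }

func newFactory() *factory                     { return &factory{registered: map[string]bool{}} }
func (f *factory) InformerFor(resource string) { f.registered[resource] = true }

// Start returns the resources whose informers get launched, sorted.
func (f *factory) Start() []string {
	started := make([]string, 0, len(f.registered))
	for r := range f.registered {
		started = append(started, r)
	}
	sort.Strings(started)
	return started
}

// wireEagerly requests the Group informer while the server is assembled.
// pluginEnabled is never consulted, so the informer starts regardless.
func wireEagerly(pluginEnabled bool) []string {
	f := newFactory()
	f.InformerFor(namespaceResource)
	f.InformerFor(groupResource)
	return f.Start()
}

// wireInInitializer requests it from the plugin's initialization step, which
// runs only for an enabled plugin, so a disabled plugin leaves no informer.
func wireInInitializer(pluginEnabled bool) []string {
	f := newFactory()
	f.InformerFor(namespaceResource)
	if pluginEnabled {
		f.InformerFor(groupResource)
	}
	return f.Start()
}

func main() {
	for _, enabled := range []bool{true, false} {
		fmt.Println(enabled, wireEagerly(enabled), wireInInitializer(enabled))
	}
}
```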

openshift-ci-robot added the backports/unvalidated-commits label (Indicates that not all commits come to merged upstream PRs.) on Dec 9, 2024
openshift-ci bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) on Dec 9, 2024
@openshift-ci-robot

@everettraven: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

openshift-ci bot commented Dec 9, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci bot commented Dec 12, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: everettraven
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

everettraven force-pushed the feature/external-oidc-restrictusers branch from 80e26cb to e933af2 on January 24, 2025 19:15
everettraven force-pushed the feature/external-oidc-restrictusers branch from e933af2 to edf1675 on January 24, 2025 19:18
everettraven force-pushed the feature/external-oidc-restrictusers branch from 5e5552d to e25f667 on January 28, 2025 15:07
everettraven force-pushed the feature/external-oidc-restrictusers branch from e25f667 to b7800b2 on January 28, 2025 15:08
everettraven changed the title from "WIP: poc: OIDC patch for restrictusers" to "CNTRLPLANE-78: Add configuration for the RestrictSubjectBindings admission plugin" on Jan 28, 2025
openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) on Jan 28, 2025

openshift-ci-robot commented Jan 28, 2025

@everettraven: This pull request references CNTRLPLANE-78 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?


Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot commented Jan 28, 2025

@everettraven: This pull request references CNTRLPLANE-78 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR introduces a new configuration option to the authorization.openshift.io/RestrictSubjectBindings admission plugin to allow users and/or other OpenShift components to specify whether or not the OpenShift OAuth stack is desired on the cluster. When not desired, the admission plugin will be disabled as it relies on the OpenShift OAuth stack being present. When desired, the admission plugin will continue to initialize and operate as expected.

We need this change because taking down the OAuth stack without properly configuring this admission plugin can result in blocking permission management of namespaces using RoleBindings.

As the enablement of an external OIDC provider will result in bringing down the OAuth stack, this is important to support the introduction of this feature.

See openshift/enhancements#1726 for additional information.

…jectBindings

admission plugin initialization to prevent Group informers being configured when
the plugin is disabled. This is necessary for when the OpenShift OAuth stack
is not present and the plugin is disabled as part of that.

Signed-off-by: Bryce Palmer <[email protected]>
everettraven force-pushed the feature/external-oidc-restrictusers branch from 2eb96f0 to 03e0545 on January 29, 2025 18:09

openshift-ci-robot commented Jan 29, 2025

@everettraven: This pull request references CNTRLPLANE-78 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR moves the configuration of the Group informer to the authorization.openshift.io/RestrictSubjectBindings admission plugin initialization process. This is necessary to prevent the startup of an informer for the Group API when the plugin is disabled, which will happen when the OpenShift OAuth stack is intentionally removed from the cluster based on the Authentication configuration.

See openshift/enhancements#1726 for additional information.

everettraven changed the title from "CNTRLPLANE-78: Add configuration for the RestrictSubjectBindings admission plugin" to "CNTRLPLANE-78: Move Group informer configuration to RestrictSubjectBindings plugin initialization" on Jan 29, 2025
everettraven marked this pull request as ready for review on January 29, 2025 19:56
openshift-ci bot removed the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) on Jan 29, 2025
openshift-ci bot requested review from p0lyn0mial and tkashem on January 29, 2025 19:56
@everettraven

/retest

@everettraven

/retest-required

openshift-ci bot commented Jan 31, 2025

@everettraven: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-ovn-runc | 03e0545 | link | true | /test e2e-aws-ovn-runc |
| ci/prow/okd-scos-e2e-aws-ovn | 03e0545 | link | false | /test okd-scos-e2e-aws-ovn |
| ci/prow/e2e-aws-ovn-cgroupsv2 | 03e0545 | link | true | /test e2e-aws-ovn-cgroupsv2 |
| ci/prow/e2e-aws-ovn-serial | 03e0545 | link | true | /test e2e-aws-ovn-serial |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
