Support Global Operators in Console #326
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awgreene The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
awgreene
force-pushed
the
disabled-copied-csv-console-bug
branch
from
5b3a8cf to
6b51648
Compare
Problem: Users rely on Copied CSVs in order to understand which operators are available in a given namespace. When installing All Namespace operators, a Copied CSV is created in every namespace which can place a huge performance strain on clusters with many namespaces. OLM introduced the ability to disable Copied CSVs for All Namespace mode operators in an effort to resolve the performance issues on large clusters, unfortunately removing the ability for users to identify which operators are available in a given namespace. Solution: The protectedCopiedCSVNamespaces runtime flag can be used to prevent Copied CSVs from being deleted even when Copied CSVs are disabled. An admin can then provide users with the proper RBAC to view which operators are running in All Namespace mode. Signed-off-by: Alexander Greene <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: 6c4e779554c892494921c1bc9a00ba547cb6a431
Problem: After disabling Copied CSVs, the openshift console can no longer communicate to users which operators are available globally across the cluster. Solution: Configure OLM to ensure that Copied CSVs for operators scoped to All Namespaces appear in the openshift namespace. Update the OLM manifests to include RBAC for authenticated users to view CSVs in this namespace.
awgreene
force-pushed
the
disabled-copied-csv-console-bug
branch
from
6b51648 to
c2ec825
Compare
|
/test all |
|
/retest |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
openshift-ci
bot
requested review from
dinhxuanvu and
exdx
and removed request for
njhale
There was a problem hiding this comment.
I'm looking at the second commit changes, and I just want to make sure I'm understanding it correctly:
- --protectedCopiedCSVNamespaces
- openshiftIs "openshift" the right value here, or do we need to specify something like "openshift-operators", "openshift-console", etc.?
|
/retest |
| subjects: | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Group | ||
| name: system:authenticated |
There was a problem hiding this comment.
It looks like this might be related to the CI failures:
{ fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:232]: Jul 27 20:24:39.743: system:authenticated has extra permissions in namespace "openshift":
{APIGroups:["operators.coreos.com"], Resources:["clusterserviceversions"], Verbs:["get" "list" "watch"]}
Ginkgo exit error 1: exit with code 1}
There was a problem hiding this comment.
I've opened openshift/origin#27326 to address this.
There was a problem hiding this comment.
Note: The PR that Alex had linked is now merged. Looking at the e2e-gcp check, it looks like those changes worked, and we're back in business.
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
| - command: update | ||
| path: spec.template.spec.containers[0].args[+] | ||
| value: | ||
| --protectedCopiedCSVNamespaces | ||
| - command: update | ||
| path: spec.template.spec.containers[0].args[+] | ||
| value: | ||
| openshift |
There was a problem hiding this comment.
I kept hitting formatting errors when attempting to add 2 lines to the array with a single update command, if anyone knows how to do this in a single update please chime in.
|
/test all |
|
/test unit-olm |
| } | ||
|
|
||
| csvs, err := a.lister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(og.GetNamespace()).List(labels.NewSelector().Add(*nonCopiedCSVRequirement)) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| namespaces, err := a.lister.CoreV1().NamespaceLister().List(labels.Everything()) |
There was a problem hiding this comment.
This List() might be quite expensive. Is there an implementation where we don't rely on knowing all namespaces on the cluster, just the ones that are in the flag?
There was a problem hiding this comment.
Oh wait, it's hitting the cache. This is likely fine then.
|
@awgreene: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
openshift-ci
bot
removed
the
do-not-merge/hold
Problem: Users rely on Copied CSVs in order to understand which
operators are available in a given namespace. When installing All
Namespace operators, a Copied CSV is created in every namespace which
can place a huge performance strain on clusters with many namespaces.
OLM introduced the ability to disable Copied CSVs for All Namespace mode
operators in an effort to resolve the performance issues on large clusters,
unfortunately removing the ability for console to communicate which global
operators are available in a given namespace.
Solution: The protectedCopiedCSVNamespaces runtime flag can be used to
prevent Copied CSVs from being deleted in certain namespaces even when
Copied CSVs are disabled. OLM has been configured to ensure that Copied CSVs
are protected in the openshift namespace. OLM's manifest yaml has also been
updated to provide authenticated users with the RBAC to view CSVs in the
openshift namespace, which console can then use to communicate which operators
are available globally.