Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Image change trigger must be able to create all build types #14792

Merged
merged 1 commit into from
Jun 27, 2017

Conversation

smarterclayton
Copy link
Contributor

Build admission prevents users who don't have access to the synthetic
kinds from mutating builds, which includes the image trigger controller
now that it is not using the privileged loopback client.

Fixes #14725

[test] @bparees

@deads2k we don't want admins to remove this binding, so putting it in the existing bindings for this didn't seem appropriate. If you want this somewhere else let me know.

@smarterclayton
Copy link
Contributor Author

[severity:bug] (not required for stage exit, but required for release)

@bparees
Copy link
Contributor

bparees commented Jun 21, 2017

lgtm

@smarterclayton smarterclayton force-pushed the trigger_policy branch 3 times, most recently from ff179d2 to 708a770 Compare June 21, 2017 04:30
@smarterclayton
Copy link
Contributor Author

Two flakes deployment scale to zero and an ovs rpm failure, [test]

@mfojtik
Copy link
Contributor

mfojtik commented Jun 21, 2017

👍 sorry for not having catching this

@smarterclayton
Copy link
Contributor Author

smarterclayton commented Jun 21, 2017 via email

@@ -7,6 +7,8 @@ import (

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
rbac "k8s.io/kubernetes/pkg/apis/rbac"

authorizationapi "github.com/openshift/origin/pkg/authorization/api"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer to avoid this import since the bootstrap policy doesn't logically require an API type dependency.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already import this dependency into this package for the other use

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already import this dependency into this package for the other use

Yes, the mistake will be more obvious moving forward. I won't block on it, but it is a problem.

@@ -165,6 +167,15 @@ func init() {
rbac.NewRule("get", "update").Groups(batchGroup).Resources("cronjobs").RuleOrDie(),
rbac.NewRule("get", "update").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(),
rbac.NewRule("create").Groups(buildGroup, legacyBuildGroup).Resources("buildconfigs/instantiate").RuleOrDie(),
// trigger controller must be able to modify these build types
// TODO: move to a new custom binding that can be removed separately from end user access?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we're ok to add these powers here. The image trigger controller logically requires these to do its job.

@smarterclayton smarterclayton force-pushed the trigger_policy branch 2 times, most recently from ed42d30 to 8160d27 Compare June 22, 2017 23:20
@smarterclayton
Copy link
Contributor Author

[merge][severity:bug]

@openshift-bot
Copy link
Contributor

openshift-bot commented Jun 26, 2017

continuous-integration/openshift-jenkins/merge Waiting: You are in the build queue at position: 14

@openshift-bot
Copy link
Contributor

Evaluated for origin merge up to 8160d27

@deads2k
Copy link
Contributor

deads2k commented Jun 26, 2017

re[test]

Build admission prevents users who don't have access to the synthetic
kinds from mutating builds, which includes the image trigger controller
now that it is not using the privileged loopback client.
@smarterclayton
Copy link
Contributor Author

smarterclayton commented Jun 27, 2017 via email

@openshift-bot
Copy link
Contributor

Evaluated for origin test up to 74ba8ad

@openshift-bot
Copy link
Contributor

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2666/) (Base Commit: 955efb1) (PR Branch Commit: 74ba8ad)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants