
Conversation

@Omeramsc Omeramsc commented Dec 4, 2025

Add a new policy that watches the konflux-support Group and automatically creates/updates a ClusterRoleBinding with individual User subjects.

This enables the namespace-lister service to grant access based on users in the group.

@openshift-ci openshift-ci bot requested review from filariow and sadlerap December 4, 2025 16:38

@filariow filariow left a comment


Thanks for implementing this. This PR is updating the dev/stg and prod environments at the same time. We should split it in two: one for dev/stg and a follow-up one for prod.

@sadlerap sadlerap left a comment


Policy looks good, but I think we may want some chainsaw tests to ensure future changes to this policy don't break our use cases.

@Omeramsc Omeramsc force-pushed the remove_kyverno branch 6 times, most recently from a2142d1 to 4c6f051 Compare December 10, 2025 11:30
subjects: "{{ userSubjects }}"
roleRef:
  kind: ClusterRole
  name: view
Member

I'm not sure if we should use this one or the everyone-can-view. @hugares may I ask your feedback here?

Contributor

I thought the plan was to give kflux permissions to the support people: either konflux-contributor-user-actions or konflux-viewer-user-actions. All people in the konflux development teams already have the view and view-everything ClusterRoles; those 2 are not what is needed for the namespace lister to return the NS in the list.

Member Author

Changed to konflux-viewer-user-actions. I believe this should be good enough, shouldn't it?
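The Group-to-ClusterRoleBinding mapping from the PR description, with the roleRef settled on in the review comments above, as an added Python model. This is example code, not the project's Kyverno policy: the binding name "konflux-support-viewer", the allowed ClusterRole set and the sample Group and binding objects are assumptions constructed for the illustration. It renders the binding the generate rule is expected to produce and audits a live binding for drift from its source Group.

```python
"""Model of the Group -> ClusterRoleBinding mapping this PR's policy performs.

Added example, not the project's Kyverno policy. The binding name
"konflux-support-viewer", the allowed ClusterRole set and the sample objects
below are assumptions constructed for illustration.
"""
from __future__ import annotations

from typing import Any

RBAC_API_GROUP = "rbac.authorization.k8s.io"

# Assumption: the two roles the review thread names as acceptable for support
# staff; plain "view" is absent because the reviewers rejected it above.
ALLOWED_CLUSTER_ROLES = {"konflux-viewer-user-actions", "konflux-contributor-user-actions"}

# Constructed sample: an OpenShift Group as the policy would see it.
SUPPORT_GROUP: dict[str, Any] = {
    "apiVersion": "user.openshift.io/v1",
    "kind": "Group",
    "metadata": {"name": "konflux-support"},
    "users": ["alice", "bob", "alice"],  # duplicate on purpose
}

# Constructed sample: a binding that has drifted from the Group above.
STALE_BINDING: dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "konflux-support-viewer"},
    "subjects": [
        {"kind": "User", "apiGroup": RBAC_API_GROUP, "name": "alice"},
        {"kind": "User", "apiGroup": RBAC_API_GROUP, "name": "bob"},
        {"kind": "User", "apiGroup": RBAC_API_GROUP, "name": "carol"},
        {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
    ],
    "roleRef": {"apiGroup": RBAC_API_GROUP, "kind": "ClusterRole", "name": "view"},
}


def user_subjects(group: dict[str, Any]) -> list[dict[str, str]]:
    """The policy's userSubjects: one rbac User subject per Group.users entry.

    Group.users may be null on an empty Group, so the result is always a list
    (an empty list is a valid, and safe, subjects value); duplicates are
    dropped while keeping first-seen order.
    """
    seen: set[str] = set()
    subjects: list[dict[str, str]] = []
    for name in group.get("users") or []:
        if name and name not in seen:
            seen.add(name)
            subjects.append({"kind": "User", "apiGroup": RBAC_API_GROUP, "name": name})
    return subjects


def render_binding(
    group: dict[str, Any],
    binding_name: str = "konflux-support-viewer",
    cluster_role: str = "konflux-viewer-user-actions",
) -> dict[str, Any]:
    """The ClusterRoleBinding the generate rule is expected to produce."""
    if cluster_role not in ALLOWED_CLUSTER_ROLES:
        raise ValueError(f"refusing to bind disallowed ClusterRole {cluster_role!r}")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": binding_name},
        "subjects": user_subjects(group),
        "roleRef": {"apiGroup": RBAC_API_GROUP, "kind": "ClusterRole", "name": cluster_role},
    }


def audit_binding(group: dict[str, Any], binding: dict[str, Any]) -> list[str]:
    """Findings for a live binding that no longer matches its source Group.

    A subject bound but absent from the Group means a removed support user
    still holds the role; that is the drift a synchronized generate rule is
    meant to prevent. Non-User subjects should never appear in this binding.
    """
    findings: list[str] = []
    role_ref = binding.get("roleRef") or {}
    if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") not in ALLOWED_CLUSTER_ROLES:
        findings.append(f"roleRef {role_ref.get('kind')}/{role_ref.get('name')} is not an allowed ClusterRole")
    bound: set[str] = set()
    for subject in binding.get("subjects") or []:
        if subject.get("kind") != "User":
            findings.append(f"non-User subject {subject.get('kind')}/{subject.get('name')}")
            continue
        bound.add(subject["name"])
    expected = {s["name"] for s in user_subjects(group)}
    findings.extend(f"stale subject {n}: bound but no longer in the Group" for n in sorted(bound - expected))
    findings.extend(f"missing subject {n}: in the Group but not bound" for n in sorted(expected - bound))
    return findings


if __name__ == "__main__":
    print(render_binding(SUPPORT_GROUP)["subjects"])
    for finding in audit_binding(SUPPORT_GROUP, STALE_BINDING):
        print("-", finding)
```

Because it needs no cluster, the same functions can be driven from a unit test to pin the expected subjects and roleRef for a given Group, which covers the mapping even where cluster-scoped resource generation is not available to the test harness.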

@Omeramsc
Member Author

I'm not sure about the chainsaw tests; they fail, as it seems Kyverno on CI cannot generate cluster-scoped resources. The other policies on infra check namespaced resources. Is there a solution we can develop for it? Should we create manual tests? @filariow

@Omeramsc Omeramsc force-pushed the remove_kyverno branch 2 times, most recently from 87bcc0e to f0e7168 Compare December 10, 2025 15:18
@Omeramsc Omeramsc force-pushed the remove_kyverno branch 2 times, most recently from 1ad9704 to 92bed8f Compare December 10, 2025 16:05
Add a new policy that watches the konflux-support Group
and automatically creates/updates a ClusterRoleBinding with
individual User subjects.

This enables the namespace-lister service to grant access based
on users in the group.

This change reflects on dev and stg envs only

Signed-off-by: Omer Turner <[email protected]>
@Omeramsc Omeramsc requested a review from filariow December 15, 2025 10:57
openshift-ci bot commented Dec 15, 2025

@Omeramsc: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                    Commit   Details  Required  Rerun command
ci/prow/appstudio-e2e-tests  0922dbd  link     true      /test appstudio-e2e-tests


@filariow filariow left a comment


/lgtm
/approve

openshift-ci bot commented Dec 15, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: filariow, Omeramsc


@filariow
Member

Overall the PR looks good to me. However, e2e tests are failing with

 policies-in-cluster-local                           OutOfSync   Healthy
Waiting 10 seconds for application sync 

Do we have the Group CRD as part of e2e tests?

4 participants