Support custom service account for DevWorkspaces #20535

Closed
metlos opened this issue Sep 24, 2021 · 4 comments
Labels
area/che-server area/devworkspace-operator kind/enhancement A feature request - must adhere to the feature request template. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. severity/P2 Has a minor but important impact to the usage or development of the system.

Comments

@metlos
Contributor

metlos commented Sep 24, 2021

Is your enhancement related to a problem? Please describe

Che server can be configured to use a custom service account for workspaces. It can also be configured with a custom set of cluster roles that it should bind to the workspace service account. This enables the users to give extra permissions to the workspace pods, should they need it.

We should add this capability to DevWorkspaces, too.

Describe the solution you'd like

IMHO it would work better in the devworkspace-operator "world" if we supported using a pre-existing labeled service account from the user's namespace for workspaces within (and auto-create the service account if no such SA exists).

This would give us (or the cluster administrator) the ability to prepare the namespace for correct function before any DevWorkspace is deployed there.

From Che's point of view we could use the existing configuration for the custom service account and custom (cluster)roles to prepare such service account in the user's namespace. This should be read from the CHE_INFRA_KUBERNETES_WORKSPACE__SA__CLUSTER__ROLES from customCheProperties and cheWorkspaceClusterRole properties in CheCluster v1 and should have some dedicated field(s) in CheCluster v2alpha1, too.

Describe alternatives you've considered

No response

Additional context

No response
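An added sketch of the selection logic proposed above (not code from Che or the devworkspace-operator): reuse the single labeled service account in the namespace, create one if none exists, and bind the configured cluster roles to it. The label key, default account name, sample objects and the comma-separated format of the roles property are assumptions made for this example.

```python
# Added example; the label key and default name are hypothetical.
WORKSPACE_SA_LABEL = "example.org/workspace-sa"  # hypothetical label key
DEFAULT_SA_NAME = "workspace"                    # hypothetical default name

# Constructed sample: one unrelated account and one admin-prepared account.
SAMPLE_SAS = [
    {"metadata": {"name": "default"}},
    {"metadata": {"name": "team-sa", "labels": {WORKSPACE_SA_LABEL: "true"}}},
]


def parse_cluster_roles(prop):
    """Split the roles property (assumed comma-separated); drop blanks and repeats."""
    roles = []
    for item in (prop or "").split(","):
        name = item.strip()
        if name and name not in roles:
            roles.append(name)
    return roles


def plan_workspace_sa(namespace, existing_sas, cluster_roles_prop):
    """Return (sa_name, manifests_to_apply) for one user namespace."""
    labeled = [sa for sa in existing_sas
               if (sa["metadata"].get("labels") or {}).get(WORKSPACE_SA_LABEL) == "true"]
    if len(labeled) > 1:
        # Fail closed: silently picking one could give the workspace a more
        # privileged account than the administrator intended.
        raise ValueError("multiple labeled service accounts in " + namespace)
    manifests = []
    if labeled:
        sa_name = labeled[0]["metadata"]["name"]  # reuse the prepared account
    else:
        sa_name = DEFAULT_SA_NAME                 # auto-create, labeled for next time
        manifests.append({
            "apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": sa_name, "namespace": namespace,
                         "labels": {WORKSPACE_SA_LABEL: "true"}}})
    for role in parse_cluster_roles(cluster_roles_prop):
        # Example's choice: a namespaced RoleBinding to a ClusterRole grants its
        # rules only inside this namespace, unlike a ClusterRoleBinding.
        manifests.append({
            "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": sa_name + "-" + role, "namespace": namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                          "namespace": namespace}]})
    return sa_name, manifests
```

Because every extra cluster role widens what a compromised workspace pod can do, the returned manifests are worth reviewing before they are applied to a user's namespace.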

@metlos metlos added the kind/enhancement A feature request - must adhere to the feature request template. label Sep 24, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Sep 24, 2021
@l0rd l0rd added area/che-server area/devworkspace-operator kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system. and removed kind/enhancement A feature request - must adhere to the feature request template. status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Sep 27, 2021
@amisevsk
Contributor

amisevsk commented Dec 3, 2021

After some discussion this issue is being de-prioritized. Originally, custom service account support was added to enable building containers within a workspace using podman/buildah (which requires additional permissions on the cluster). This use case is supported more directly by DWO in devfile/devworkspace-operator#679

@amisevsk amisevsk added severity/P2 Has a minor but important impact to the usage or development of the system. and removed severity/P1 Has a major impact to usage or development of the system. labels Dec 3, 2021
@skabashnyuk
Contributor

@l0rd should we remove this task from step3?

@l0rd
Contributor

l0rd commented Dec 15, 2021

@skabashnyuk yes

@che-bot
Contributor

che-bot commented Aug 3, 2022

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 3, 2022
@che-bot che-bot closed this as completed Aug 10, 2022
5 participants