-
Notifications
You must be signed in to change notification settings - Fork 832
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create a prow.viewer custom org role #1061
Conversation
I want to empower others to see and troubleshoot whatever resources constraints (or lack thereof) the release-blocking jobs are running under Members of the k8s-infra-prow-viewers@kubernetes.io get this role on projects related to prow The role is a composite of: - roles/compute.viewer - roles/container.viewer - roles/logging.viewer - roles/monitoring.view It's defined by a file and will be updated anytime infra/gcp/ensure-e2e-projects.sh is run I've currently manually created it and applied it to the k8s-infra-prow-build project to verify access to expected resources
/cc @BenTheElder @liggitt |
cluster view maybe? |
fi | ||
} | ||
|
||
function custom_org_role_name() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could do with comments
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This all LGTM. I have waffled in my head about using custom roles more. It would clearly simplify a lot of logic, but the fact that you have to expand premade roles like compute.viewer into their constituent parts, means that any further updates to that role will not automatically propagate to this role.
It's probably fine in practice, it's just distasteful to me.
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: spiffxp, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@spiffxp i can confirm that i can see both dashboard! (had to drop the |
I wasn't thrilled by this either. I didn't script creation of this role, which would be the next logical step. Could periodically re-run that script to re-generate the role, so updates would propagate, but on a schedule of our own making. I'll address the lack of comments in a followup, thanks. |
Ran |
I want to empower others to see and troubleshoot whatever resources
constraints (or lack thereof) the release-blocking jobs are running under
Members of the k8s-infra-prow-viewers@kubernetes.io get this role on
projects related to prow
The role is a composite of:
It's defined by a file and will be updated anytime
infra/gcp/ensure-e2e-projects.sh is run
I've currently manually created it and applied it to the
k8s-infra-prow-build project to verify access to expected resources
Members who have this role should be able to see two custom cloud
monitoring dashboards: