Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PMR: Create or Delete RoleBindings in create_or_update_profiles() #36

Merged
merged 23 commits into from
Jan 27, 2025
Merged

PMR: Create or Delete RoleBindings in create_or_update_profiles() #36

merged 23 commits into from
Jan 27, 2025

Conversation

kimwnasptd
Copy link
Contributor

@kimwnasptd kimwnasptd commented Jan 17, 2025
edited
Loading

Resolves #11

This PR extends the create_or_update_profiles(pmr) function to:

  1. create RoleBindings, for Contributors in the PMR if their RB doesn't exist
  2. delete RoleBindings that don't match the Contributors in the PMR

Changes

  • Updated has_kfam_annotations() to also ensure that the values of role annotation are correct (either admin, edit or view)
  • Added a get_annotations() helper, to reduce a bit the pain of checking constantly for None in metadata
  • Added a private attribute in the Profile class, in order to have a dict for contributors with username as a key. This would help to significantly reduce the checks needed when checking if a user with a role is a Contributor defined in the Profile
  • Refactored integration tests to use a common apply_profile_and_resources() function, to avoid repetition
  • Function for handling the creation / deletion of RoleBindings in a Profile

Review Notes

  1. Suggested review order: create_or_update.py and then the helper functions
  2. A user in the cluster could be defined with multiple roles (i.e. a RoleBinding giving them view access and another one for admin).
    4. In general, edit is a superset of view and admin a superset of edit
    5. still the code should be able to keep this in mind when cleaning up RoleBindings
  3. Can't update roleRef in RoleBindings since the field is immutable, thus the need for deleting and not updating RoleBindings

Lastly, I pondered a lot on the functions and whether we should have RoleBinding specific functions or generalise them. In the end, I went with separate ones as AuthorizationPolicies will need slightly different handling (PTAL in #31)

@kimwnasptd kimwnasptd requested a review from a team as a code owner January 17, 2025 11:42
@kimwnasptd kimwnasptd changed the base branch from main to kf-6595-create-update-profiles January 17, 2025 11:42
@kimwnasptd kimwnasptd changed the title WIP: PMR: Create or Delete RoleBindings in create_or_update_profiles() PMR: Create or Delete RoleBindings in create_or_update_profiles() Jan 17, 2025
@kimwnasptd kimwnasptd force-pushed the kf-6596-remove-contributor-rolebindings branch 2 times, most recently from 3e714d4 to 5801682 Compare January 17, 2025 18:00
Base automatically changed from kf-6595-create-update-profiles to main January 20, 2025 08:52
@kimwnasptd kimwnasptd force-pushed the kf-6596-remove-contributor-rolebindings branch 3 times, most recently from 557595a to e8d2713 Compare January 20, 2025 13:26
DnPlas
DnPlas reviewed Jan 20, 2025
View reviewed changes
Copy link
Contributor

@DnPlas DnPlas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kimwnasptd ! A couple comments.

src/profiles_management/helpers/k8s.py Outdated Show resolved Hide resolved
src/profiles_management/helpers/k8s.py Outdated Show resolved Hide resolved
src/profiles_management/create_or_update.py Outdated Show resolved Hide resolved
src/profiles_management/create_or_update.py Outdated Show resolved Hide resolved
src/profiles_management/create_or_update.py Outdated Show resolved Hide resolved
src/profiles_management/helpers/kfam.py Outdated Show resolved Hide resolved
src/profiles_management/helpers/kfam.py Outdated Show resolved Hide resolved
src/profiles_management/helpers/kfam.py Outdated Show resolved Hide resolved
src/profiles_management/helpers/kfam.py Outdated Show resolved Hide resolved
src/profiles_management/helpers/kfam.py Show resolved Hide resolved
@kimwnasptd
Copy link
Contributor Author

Thanks for the review @DnPlas! I went over all the comments.

A small summary of open discussions:

  1. Exception handling on delete_many, let me know what you had in mind in your comment
  2. Exception handling on client.apply, let me know what you had in mind in your comment
  3. I would not rename has_valid_kfam_annotations to get_valid_kfam_annotations, but let me know in the comment if you feel strongly about this
  4. Didn't raise an exception, when parsing empty profile contributors

DnPlas
DnPlas previously approved these changes Jan 24, 2025
View reviewed changes
Copy link
Contributor

@DnPlas DnPlas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @kimwnasptd !

@kimwnasptd kimwnasptd force-pushed the kf-6596-remove-contributor-rolebindings branch from dff9d58 to 65cabe0 Compare January 27, 2025 07:21
@kimwnasptd kimwnasptd force-pushed the kf-6596-remove-contributor-rolebindings branch 2 times, most recently from e8d2713 to 65cabe0 Compare January 27, 2025 07:28
mvlassis
mvlassis approved these changes Jan 27, 2025
View reviewed changes
Copy link
Collaborator

@mvlassis mvlassis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work!

@kimwnasptd kimwnasptd force-pushed the kf-6596-remove-contributor-rolebindings branch from 65cabe0 to 1cf2476 Compare January 27, 2025 09:12
kimwnasptd and others added 20 commits January 27, 2025 09:16
@kimwnasptd
Integration tests
076d6ca
@kimwnasptd
review(nit): Update log message
fb80f7e
@kimwnasptd
review: Remove redundant KFPResource class
0385ffe
@kimwnasptd @DnPlas
Update src/profiles_management/helpers/kfam.py
b080752 
Co-authored-by: Daniela Plascencia <[email protected]>
@kimwnasptd
review: Use regex in rfc1123 helper
08616e7
@kimwnasptd
review: Refactor delete_rolebindings_not_matching_profile_contributors
6842668
@kimwnasptd
review: Refactor resource_matches_profile_contributor
3bd4e27
@kimwnasptd
review: Different handling for empty contributors
7a076f4
@kimwnasptd
review: Rename to has_valid_kfam_annotations
bc814e8
@kimwnasptd @mvlassis
Update src/profiles_management/helpers/kfam.py
8439ef1 
Co-authored-by: Manos Vlassis <[email protected]>
@kimwnasptd @mvlassis
Update src/profiles_management/helpers/kfam.py
7f7c54d 
Co-authored-by: Manos Vlassis <[email protected]>
@kimwnasptd
review: Extend docstring
6d1516a
@kimwnasptd
review: Custom Exception for invalid KFAM Annotations
490cd15
@kimwnasptd
review: Document raised ApiError exceptions
5ab93d5
@kimwnasptd
review: Handling of empty name RFC 1123
9853be5
@kimwnasptd
review: Parametrize rfc1123 unit tests
c744060
@kimwnasptd
review: Parametrise annotation unit tests
babe4d5
@kimwnasptd
review: Parametrise kfam unit tests
03df480
@kimwnasptd
review: Refactor profiles contributor check
c5142ee
@kimwnasptd
review: Omit the extra annotations check
e9c058a
@kimwnasptd kimwnasptd force-pushed the kf-6596-remove-contributor-rolebindings branch from 1cf2476 to e9c058a Compare January 27, 2025 09:16
@kimwnasptd kimwnasptd merged commit e779929 into main Jan 27, 2025
6 checks passed
@kimwnasptd kimwnasptd deleted the kf-6596-remove-contributor-rolebindings branch January 27, 2025 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mvlassis mvlassis mvlassis approved these changes

@DnPlas DnPlas DnPlas left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create or delete RoleBindings in a Profile based on the PMR
3 participants
@kimwnasptd @DnPlas @mvlassis