Ability to specify ServiceAccount for odo dev #5977

Closed
vinny-sabatini opened this issue Jul 26, 2022 · 8 comments · Fixed by #6512
Labels
kind/feature Categorizes issue as a feature request. For PRs, that means that the PR is the implementation kind/user-story An issue of user-story kind priority/High Important issue; should be worked on before any other issues (except priority/Critical issue(s)). sprint demo Indicates an issue for which a demo should be recorded and presented at the end of the sprint.

Comments

@vinny-sabatini
Contributor

/kind feature

Which functionality do you think we should add?

When running the odo dev command, I would like to be able to specify the Kubernetes ServiceAccount the pod should run as.

Why is this needed?

Currently, if you use odo dev the pod will start as the default service account. Some workloads running on Kubernetes need to run as a specific service account in order to have the proper permissions to work properly. One common use case is a Kubernetes Operator.

@openshift-ci openshift-ci bot added the kind/feature Categorizes issue as a feature request. For PRs, that means that the PR is the implementation label Jul 26, 2022
@dharmit
Member

dharmit commented Aug 1, 2022

Notes from the discussion on this in the odo contributors' call:

  1. This should ideally be addressed at the Devfile API level, such that a container component has a serviceAccount attribute.
  2. In the absence of 1, odo can use the annotations field in the container component, so that a service account specified in this field is used by odo to set the proper information inside the Pod created for such a component.

@kadel kadel added the priority/High Important issue; should be worked on before any other issues (except priority/Critical issue(s)). label Sep 20, 2022
@rm3l rm3l added this to odo v3.0.0 Sep 21, 2022
@rm3l
Member

rm3l commented Sep 21, 2022

As part of this Sprint, the team will be investigating how to implement pod-overrides and container-overrides annotations in the Devfile library (as a more generic way that would allow us to support user-defined ServiceAccounts), as discussed in devfile/api#920 (comment).
Then on the odo side, it would "just" be a matter of updating the Devfile library version.

Related issue: devfile/api#936

To better estimate the work that needs to be done, we are investigating if there exists some library that could help with merging JSON data.

/assign @feloy

@feloy
Contributor

feloy commented Sep 21, 2022

The gojq library (github.com/itchyny/gojq) can be used:

package main

import (
	"errors"
	"fmt"

	"github.com/itchyny/gojq"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/utils/pointer"
)

func main() {
	pod := corev1.Pod{
		Spec: corev1.PodSpec{
			SecurityContext: &corev1.PodSecurityContext{
				RunAsUser: pointer.Int64(1001),
			},
		},
	}

	unstructuredPod, err := ConvertResourceToUnstructured(&pod)
	if err != nil {
		panic(err)
	}

	query, err := gojq.Parse(".spec.securityContext = {\"runAsUser\": 1000, \"runAsGroup\": 3000, \"fsGroup\": 2000}")
	if err != nil {
		panic(err)
	}
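	iter := query.Run(unstructuredPod)
	v, ok := iter.Next()
	if !ok {
		panic(errors.New("query produced no result"))
	}
	// gojq reports runtime errors as values returned by the iterator.
	if err, isErr := v.(error); isErr {
		panic(err)
	}

	patched, ok := v.(map[string]interface{})
	if !ok {
		panic(fmt.Errorf("unexpected query result type %T", v))
	}
	// Convert the patched map back into the typed Pod and check the result.
	if err := ConvertUnstructuredToResource(unstructured.Unstructured{Object: patched}, &pod); err != nil {
		panic(err)
	}

	fmt.Printf("%v\n", pod)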
}

func ConvertUnstructuredToResource(u unstructured.Unstructured, obj interface{}) error {
	return runtime.DefaultUnstructuredConverter.FromUnstructured(u.UnstructuredContent(), obj)
}

func ConvertResourceToUnstructured(obj interface{}) (map[string]interface{}, error) {
	return runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
}
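
Added example, not part of the comment above and not odo or devfile/library code: a standard-library sketch of merging a pod-overrides JSON value into a generated Pod with RFC 7386 merge-patch semantics, so that setting `serviceAccountName` or one `securityContext` field leaves sibling fields such as `runAsNonRoot` in place. The override value format, the function names and the `operator-sa` ServiceAccount are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// mergePatch applies an RFC 7386 JSON merge patch: objects merge key by key,
// a null value deletes the key, any other value replaces the target value.
func mergePatch(target, patch interface{}) interface{} {
	p, ok := patch.(map[string]interface{})
	if !ok {
		return patch
	}
	t, ok := target.(map[string]interface{})
	if !ok || t == nil {
		t = map[string]interface{}{}
	}
	for k, v := range p {
		if v == nil {
			delete(t, k)
			continue
		}
		t[k] = mergePatch(t[k], v)
	}
	return t
}

// ApplyPodOverrides merges the JSON carried by a pod-overrides value
// (format assumed here) into a generated Pod manifest.
func ApplyPodOverrides(podJSON, overridesJSON string) (map[string]interface{}, error) {
	var pod, overrides map[string]interface{}
	if err := json.Unmarshal([]byte(podJSON), &pod); err != nil {
		return nil, fmt.Errorf("pod: %w", err)
	}
	if err := json.Unmarshal([]byte(overridesJSON), &overrides); err != nil {
		return nil, fmt.Errorf("pod-overrides: %w", err)
	}
	merged, _ := mergePatch(pod, overrides).(map[string]interface{})
	return merged, nil
}

func main() {
	// Constructed sample input; "operator-sa" is a hypothetical ServiceAccount.
	pod := `{"spec":{"securityContext":{"runAsUser":1001,"runAsNonRoot":true}}}`
	overrides := `{"spec":{"serviceAccountName":"operator-sa","securityContext":{"runAsUser":1000}}}`
	merged, err := ApplyPodOverrides(pod, overrides)
	fmt.Println(merged, err)
}
```

A jq assignment of a whole object to `.spec.securityContext` replaces every field under it, whereas this merge only touches the keys named in the override, which matters when the generated Pod already carries hardening settings.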

@rm3l rm3l removed this from after v3.0.0 Sep 22, 2022
@rm3l rm3l added this to the v3.1.0 🚀 milestone Sep 30, 2022
@rm3l rm3l added this to odo Project Sep 30, 2022
@dharmit dharmit self-assigned this Oct 10, 2022
@rm3l rm3l modified the milestones: v3.1.0 🚀, v3.2.0 🚀 Oct 12, 2022
@dharmit dharmit moved this to In Progress 🚧 in odo Project Oct 18, 2022
@rm3l rm3l modified the milestones: v3.2.0 🚀, v3.3.0 🚀 Oct 26, 2022
@rm3l rm3l added the kind/feature Categorizes issue as a feature request. For PRs, that means that the PR is the implementation label Nov 2, 2022
@dharmit
Member

dharmit commented Nov 17, 2022

I've opened devfile/library#155 for the container-overrides part.

@rm3l rm3l modified the milestones: v3.3.0 🚀, v3.4.0 🚀 Nov 21, 2022
@rm3l rm3l assigned valaparthvi and unassigned dharmit Nov 23, 2022
@rm3l
Member

rm3l commented Nov 24, 2022

TODO (as of Nov-23, 2022):

@rm3l rm3l modified the milestones: v3.4.0 🚀, v3.5.0 🚀 Dec 12, 2022
@feloy feloy moved this from In Progress 🚧 to In Review 👀 in odo Project Dec 20, 2022
@rm3l rm3l removed this from the v3.5.0 🚀 milestone Jan 3, 2023
@valaparthvi
Contributor

This issue is slightly blocked on devfile/api#1002.
We added the support for container-overrides and pod-overrides in devfile/library. But once we updated odo with the latest devfile/library, we discovered some issues related to devfile/api#1002 (comment). So for now, until the issue in question is fixed, we'll be slightly blocked.
I'm going to research some alternatives.

@valaparthvi
Contributor

valaparthvi commented Jan 11, 2023

/label status/blocked

devfile/api#1002 (comment)

@valaparthvi valaparthvi added the status/blocked Denotes an issue or PR that is blocked on something (e.g., issue/PR in different repo) label Jan 11, 2023
@valaparthvi valaparthvi removed the status/blocked Denotes an issue or PR that is blocked on something (e.g., issue/PR in different repo) label Jan 19, 2023
@rm3l rm3l moved this from In Progress 🚧 to In Review 👀 in odo Project Jan 19, 2023
@github-project-automation github-project-automation bot moved this from In Review 👀 to Done ✅ in odo Project Jan 23, 2023
@rm3l rm3l added the sprint demo Indicates an issue for which a demo should be recorded and presented at the end of the sprint. label Jan 24, 2023
Projects
Archived in project
Status: Done
6 participants