mirror of
https://github.com/ChristianLight/tutor.git
synced 2024-11-04 20:37:52 +00:00
fix: avoid namespace edition for k8s users without access rights
In most cases, it makes very little sense to edit the namespace that an application is running in. Quite often, users are granted access to just one namespace and don't have the necessary rights to edit the namespace -- and for good security reasons. In such cases, the k8s namespace object already exists and there is no need for the user to edit or create it. Here, what we do is that we create the namespace only if it does not exist. This should solve quite a few permission issues, notably for Openshift users.
This commit is contained in:
parent
9b6b770dd7
commit
4a451844e6
@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥".
|
||||
|
||||
## Unreleased
|
||||
|
||||
- [Improvement] Avoid permission issues in Kubernetes/Openshift for users who do not have the rights to edit their namespace.
|
||||
- [Improvement] Better Kubernetes object creation.
|
||||
|
||||
## v11.3.0 (2021-05-18)
|
||||
|
@ -151,7 +151,7 @@ class K8sJobRunner(jobs.BaseJobRunner):
|
||||
field_selector = "metadata.name={}".format(job_name)
|
||||
while True:
|
||||
namespaced_jobs = K8sClients.instance().batch_api.list_namespaced_job(
|
||||
self.config["K8S_NAMESPACE"], field_selector=field_selector
|
||||
k8s_namespace(self.config), field_selector=field_selector
|
||||
)
|
||||
if not namespaced_jobs.items:
|
||||
continue
|
||||
@ -215,15 +215,23 @@ def quickstart(context: click.Context, non_interactive: bool) -> None:
|
||||
@click.command(help="Run all configured Open edX services")
|
||||
@click.pass_obj
|
||||
def start(context: Context) -> None:
|
||||
# Create namespace
|
||||
utils.kubectl(
|
||||
"apply",
|
||||
"--kustomize",
|
||||
tutor_env.pathjoin(context.root),
|
||||
"--wait",
|
||||
"--selector",
|
||||
"app.kubernetes.io/component=namespace",
|
||||
)
|
||||
config = tutor_config.load(context.root)
|
||||
# Create namespace, if necessary
|
||||
# Note that this step should not be run for some users, in particular those
|
||||
# who do not have permission to edit the namespace.
|
||||
try:
|
||||
utils.kubectl("get", "namespaces", k8s_namespace(config))
|
||||
fmt.echo_info("Namespace already exists: skipping creation.")
|
||||
except exceptions.TutorError:
|
||||
fmt.echo_info("Namespace does not exist: now creating it...")
|
||||
utils.kubectl(
|
||||
"apply",
|
||||
"--kustomize",
|
||||
tutor_env.pathjoin(context.root),
|
||||
"--wait",
|
||||
"--selector",
|
||||
"app.kubernetes.io/component=namespace",
|
||||
)
|
||||
# Create volumes
|
||||
utils.kubectl(
|
||||
"apply",
|
||||
@ -455,7 +463,7 @@ def kubectl_exec(
|
||||
) -> int:
|
||||
selector = "app.kubernetes.io/name={}".format(service)
|
||||
pods = K8sClients.instance().core_api.list_namespaced_pod(
|
||||
namespace=config["K8S_NAMESPACE"], label_selector=selector
|
||||
namespace=k8s_namespace(config), label_selector=selector
|
||||
)
|
||||
if not pods.items:
|
||||
raise exceptions.TutorError(
|
||||
|
Loading…
Reference in New Issue
Block a user