✨ (GoodPracticesValidator) : Add a new check to warn authors when permissions to create CRDs are found #241
Conversation
|
c/c @ryantking |
camilamacedo86
changed the title
|
/lgtm |
There was a problem hiding this comment.
Even though I can see the reason behind this PR, this change will enforce some restrictions on what an operator can do. I would like to run this pass another set of eyes before approving.
@joelanford do you have any issues with this change?
|
|
||
| func hasRBACFor(perm v1alpha1.StrategyDeploymentPermissions, apiGroupResourceMap map[string][]string, verbs []string) bool { | ||
| // For each APIGroup and list of resources that we are looking for | ||
| for apiFromMap, resourcesFromMap := range apiGroupResourceMap { |
There was a problem hiding this comment.
I wonder if we have a better way to check for this. This looks rather ugly though I guess you didn't have much of a choice.
There was a problem hiding this comment.
I think it is easily readable and understandable then we try to make it less ugly when behind the scene will do the same.
|
Also this PR needs a rebase. |
|
Hi @dinhxuanvu:
We are not enforcing. The good practices validator will return a warning in this case and not an error. From ^
|
… not create an operator to manage another operator by looking for RBAC permissions to create CRDs
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: camilamacedo86, dinhxuanvu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/lgtm |
Description
Add a new check to warn authors when permissions to create CRDs are found. They usually will ask for these permissions when their Operands manage other operators and create CRDs that is not recommended.
Motivation
Use case: we recently check a Helm-based language operator created with helm charts which would install other Operators.
How it will be used
Any project that uses OF/api will have this check. However, via SDK (which is generally used by users/ci's/pipelines) the warning will be raised when:
a) To validate a bundle against the validator for Good Practices specifically, in addition to required bundle validators:
$ operator-sdk bundle validate ./bundle --select-optional name=good-practicesb) To validate a bundle against the entire suite of validators for Operator Framework, in addition to required bundle validators:
$ operator-sdk bundle validate ./bundle --select-optional suite=operatorframework