Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add NamespacedPolicy CRD [multi-tenancy PR 7] #1402

Merged
merged 11 commits into from
Apr 26, 2024
Merged

feat: add NamespacedPolicy CRD [multi-tenancy PR 7] #1402

merged 11 commits into from
Apr 26, 2024

Conversation

binbin-li
Copy link
Collaborator

@binbin-li binbin-li commented Apr 17, 2024
edited
Loading

Description

What this PR does / why we need it:

This is the 7th PR for multi-tenancy support. Please review #1395 first. Check diff between PR 6 and PR 7 at: binbin-li#123

  1. Created new CRD: NamespacedPolicy for the namespaced Policy resource.
  2. Added controller for the NamespacedPolicy and moved some common logics beween Policy Controller and Namespaced Policy Controller to util methods.
  3. Updated the implementation of ActivePolicies so that it fully supports accessing Policies per namespace.
  4. Will add new e2e tests for namespaced CRs once all CRDs supports namespace.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  • Test A
  • Test B

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

@binbin-li binbin-li changed the title [WIP] feat: add ClusterPolicy CRD [WIP] feat: add ClusterPolicy CRD [multi-tenancy PR 7] Apr 17, 2024
@codecov Codecov
Copy link

codecov bot commented Apr 17, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 71.79487% with 33 lines in your changes are missing coverage. Please review.

❗ No coverage uploaded for pull request base (dev@ea5604a). Click here to learn what that means.

❗ Current head 8b67644 differs from pull request most recent head 5b77947. Consider uploading reports for the commit 5b77947 to get more accurate results

Files Patch % Lines
pkg/utils/test_utils.go 0.00% 22 Missing ⚠️
pkg/manager/manager.go 0.00% 7 Missing ⚠️
...controllers/namespaceresource/policy_controller.go 92.15% 4 Missing ⚠️
Additional details and impacted files 
@@          Coverage Diff           @@
##             dev    #1402   +/-   ##
======================================
  Coverage       ?   66.52%           
======================================
  Files          ?      114           
  Lines          ?     5987           
  Branches       ?        0           
======================================
  Hits           ?     3983           
  Misses         ?     1621           
  Partials       ?      383

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@binbin-li binbin-li force-pushed the multi-tenancy-pr-7 branch 5 times, most recently from 538b2da to d8ce82d Compare April 18, 2024 12:11
@binbin-li binbin-li force-pushed the multi-tenancy-pr-7 branch 4 times, most recently from a65b110 to ecafdef Compare April 22, 2024 13:59
@binbin-li binbin-li changed the title [WIP] feat: add ClusterPolicy CRD [multi-tenancy PR 7] feat: add NamespacedPolicy CRD [multi-tenancy PR 7] Apr 22, 2024
@binbin-li binbin-li force-pushed the multi-tenancy-pr-7 branch 3 times, most recently from e927eb1 to 3b7a1a3 Compare April 23, 2024 07:07
susanshi
susanshi reviewed Apr 24, 2024
View reviewed changes
Copy link
Collaborator

@susanshi susanshi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the PR binbin, left some comments.

config/rbac/namespacedpolicy_viewer_role.yaml
@@ -0,0 +1,27 @@
# permissions for end users to view namespacedpolicies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Want to confirm the role here. Do we need a cluster role or role? is there a difference when rolebinding when it comes to ClusterScoped policy vs namespacedpolicy?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question! This is actually generated by kubebuilder command, and ClusterRole is always assigned to it. Since it's not actually used anywhere it does not make a difference. IMO, it's like a template for devs to follow in Helm template which could be updated accordingly.

config/samples/namespaced/policy/config_v1alpha1_policy_rego.yaml Outdated Show resolved Hide resolved
pkg/controllers/clustered/policy_controller.go Outdated Show resolved Hide resolved
pkg/controllers/namespaced/policy_controller_test.go Outdated Show resolved Hide resolved
pkg/controllers/namespaced/policy_controller_test.go Outdated Show resolved Hide resolved
@susanshi
Copy link
Collaborator

Hi Binbin, does this PR enable customer use Cluster store/verifier , with a name spaced policy? just wondering if we should highlight this scenario in a release note for v1.2

@binbin-li binbin-li force-pushed the multi-tenancy-pr-7 branch from 3b7a1a3 to 80dc17e Compare April 24, 2024 05:08
@binbin-li
Copy link
Collaborator Author

Hi Binbin, does this PR enable customer use Cluster store/verifier , with a name spaced policy? just wondering if we should highlight this scenario in a release note for v1.2

synced offline, will need to merge all following CRD PRs to enable multi-tenancy.

@binbin-li binbin-li mentioned this pull request Apr 24, 2024
Merged
12 tasks
@binbin-li binbin-li force-pushed the multi-tenancy-pr-7 branch from 9046b7c to b163ded Compare April 25, 2024 09:56
@binbin-li binbin-li force-pushed the multi-tenancy-pr-7 branch from b163ded to cf7c563 Compare April 25, 2024 15:04
susanshi
susanshi approved these changes Apr 26, 2024
View reviewed changes
Copy link
Collaborator

@susanshi susanshi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@binbin-li binbin-li enabled auto-merge (squash) April 26, 2024 07:14
@binbin-li binbin-li merged commit 1f21940 into ratify-project:dev Apr 26, 2024
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@susanshi susanshi susanshi approved these changes

@akashsinghal akashsinghal Awaiting requested review from akashsinghal akashsinghal is a code owner

@jimmyraywv jimmyraywv Awaiting requested review from jimmyraywv jimmyraywv is a code owner

@luisdlp luisdlp Awaiting requested review from luisdlp luisdlp is a code owner

@toddysm toddysm Awaiting requested review from toddysm toddysm is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@binbin-li @susanshi