Contributor

@olexii4 olexii4 commented Dec 31, 2025

What does this PR do?

This PR implements a feature to detect and warn about DevWorkspaces with SCC (Security Context Constraint) mismatches in the Eclipse Che Dashboard.

When an administrator enables container run or build capabilities on the server, workspaces that were created before this change will have a different SCC than the current server configuration. These workspaces will display a warning status with an explanatory tooltip, but can still be started.

Key Changes:

  1. selectCurrentScc selector - Detects the current SCC from server configuration based on container run/build capabilities
  2. getContainerScc method - Retrieves the SCC attribute from a DevWorkspace
  3. containerRunCapabilities branding docs URL - Added documentation link for the tooltip
  4. sccMismatch.ts helper module - Contains:
    • SCC_MISMATCH_WARNING_MESSAGE constant - Centralized warning message used across components
    • hasSccMismatch function - Determines if there's a mismatch between workspace and server SCC
  5. getSccMismatchTooltip function - Generates the tooltip content with warning message and documentation link
  6. WorkspaceStatusIndicator update - Shows warning triangle icon with tooltip when workspace SCC doesn't match server SCC (only for stopped workspaces)
  7. WorkspaceStatusLabel update - Shows actual status with warning icon and tooltip when SCC mismatch is detected (only for stopped workspaces)
  8. StartingStepStartWorkspace SCC check - Shows warning alert when starting workspace with SCC mismatch (does not block start)
  9. WorkspaceActionsProvider SCC check - Logs warning when starting workspace with SCC mismatch (does not block start)

Behavior:

| Scenario | currentScc | containerScc | Behavior |
| --- | --- | --- | --- |
| Server has no SCC requirement | undefined | any | Show actual status, allow start (no warning) |
| Both match | defined | same value | Show actual status, allow start (no warning) |
| Workspace missing SCC | defined | undefined | Show warning icon/tooltip, allow start with warning alert |
| Different SCC values | defined | different value | Show warning icon/tooltip, allow start with warning alert |

Note: SCC mismatch warning is only shown for stopped workspaces. Running or starting workspaces show their actual status.

Screenshot/screencast of this PR

Screenshot 2026-01-07 at 04 53 40 Screenshot 2026-01-07 at 04 53 55 Screenshot 2026-01-07 at 04 54 15

What issues does this PR fix or reference?

fixes eclipse-che/che#23636

Is it tested? How?

Deploy Eclipse-Che with the image from this PR.

Test SCC Mismatch Detection:

Deploy Eclipse-Che with the image from this PR:

  1. Create a new workspace (without container run capabilities enabled)
  2. Enable container run capabilities on the server. Additional information
  3. Refresh the dashboard

Verify:

  • Workspace status indicator shows warning triangle icon (not stopped icon)
  • Workspace status label shows "Stopped" text with warning icon
  • Tooltip shows the SCC mismatch warning message: "The workspace was created with a different container SCC (Security Context Constraint) than what is currently configured. The workspace may fail to start."
  • Tooltip includes a clickable "Learn more" link to documentation
  • Workspace can be started (not blocked)
  • Warning alert is displayed during start

Test containerScc undefined scenario:

  1. Create a workspace without SCC attribute (containerScc undefined)
  2. Configure server with any SCC value (e.g., enable container run capabilities)

Verify:

  • Workspace status shows warning icon (mismatch detected)
  • Tooltip shows SCC mismatch warning
  • Workspace can be started with warning alert

Test no server SCC requirement:

  1. Create a workspace with any SCC attribute
  2. Ensure server has no container run/build capabilities enabled (currentScc undefined)

Verify:

  • Workspace status shows actual status (no warning)
  • Workspace can be started normally without any warning

Test matching SCC:

  1. Enable container run capabilities on server
  2. Create a new workspace (will have matching SCC)

Verify:

  • Workspace status shows actual status (no warning)
  • Workspace can be sta

Release Notes

Docs PR
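
The behavior table in the PR description above, written out as an added TypeScript example; it is not the dashboard's own code. The names hasSccMismatch and SCC_MISMATCH_WARNING_MESSAGE come from the description, while the function bodies, the Workspace shape, the other helper names and the sample SCC values are assumptions.

```typescript
// Added example: names follow the PR description; bodies and data are assumptions.
type Scc = string | undefined;
type Status = 'Stopped' | 'Starting' | 'Running'; // constructed subset of statuses

interface Workspace {
  name: string;
  status: Status;
  containerScc: Scc; // SCC recorded on the workspace when it was created
}

const SCC_MISMATCH_WARNING_MESSAGE =
  'The workspace was created with a different container SCC (Security Context Constraint) ' +
  'than what is currently configured. The workspace may fail to start.';

// Behavior table: no server SCC requirement means no warning; otherwise a
// missing or different workspace SCC counts as a mismatch.
function hasSccMismatch(containerScc: Scc, currentScc: Scc): boolean {
  if (currentScc === undefined) {
    return false;
  }
  return containerScc !== currentScc;
}

// The status indicator and label only flag stopped workspaces.
function showsWarningIcon(ws: Workspace, currentScc: Scc): boolean {
  return ws.status === 'Stopped' && hasSccMismatch(ws.containerScc, currentScc);
}

// Starting is never blocked; a mismatch only attaches the warning alert.
function decideStart(ws: Workspace, currentScc: Scc): { allowed: boolean; warning?: string } {
  return hasSccMismatch(ws.containerScc, currentScc)
    ? { allowed: true, warning: SCC_MISMATCH_WARNING_MESSAGE }
    : { allowed: true };
}

// Names of the workspaces that would be flagged for a given server SCC.
function flaggedWorkspaces(all: Workspace[], currentScc: Scc): string[] {
  return all.filter((ws) => showsWarningIcon(ws, currentScc)).map((ws) => ws.name);
}

// Constructed sample data; the SCC names are placeholders.
const SAMPLE: Workspace[] = [
  { name: 'legacy', status: 'Stopped', containerScc: undefined },
  { name: 'fresh', status: 'Stopped', containerScc: 'container-run' },
  { name: 'busy', status: 'Running', containerScc: 'container-build' },
];
```

Calling flaggedWorkspaces with the SCC an administrator is about to configure lists the stopped workspaces that will pick up the warning icon after the change.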

@che-bot
Contributor

che-bot commented Dec 31, 2025

Click here to review and test in web IDE: Contribute

@olexii4 olexii4 force-pushed the CHE-23636 branch 6 times, most recently from 3a6a875 to e893a6c Compare January 1, 2026 00:03
@github-actions

github-actions bot commented Jan 1, 2026

Docker image build succeeded: quay.io/eclipse/che-dashboard:pr-1436

kubectl patch command
kubectl patch -n eclipse-che "checluster/eclipse-che" --type=json -p="[{"op": "replace", "path": "/spec/components/dashboard/deployment", "value": {containers: [{image: "quay.io/eclipse/che-dashboard:pr-1436", name: che-dashboard}]}}]"


@olexii4 olexii4 force-pushed the CHE-23636 branch 2 times, most recently from 23c92a8 to 59afc95 Compare January 2, 2026 01:53

@olexii4 olexii4 changed the title Che 23636 Detect and prevent starting DevWorkspaces with SCC (Security Context Constraint) mismatches in the Eclipse Che Dashboard Jan 2, 2026
@tolusha
Contributor

tolusha commented Jan 5, 2026

Some notes:

  1. Could we move the message to a constant, since it is used in many places?
  2. If containerScc is undefined, then we should allow the workspace to start.
  3. containerScc !== currentScc doesn't mean that container nested capabilities are enabled. Instead, the message should emphasize that the container SCC(s) are different.
  4. I believe that a warning is enough; the dashboard should not prevent the workspace from starting.
  5. Is the documentation link different for downstream?

@olexii4
Contributor Author

olexii4 commented Jan 5, 2026

  1. Is the documentation link different for downstream?

The documentation link is different for downstream. We have the MR

@svor svor self-requested a review January 5, 2026 15:30

@olexii4 olexii4 changed the title Detect and prevent starting DevWorkspaces with SCC (Security Context Constraint) mismatches in the Eclipse Che Dashboard Detect and warn about DevWorkspaces with SCC (Security Context Constraint) mismatches in the Eclipse Che Dashboard Jan 5, 2026
This commit adds the ability to detect and prevent starting workspaces
with SCC (Security Context Constraint) mismatches.

Changes:
- Add selectCurrentScc selector to detect current SCC from server config
- Add getDefaultEditor helper function for consistency
- Add getContainerScc method to WorkspaceAdapter
- Add containerRunCapabilities URL to branding docs
- Update WorkspaceStatusIndicator to show Failed status with tooltip
  when workspace SCC doesn't match server SCC
- Add SCC mismatch checks in StartWorkspace component to prevent starting
- Add SCC mismatch checks in WorkspaceActionsDropdown to disable actions
- Add SCC mismatch checks in WorkspaceActionsProvider
- Remove SCC injection from createDevWorkspaceTemplate
- Remove manageContainerSccAttribute and related methods

When container run/build capabilities are enabled on the server,
workspaces created before this change will show a Failed status
and cannot be started.

Signed-off-by: Oleksii Orel <[email protected]>

@olexii4 olexii4 force-pushed the CHE-23636 branch 2 times, most recently from f65f966 to 62c26b2 Compare January 7, 2026 02:25

Based on code review feedback:
- Move SCC mismatch message to a constant (SCC_MISMATCH_WARNING_MESSAGE)
- Allow workspace start when containerScc is undefined
- Update message to emphasize SCC difference instead of nested capabilities
- Change from blocking error to warning - dashboard should not prevent
  workspace from starting

The hasSccMismatch() function now returns false when containerScc is
undefined, allowing workspaces created before SCC attribute was added
to start normally.

Status indicators now show warning icon instead of failed status, and
start actions log a warning instead of throwing an error.

Signed-off-by: Oleksii Orel <[email protected]>

Remove the early return when currentScc is undefined. This ensures
SCC mismatch is detected when workspace has a containerScc value
but server has no SCC requirement (currentScc is undefined).

Signed-off-by: Oleksii Orel <[email protected]>

Add unit tests to improve coverage for SCC mismatch related changes:

- Add SCC mismatch tests to Provider.spec.tsx (WorkspaceActions)
- Add SCC mismatch tests to StartWorkspace index.spec.tsx
- Add currentScc parameter tests to devWorkspaceClient.spec.ts
- Create Header test file with containerScc prop tests

Assisted-by: Claude

Signed-off-by: Oleksii Orel <[email protected]>

@openshift-ci

openshift-ci bot commented Jan 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: olexii4, tolusha

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@svor svor requested a review from artaleks9 January 8, 2026 15:09
@eclipse-che eclipse-che deleted a comment from codecov bot Jan 9, 2026
Development

Successfully merging this pull request may close these issues.

Show warning, that old workspace can't be started if container run capabilities enabled

4 participants