Make kubearchive admins of the product-kubearchive-logging component #7568
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Code Review by Gemini```diff
--- a/components/vector-kubearchive-log-collector/base/rbac.yaml
+++ b/components/vector-kubearchive-log-collector/base/rbac.yaml
@@ -3,7 +3,7 @@
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubearchive-logging-component-maintainers
- namespace: kubearchive
+ namespace: product-kubearchive-logging
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
@@ -14,13 +14,10 @@
kind: ClusterRole
name: component-maintainer
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kubearchive-logging-admin
- namespace: kubearchive
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: konflux-kubearchive # rover group
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: admin
+Reasoning for change: --- a/components/vector-kubearchive-log-collector/base/rbac.yaml
+++ b/components/vector-kubearchive-log-collector/base/rbac.yaml
@@ -10,13 +10,3 @@
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: component-maintainer
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kubearchive-logging-admin
- namespace: kubearchive
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: konflux-kubearchive # rover group
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: admin
Reasoning for change: --- a/components/vector-kubearchive-log-collector/base/rbac.yaml
+++ b/components/vector-kubearchive-log-collector/base/rbac.yaml
@@ -0,0 +1,16 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubearchive-logging-admin
+ namespace: product-kubearchive-logging
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: konflux-kubearchive # rover group
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
+Reasoning for change: |
|
/approve |
Signed-off-by: Marta Anon <[email protected]>
maruiz93
force-pushed
the
rbac-perms-k9e-logging
branch
from
c5dc242 to
0d9a5a9
Compare
|
New changes are detected. LGTM label has been removed. |
Code Review by Gemini### Review of changes
The changes introduce new RBAC configurations for the `product-kubearchive-logging` namespace and also include unrelated image tag updates in `mintmaker` components.
**Issues and Suggestions:**
1. **Unrelated Changes in `mintmaker` Kustomizations:**
The changes to `components/mintmaker/production/*/kustomization.yaml` files, specifically the addition of the `images` section, are unrelated to the commit message "Make kubearchive admins of the product-kubearchive-logging component". These changes should be reverted or moved to a separate pull request to maintain a clear and focused commit history.
* **File:** `components/mintmaker/production/kflux-ocp-p01/kustomization.yaml`
```diff
--- a/components/mintmaker/production/kflux-ocp-p01/kustomization.yaml
+++ b/components/mintmaker/production/kflux-ocp-p01/kustomization.yaml
@@ -1,15 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
namespace: mintmaker
+
+images:
+ - name: quay.io/konflux-ci/mintmaker
+ newName: quay.io/konflux-ci/mintmaker
+ newTag: a3816e76f5e06ba3114731fc34fa14f76d442b6c
+
patches:
- path: pipelines-as-code-secret-path.yaml
target:
name: pipelines-as-code-secret
group: external-secrets.io
version: v1beta1
kind: ExternalSecret
components:
- ../../components/rh-certs
```
**Suggestion:** Remove lines 6-10.
* **File:** `components/mintmaker/production/kflux-osp-p01/kustomization.yaml`
```diff
--- a/components/mintmaker/production/kflux-osp-p01/kustomization.yaml
+++ b/components/mintmaker/production/kflux-osp-p01/kustomization.yaml
@@ -1,14 +1,20 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
namespace: mintmaker
+
+images:
+ - name: quay.io/konflux-ci/mintmaker
+ newName: quay.io/konflux-ci/mintmaker
+ newTag: a3816e76f5e06ba3114731fc34fa14f76d442b6c
+
patches:
- path: pipelines-as-code-secret-path.yaml
target:
name: pipelines-as-code-secret
group: external-secrets.io
version: v1beta1
kind: ExternalSecret
components:
- ../../components/rh-certs
```
**Suggestion:** Remove lines 6-10.
* **File:** `components/mintmaker/production/kflux-prd-rh02/kustomization.yaml`
```diff
--- a/components/mintmaker/production/kflux-prd-rh02/kustomization.yaml
+++ b/components/mintmaker/production/kflux-prd-rh02/kustomization.yaml
@@ -1,12 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
namespace: mintmaker
+
+images:
+ - name: quay.io/konflux-ci/mintmaker
+ newName: quay.io/konflux-ci/mintmaker
+ newTag: a3816e76f5e06ba3114731fc34fa14f76d442b6c
+
patches:
- path: pipelines-as-code-secret-path.yaml
target:
name: pipelines-as-code-secret
group: external-secrets.io
version: v1beta1
kind: ExternalSecret
```
**Suggestion:** Remove lines 6-10.
* **File:** `components/mintmaker/production/kflux-prd-rh03/kustomization.yaml`
```diff
--- a/components/mintmaker/production/kflux-prd-rh03/kustomization.yaml
+++ b/components/mintmaker/production/kflux-prd-rh03/kustomization.yaml
@@ -1,12 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
namespace: mintmaker
+
+images:
+ - name: quay.io/konflux-ci/mintmaker
+ newName: quay.io/konflux-ci/mintmaker
+ newTag: a3816e76f5e06ba3114731fc34fa14f76d442b6c
+
patches:
- path: pipelines-as-code-secret-path.yaml
target:
name: pipelines-as-code-secret
group: external-secrets.io
version: v1beta1
kind: ExternalSecret
```
**Suggestion:** Remove lines 6-10.
* **File:** `components/mintmaker/production/kflux-rhel-p01/kustomization.yaml`
```diff
--- a/components/mintmaker/production/kflux-rhel-p01/kustomization.yaml
+++ b/components/mintmaker/production/kflux-rhel-p01/kustomization.yaml
@@ -1,14 +1,20 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
namespace: mintmaker
+
+images:
+ - name: quay.io/konflux-ci/mintmaker
+ newName: quay.io/konflux-ci/mintmaker
+ newTag: a3816e76f5e06ba3114731fc34fa14f76d442b6c
+
patches:
- path: pipelines-as-code-secret-path.yaml
target:
name: pipelines-as-code-secret
group: external-secrets.io
version: v1beta1
kind: ExternalSecret
components:
- ../../components/rh-certs
```
**Suggestion:** Remove lines 6-10.
* **File:** `components/mintmaker/production/stone-prod-p01/kustomization.yaml`
```diff
--- a/components/mintmaker/production/stone-prod-p01/kustomization.yaml
+++ b/components/mintmaker/production/stone-prod-p01/kustomization.yaml
@@ -1,15 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
namespace: mintmaker
+
+images:
+ - name: quay.io/konflux-ci/mintmaker
+ newName: quay.io/konflux-ci/mintmaker
+ newTag: a3816e76f5e06ba3114731fc34fa14f76d442b6c
+
patches:
- path: pipelines-as-code-secret-path.yaml
target:
name: pipelines-as-code-secret
group: external-secrets.io
version: v1beta1
kind: ExternalSecret
components:
- ../../components/rh-certs
```
**Suggestion:** Remove lines 6-10.
2. **Redundant RoleBinding in `rbac.yaml`:**
The `rbac.yaml` file grants the `konflux-kubearchive` group both the `component-maintainer` ClusterRole and the `admin` ClusterRole within the `product-kubearchive-logging` namespace. The `admin` ClusterRole typically provides a superset of permissions compared to a `component-maintainer` role. Granting both is redundant. It's best practice to grant the least privilege necessary. If `admin` access is truly required for "manipulate resources", then the `component-maintainer` binding is unnecessary. If `component-maintainer` is sufficient, then `admin` should not be granted.
* **File:** `components/vector-kubearchive-log-collector/base/rbac.yaml`
```diff
--- /dev/null
+++ b/components/vector-kubearchive-log-collector/base/rbac.yaml
@@ -0,0 +1,28 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubearchive-logging-component-maintainers
+ namespace: product-kubearchive-logging
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: konflux-kubearchive # rover group
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: component-maintainer
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubearchive-logging-admin
+ namespace: product-kubearchive-logging
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: konflux-kubearchive # rover group
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
```
**Suggestion:** Remove the first `RoleBinding` (lines 1-14) if the `admin` role is intended to be granted, as it provides broader permissions.
Alternatively, if `component-maintainer` is sufficient, remove the second `RoleBinding` (lines 15-28).
Given the commit message "Make kubearchive admins" and "manipulate resources", it implies the `admin` role is the primary intent, making the `component-maintainer` role redundant.
**Recommended Change (assuming `admin` is the desired level of access):**
```diff
--- a/components/vector-kubearchive-log-collector/base/rbac.yaml
+++ b/components/vector-kubearchive-log-collector/base/rbac.yaml
@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubearchive-logging-admin
+ namespace: product-kubearchive-logging
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: konflux-kubearchive # rover group
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
```
This change removes lines 1-14 from the original new file. |
mshaposhnik
approved these changes
Aug 11, 2025
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: maruiz93, mshaposhnik, rh-hemartin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit 479ca23
into
redhat-appstudio:main
9 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The kubearchive team should be able to check logs, do port-forwards and manipulate resources to troubleshoot potential issues in this component.