Hello team,
working on "Support workspace namespace configuration in che-operator"[0], we've hit an issue with permissions for `che-operator` and `che` serviceaccounts (sa).
TLDR: we want to use `<username>-che` [1] as default namespace for workspaces. For that, we need che-operator to have these extra cluster-wide permissions [2] to be able to grant it to `che` sa, even if we might not actually need it.
Longer versionCurrent stateWe have 4 namespace scenarios we need to support:
 1] all in one namespace
 2] use pre-created namespaces for workspaces
 3] create new namespaces
 4] use OpenShift oauth (we can further split this scenario, but as we delegate permissions to openshift user, we don't need to deal with any sa or permissions from che-operator)
Currently, che-operator default deployment support 1] and 4] and it sets default namespace for workspaces to same namespace as it is deployed.
Desired stateWe want to have `<username>-che` as default namespace for workspaces[1] and che server should be able to create that namespace. This should be default deployment for che-operator and thus must work out of the box, including installation from OperatorHub or with chectl.
(please correct me if I'm wrong)
IssueTo allow che server to create and use different namespaces, we need to grant `che` sa extra cluster-wide permissions[2]. In che-operator, we can decide what permissions grant to `che` sa, because we have CheCluster CR. HOWEVER, to allow che-operator grant permissions to `che` sa, `che-operator` sa has to have these permissions as well. This is the issue, because in che-operator deployment time, we don't know what namespace scenario will be used. If we want `<username>-che` as default, we need all listed permissions for che-operator as default. Even if then we deploy CR with for example oauth, so we end-up with `che-operator` sa with a lot of permissions that we don't actually need.
So what are our options? (with little comments)
- Grant all listed permissions to che-operator by default and grant needed permissions to `che` sa by namespace set in CR. We can then document how to remove unnecessary permissions for used namespace scenario.
    - che-operator will support all scenarios, but we need all these permissions only for scenario 3]
- Don't grant any cluster-wide permissions to che-operator, keep all in one namespace by default and document what is needed for another scenarios.
    - to achieve `<username>-che`, extra manual steps are needed.
- Don't grant any cluster-wide permissions to che-operator, have `<username>-che` as default and document the extra manual steps needed + good error message in che-operator.
    - does not work out of the box, but allow admin to tune up the permissions and strategy as needed.
- Grant all listed permissions to che-operator, then when it deploys Che, it decides from CR what permissions it doesn't need and remove them.
    - we cut-off the option to go back to higher permissions scenario without extra manual steps. Also I'm not sure if it is even possible to remove oneself permissions.
There is currently draft PR open[3] and it's issue[0] contains interesting discussion. The PR currently follows first option.
-- 
Michal Vala
Software Engineer, Eclipse Che
Red Hat Czech