
Re: [che-dev] Username and K8s namespace name

Can we avoid supporting namespaces created using user tokens and just support:
- namespaces created beforehand (by an admin or even better by an operator such as namespace-configuration-operator)
- namespaces created by Che SA
That would allow us to use labels to identify the che user that owns the namespace.


On Sun, Aug 2, 2020 at 3:26 AM Gorkem Ercan <gorkem.ercan@xxxxxxxxx> wrote:


On Thu., Jul. 30, 2020, 11:14 a.m. Lukas Krejci, <lkrejci@xxxxxxxxxx> wrote:
On Thursday, July 30, 2020 3:18:02 PM CEST Gorkem Ercan wrote:
> Another approach could be that che depends only on labels to select
> namespace for workspace creation.
> This way if the namespace is created by the user all Che does is it adds a
> label to associate the namespace to the user.

This would require the perms to update a namespace/projects, with which we had
problems in the past - https://github.com/eclipse/che/issues/16612.

If I remember correctly, on OpenShift, by default, users are not allowed to
update projects even if they are able to create them. Also, any labels on the
projectrequest (i.e. the object one uses to create projects) are ignored and
not put on the eventually created project.


That is right! This is why we cannot have nice things.


> If Che creates the namespace it can do it in any pattern, like partial
> name/hash (do we allow admins to decide on patterns??), and just add the
> labels.
>
> Of course this gives freedom to the savvy user to label any namespace for
> Che, and we only need to remedy the case if this causes multiple namespaces
> to be selected.
>
> Another side-effect is admins can easily select all che workspace related
> namespaces to do things like monitoring etc.
>
>
> On Thu, Jul 30, 2020 at 8:32 AM Sergii Kabashniuk <skabashn@xxxxxxxxxx>
>
> wrote:
> > Hello, devs.
> > I want to discuss with you one topic related to k8s namespace name of the
> > workspace.
> > We noticed that the situation where the username is incompatible with the
> > k8s namespace name isn't that rare [1].
> > And it is not very clear to the users what to do next [2].
> >
> >
> > Let's summarise the problem first.
> > By default we have che.infra.kubernetes.namespace.allow_user_defined=false
> > and che.infra.kubernetes.namespace.default=<username>-che
> > That means that the user is not able to propose a namespace himself, and we
> > use his username in case Che is going to explicitly create a
> > k8s namespace for the workspace. Obviously the situation becomes
> > complicated if the user chooses a username that is not k8s compatible [3].
> >
> >
> > Now let's talk about what we can do.
> > 1. In case Che is NOT controlling namespace creation, we have a limited
> > number of variants here. I can suggest adding more placeholders.
> >
> >    - <oc_user_label_name> - In case OpenShift OAuth is enabled we can use
> >      labels of the user.openshift.io/v1 object.
> >    - External http endpoint, which we can query with the user id and which
> >      must return the k8s namespace name.
> >    - An extra field in the JWT token. Need additional research here.
> >
> > 2. In case Che is ALLOWED to create a namespace and the user is NOT allowed
> > to suggest his variant:
> >
> >    - On first login pre-create the k8s namespace.
> >    - Remove incompatible characters.
> >    - In case a namespace with such a name already exists, add a 6-character
> >      random suffix.
> >
> > 3. In case Che is ALLOWED to create a namespace and the user is ALLOWED to
> > suggest his variant:
> >
> >    - Ensure that the problem with the namespace name exists for the given user.
> >    - Ask the user about the desired namespace before creating a workspace
> >      or accepting a factory on the dashboard.
> >    - In case there is already an existing workspace, we can use its k8s
> >      namespace as the first option.
> >
> > Unconditional:
> >
> >   - Try to add validation on the Keycloak profile page to add extra
> >     validation of the username.
> >   - Synchronize the username on each login. At this moment we are
> >     synchronizing a single field: email.
> >
> >
> >
> > [1] Invalid default namespace name
> >     https://github.com/eclipse/che/issues/15323
> > [2] How to remove Che user https://github.com/eclipse/che/issues/17500
> > [3] rfc1035/rfc1123 label (DNS_LABEL): An alphanumeric (a-z, and 0-9)
> >     string, with a maximum length of 63 characters, with the '-' character
> >     allowed anywhere except the first or last character, suitable for use
> >     as a hostname or segment in a domain name
> >
> > --
> >
> > Sergii Kabashniuk
> >
> > Principal Software Engineer, DevTools
> >
> > Red Hat
> >
> > skabashniuk@xxxxxxxxxx
> > _______________________________________________
> > che-dev mailing list
> > che-dev@xxxxxxxxxxx
> > To unsubscribe from this list, visit
> > https://www.eclipse.org/mailman/listinfo/che-dev




_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/che-dev
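The sanitisation rules from option 2 in the quoted message (strip incompatible characters, build `<username>-che`, add a 6-character random suffix on collision), checked against the DNS_LABEL definition in [3], worked through as an added example; this is not code from the thread or from Che itself. The `existing` container of namespace names and the placement of the random part before `-che` are assumptions made here.

```python
import re
import secrets
import string

# Kubernetes namespace names are RFC 1123 DNS labels: lowercase alphanumerics
# and '-', 1 to 63 characters, with '-' not allowed first or last.
DNS_LABEL_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
MAX_LABEL_LEN = 63
SUFFIX = "-che"   # the che.infra.kubernetes.namespace.default pattern from the thread
RANDOM_LEN = 6    # the 6-character random suffix proposed for collisions


def is_dns_label(name: str) -> bool:
    """True if `name` is a valid RFC 1123 DNS label (usable as a namespace name)."""
    return bool(DNS_LABEL_RE.match(name))


def sanitize_username(username: str) -> str:
    """Drop what a DNS label cannot hold: upper case, '@', '.', '_', and so on."""
    cleaned = re.sub(r"[^a-z0-9-]+", "-", username.lower())  # runs become one '-'
    return re.sub(r"-{2,}", "-", cleaned).strip("-")        # no leading/trailing '-'


def default_namespace(username: str, existing, rng=secrets) -> str:
    """Build '<username>-che'; on collision insert a random 6-character part.

    `existing` is a container of namespace names already in the cluster
    (constructed by the caller here; a real implementation would list them).
    """
    base = sanitize_username(username)
    if not base:
        # Nothing usable survived (e.g. a username made only of symbols):
        # the caller has to fall back to asking the user, as in option 3.
        raise ValueError(f"username {username!r} yields an empty DNS label")
    candidate = base[: MAX_LABEL_LEN - len(SUFFIX)].rstrip("-") + SUFFIX
    if candidate not in existing:
        return candidate
    # Collision: keep room for '-' + RANDOM_LEN chars + SUFFIX within 63 chars
    alphabet = string.ascii_lowercase + string.digits
    stem = base[: MAX_LABEL_LEN - len(SUFFIX) - 1 - RANDOM_LEN].rstrip("-")
    while True:
        rand = "".join(rng.choice(alphabet) for _ in range(RANDOM_LEN))
        candidate = f"{stem}-{rand}{SUFFIX}"
        if candidate not in existing:
            return candidate
```

The length handling matters for the "savvy user" case as well: a long or symbol-heavy username must never produce a name the API server rejects after Che has already committed to it.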