Allow to set Supplemental Groups or fsGroup for the registry via the command line #12951
Conversation
pkg/cmd/admin/registry/registry.go
Outdated
| @@ -181,6 +186,8 @@ func NewCmdRegistry(f *clientcmd.Factory, parentName, name string, out, errout i | |||
| cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run registries on a specific set of nodes.") | |||
| cmd.Flags().StringVar(&cfg.ServingCertPath, "tls-certificate", cfg.ServingCertPath, "An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS") | |||
| cmd.Flags().StringVar(&cfg.ServingKeyPath, "tls-key", cfg.ServingKeyPath, "An optional path to a PEM encoded private key for serving over TLS") | |||
| cmd.Flags().StringSliceVar(&cfg.SupplementalGroupRange, "supplemental-groups", cfg.SupplementalGroupRange, "Specify supplemental groups which is an array of ID's that grants group access to registry shared storage") | |||
| cmd.Flags().StringVar(&cfg.FSGroup, "fs-group", "", "Specify fsGroup which is an ID's that grants group access to registry block storage") | |||
pkg/cmd/admin/registry/registry.go
Outdated
| } | ||
| } | ||
| if len(opts.Config.SupplementalGroupRange) > 0 && len(opts.Config.FSGroup) > 0 { | ||
| return kcmdutil.UsageError(cmd, "fsGroup and supplemental groups cannot be specified both at the same time") |
There was a problem hiding this comment.
I don't see a reason of why they cannot be specified both. Would be interesting to know.
There was a problem hiding this comment.
@php-coder I think you either want block storage or shared for registry volume, not both.
pkg/cmd/admin/registry/registry.go
Outdated
| // Complete(). | ||
| continue | ||
| } | ||
| result.SupplementalGroups = append(result.SupplementalGroups, groupID) |
There was a problem hiding this comment.
BTW to be consistent with the code below and to reduce lines of code this can be re-written to:
if groupID, err := strconv.ParseInt(val, 10, 64); err == nil {
result.SupplementalGroups = append(result.SupplementalGroups, groupID)
}
pkg/cmd/admin/registry/registry.go
Outdated
| @@ -224,6 +231,23 @@ func (opts *RegistryOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command, | |||
| opts.nodeSelector = valid | |||
| } | |||
|
|
|||
| if len(opts.Config.FSGroup) > 0 { | |||
| if val, err := strconv.ParseInt(opts.Config.FSGroup, 10, 64); err != nil || val == 0 { | |||
There was a problem hiding this comment.
Looks like this allows the values less than zero. Perhaps uint32 is more suitable in this case.
There was a problem hiding this comment.
negative values will be refused by PodSpec validation, actually having this to be set to 0 might be valid case (you want root group?).
pkg/cmd/admin/registry/registry.go
Outdated
| @@ -181,6 +186,8 @@ func NewCmdRegistry(f *clientcmd.Factory, parentName, name string, out, errout i | |||
| cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run registries on a specific set of nodes.") | |||
| cmd.Flags().StringVar(&cfg.ServingCertPath, "tls-certificate", cfg.ServingCertPath, "An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS") | |||
| cmd.Flags().StringVar(&cfg.ServingKeyPath, "tls-key", cfg.ServingKeyPath, "An optional path to a PEM encoded private key for serving over TLS") | |||
| cmd.Flags().StringSliceVar(&cfg.SupplementalGroupRange, "supplemental-groups", cfg.SupplementalGroupRange, "Specify supplemental groups which is an array of ID's that grants group access to registry shared storage") | |||
There was a problem hiding this comment.
Range in the name is a bit confusing. As far I can see, it's just a list and not range like 10-15 or 10/5.
The code for parsing fsGroup/supplementalGroups from the openshift.io/sa.scc.supplemental-groups annotation that actually support ranges could be found here:
origin/pkg/security/scc/matcher.go
Lines 334 to 393 in bd3e362
origin/pkg/security/uid/uid.go
Lines 18 to 40 in bd3e362
There was a problem hiding this comment.
yeah, the name is wrong, shold be just --supplemental-groups=[]
mfojtik
force-pushed
the
registry-groups
branch
2 times, most recently
from
3d69ad6 to
a917cb1
Compare
|
@php-coder comments addressed, PTAL. |
mfojtik
force-pushed
the
registry-groups
branch
from
a917cb1 to
7ea4f72
Compare
|
LGTM (and Travis says that you have to re-generate docs). |
openshift-bot
added
the
needs-rebase
|
[merge] |
|
Evaluated for origin merge up to ef3fc41 |
|
[Test]ing while waiting on the merge queue |
|
Evaluated for origin test up to ef3fc41 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/549/) (Base Commit: f0670df) |
openshift-bot
removed
the
needs-rebase
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/549/) (Base Commit: 83a6089) (Image: devenv-rhel7_6118) |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1420541