Allow che administrators to enable container build capabilities for developers workspaces #21752

Closed
l0rd opened this issue Oct 7, 2022 · 6 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/enhancement A feature request - must adhere to the feature request template. new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes severity/P1 Has a major impact to usage or development of the system. status/info-needed More information is needed before the issue can move into the “analyzing” state for engineering.

@l0rd
Contributor

l0rd commented Oct 7, 2022

Is your enhancement related to a problem? Please describe

Today it's only possible to add the capability through an attribute in a devfile and this is not portable.

Describe the solution you'd like

Add to the CheCluster a field to enable the container build capabilities and update the dashboard to consume it at workspace startup:

spec:
  devEnvironments:
    disableContainerBuildCapabilities: true # initially the default is `true` 
                                            # but will be switched to `false` as soon
                                            # as #21764 sub-tasks are completed.

Release Notes Text

An administrator can enable container builds using devEnvironments.disableContainerBuildCapabilities: true in CheCluster configuration. This allows using podman build on any workspace (adding the attribute controller.devfile.io/scc: container-build in a Devfile is not required anymore).

@l0rd l0rd added the kind/enhancement A feature request - must adhere to the feature request template. label Oct 7, 2022
@ibuziuk ibuziuk mentioned this issue Oct 7, 2022
67 tasks
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Oct 7, 2022
@tolusha tolusha added the area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator label Oct 8, 2022
@tolusha
Contributor

tolusha commented Oct 8, 2022

@l0rd
Could you help with CheCluster CR fields?

@l0rd
Contributor Author

l0rd commented Oct 10, 2022

spec:
  devEnvironments:
    disableContainerBuildCapabilities: false # <== default is false

@ibuziuk
Member

ibuziuk commented Oct 10, 2022

From the semantics perspective it would be better to drop the negative connotation (disable field set to false) and use EnableContainerBuildCapabilities set to true by default:

spec:
  devEnvironments:
    enableContainerBuildCapabilities: true # <== default is true

@l0rd l0rd added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Oct 10, 2022
@l0rd
Contributor Author

l0rd commented Oct 10, 2022

I am ok with both but in the past we have been trying to stick with the following convention: omitting a boolean field corresponds to setting it to false. That's because it's super simple to implement and it makes sense from a logical point of view.

@l0rd
Contributor Author

l0rd commented Oct 13, 2022

I have added the full list of tasks to automate the enabling of the workspaces container build capabilities in #21764.
Once all subtasks are completed, the CheCluster.devEnvironments should have the following new field defaults:

spec:
  devEnvironments:
    disableContainerBuildCapabilities: false # initially the default is `true`
    containerBuildConfiguration:
       openShiftSecurityContextConstraint: 'container-build'
       containerOverrides: {"securityContext":{"capabilities":{"add": ["SETGID", "SETUID"]}}}
       podOverrides: {"spec": {"securityContext": {"allowPrivilegeEscalation": false}}}
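
Added example, not part of the thread and not che-operator code: a small Go audit of a `devEnvironments` object (in JSON form) that applies the "omitted boolean means false" convention discussed above and reports any added capability beyond the `SETGID`/`SETUID` pair proposed here. The struct types, `audit`, `expectedCaps` and `sample` are hypothetical names, and the sample input with `SYS_ADMIN` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Field names follow the YAML in the thread; the Go types are assumptions for this example.
type devEnvironments struct {
	DisableContainerBuildCapabilities bool `json:"disableContainerBuildCapabilities"`
	ContainerBuildConfiguration       struct {
		OpenShiftSecurityContextConstraint string `json:"openShiftSecurityContextConstraint"`
		ContainerOverrides                 struct {
			SecurityContext struct {
				Capabilities struct {
					Add []string `json:"add"`
				} `json:"capabilities"`
			} `json:"securityContext"`
		} `json:"containerOverrides"`
	} `json:"containerBuildConfiguration"`
}

var expectedCaps = map[string]bool{"SETGID": true, "SETUID": true} // the pair listed in the proposal

// audit reports whether container builds are effectively enabled, which SCC is
// requested, and which added capabilities fall outside the expected set.
func audit(specJSON string) (enabled bool, scc string, unexpected []string, err error) {
	var de devEnvironments
	if err = json.Unmarshal([]byte(specJSON), &de); err != nil {
		return false, "", nil, err
	}
	// An omitted bool decodes to false, so an absent disable* field means "enabled".
	enabled = !de.DisableContainerBuildCapabilities
	cfg := de.ContainerBuildConfiguration
	for _, c := range cfg.ContainerOverrides.SecurityContext.Capabilities.Add {
		if !expectedCaps[c] {
			unexpected = append(unexpected, c)
		}
	}
	return enabled, cfg.OpenShiftSecurityContextConstraint, unexpected, nil
}

// Constructed sample: disable* omitted, and one capability beyond the proposal.
const sample = `{"containerBuildConfiguration":{"openShiftSecurityContextConstraint":"container-build",
 "containerOverrides":{"securityContext":{"capabilities":{"add":["SETGID","SETUID","SYS_ADMIN"]}}}}}`

func main() {
	fmt.Println(audit(sample))
}
```

With a plain `bool`, a default of `true` for an `enable*` field could not be told apart from an omitted field, which is the practical side of the naming discussion above.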

@l0rd l0rd added new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes status/info-needed More information is needed before the issue can move into the “analyzing” state for engineering. labels Oct 27, 2022
@l0rd l0rd modified the milestones: 7.55, 7.56 Oct 27, 2022
@max-cx

max-cx commented Dec 15, 2022

Sync'd with Red Hat JIRA https://issues.redhat.com/browse/CRW-3637


5 participants