Add permissions for managing namespaces in admission rules #4590
Conversation
|
Welcome @suyiiyii! |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @suyiiyii, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request resolves a bug preventing the Volcano admission webhook from properly mutating PodGroup resources. It grants the necessary permissions for the webhook to access namespace annotations, ensuring that PodGroup objects can be correctly updated based on namespace-specific configurations.
Highlights
- Admission Webhook Permissions: Adds "get", "list", "watch" permissions for "namespaces" to the Volcano admission webhook's ClusterRole, enabling it to read namespace annotations for PodGroup mutation.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
volcano-sh-bot
added
the
size/XS
There was a problem hiding this comment.
Code Review
This pull request correctly adds the necessary RBAC permissions for the admission webhook to read namespace information, which is required for mutating PodGroups based on namespace annotations. The change is well-justified. I have one high-severity feedback item concerning the Helm chart configuration to ensure the new functionality is enabled by default for users.
| - apiGroups: [""] | ||
| resources: ["namespaces"] | ||
| verbs: ["get", "list", "watch"] |
There was a problem hiding this comment.
While these permissions are necessary for the podgroups/mutate webhook as described, this webhook is not enabled by default in the Helm chart's values.yaml. For the feature to work as intended with a default installation, /podgroups/mutate should be added to the enabled_admissions list in installer/helm/chart/volcano/values.yaml.
Without this change, users will have to manually discover and edit their values to enable the webhook, which could lead to confusion.
suyiiyii
force-pushed
the
fix/ns_read
branch
from
b93684e to
8649d68
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds namespace read permissions to the Volcano admission webhook's ClusterRole to enable PodGroup mutation based on namespace annotations.
- Adds
get,list, andwatchpermissions for namespaces in the admission webhook's ClusterRole - Enables the mutating webhook to read namespace annotations for PodGroup queue field updates
- Fixes webhook failures when attempting to access namespace settings
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
/assign @hwdef |
| - apiGroups: ["scheduling.incubator.k8s.io", "scheduling.volcano.sh"] | ||
| resources: ["podgroups"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: [""] |
There was a problem hiding this comment.
We should add a check {{- if .Values.custom.enabled_admissions | regexMatch "/podgroups/mutate" }}, only add the rbac role when podgroup mutating webhook is configured.
Signed-off-by: suyiiyii <[email protected]>
suyiiyii
force-pushed
the
fix/ns_read
branch
from
8649d68 to
25bfd3c
Compare
|
/kind bug |
|
/ok-to-test |
volcano-sh-bot
added
the
ok-to-test
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Monokaix The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
volcano-sh-bot
added
the
approved
|
/lgtm |
|
/lgtm |
|
Please also cherrypick to release 1.12, 1.11 and 1.10. |
Thanks for merging my PR. Just to confirm, would you like me to cherrypick this PR to the release-1.12, release-1.11, and release-1.10 branches? |
Yeah you can work on that: ) |
5 participants
What type of PR is this?
Bugfix
What this PR does / why we need it:
This PR adds permissions for managing namespaces (
get,list,watch) in the admission webhook's ClusterRole. This is required for the mutating webhook to read namespace annotations and mutate PodGroup resources accordingly. Without these permissions, the webhook cannot access namespace annotations and will fail to update the PodGroup'squeuefield based on the namespace's settings.Which issue(s) this PR fixes:
Fixes #4589
Special notes for your reviewer:
Does this PR introduce a user-facing change?
NONE