Comments (7)
Pod/container overrides for volumes/volumemounts is now possible thanks to devfile/devworkspace-operator#1223
I'm able to add a CSI volume to a devworkspace pod/container by following these steps to create a
SharedSecret
: https://docs.openshift.com/container-platform/4.14/storage/container_storage_interface/ephemeral-storage-shared-resource-csi-driver-operator.htmlExample overrides:
schemaVersion: 2.2.0 attributes: controller.devfile.io/storage-type: per-workspace metadata: name: che-demo attributes: pod-overrides: spec: volumes: - csi: driver: csi.sharedresource.openshift.io readOnly: true volumeAttributes: sharedSecret: my-share name: my-csi-volume components: - name: workspace attributes: container-overrides: volumeMounts: - mountPath: /etc/my-csi-volume name: my-csi-volume readOnly: true container: ...
I believe this covers your use case @cgruver ?
Yes! That covers the use case.
from che.
Mounting the SharedSecret like so: #22751 (comment) is working in the latest Che:
To get it working, I manually added csi
in the list of volumes in the container-build
scc (the default scc for workspaces).
![image](https://private-user-images.githubusercontent.com/83611742/301297441-e0ffa5e1-9d80-43c0-9b10-c7470e5a88df.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MDg4OTcwNjcsIm5iZiI6MTcwODg5Njc2NywicGF0aCI6Ii84MzYxMTc0Mi8zMDEyOTc0NDEtZTBmZmE1ZTEtOWQ4MC00M2MwLTliMTAtYzc0NzBlNWE4OGRmLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDAyMjUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwMjI1VDIxMzI0N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTJhMGU2OWFmZGM4Zjg2ODc1MWJkMmZjNDEyMmU2YWU2YjJiYjEzYzM4NzUzOWJkMmIxMDkxOGQ3ODY4ZDNiNDQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.xuv8XUE-l9wyUzgG30k-N0GGC_MgJ7Ph5vSjuKof8aA)
from che.
There are currently a couple of options to mount a CSI volume:
- Che administrator can specify a specific storage class using
.spec.devEnvironments.storage.perWorkspaceStrategyPvcConfig.storageClass
in the CheCluster CR - The developer can pre-create the CSI volume and a corresponding PVC with the label
controller.devfile.io/mount-to-devworkspace: "true"
and this will be automounted in workspaces.
@cgruver can you confirm that those 2 options don't work for your use case? And that what you are requesting is to add the capability in the Devfile API? For example:
schemaVersion: 2.2.0
metadata:
name: mydevfile
components:
- name: mydevfile
container:
(...)
volumeMounts:
- name: cache
path: /.cache
- name: cache
volume:
size: 2Gi
+ csi:
+ driver: some-csi-driver
My worry is this will make the Devfile less portable (i.e. it works on my cluster but doesn't on yours).
from che.
@l0rd The use case in question here is not for PVCs, but for things like AWS Secrets Manager or SPIFFE.
The CheCluster CR config will not work, because these CSI volumes will often be workspace specific, and it's possible that there will be a need for volumes from different drivers.
The easiest option is probably to allow them to be injected via pod-overrides
and container-overrides
pod-overrides: {"spec": {"volumes": [{"name": "mysecret-volume", "csi": {"driver": "some-csi-driver", "readOnly" : true, "volumeAttributes": {"attrib1": "some-value"}}}]}}
container-overrides: {"volumeMounts": [{"name": "mysecret", "mountPath": "/var/my/path", "readOnly": true}]}
Portability is less of an issue, because in this scenario, the workspace is dependent on the volume anyway. If a given cluster does not have the needed CSI drivers, then the workspace won't work anyway.
from che.
@cgruver ok, I am still not sure if the developer can or not pre-create the volume. And adding this information in the devfile still looks like a hack. However I agree with you that the pod/container-overrides
you are trying to apply should work and we need to figure out how to fix it (if that's a problem with the default SCC, then it's configurable and doesn't require any change in the code).
For a better solution to this use case: have you thought about leveraging the cloud-credential-operator? We introduced the support for SA token volume projection to add GCP credentials in workspaces (see GCP workload identity federation) when the cloud-credential-operator is installed and configured in the cluster. The cloud-credential-operator supports AWS out of the box (and I assume that SPIFFE could be supported too).
from che.
Pod/container overrides for volumes/volumemounts is now possible thanks to devfile/devworkspace-operator#1223
I'm able to add a CSI volume to a devworkspace pod/container by following these steps to create a SharedSecret
: https://docs.openshift.com/container-platform/4.14/storage/container_storage_interface/ephemeral-storage-shared-resource-csi-driver-operator.html
Example overrides:
schemaVersion: 2.2.0
attributes:
controller.devfile.io/storage-type: per-workspace
metadata:
name: che-demo
attributes:
pod-overrides:
spec:
volumes:
- csi:
driver: csi.sharedresource.openshift.io
readOnly: true
volumeAttributes:
sharedSecret: my-share
name: my-csi-volume
components:
- name: workspace
attributes:
container-overrides:
volumeMounts:
- mountPath: /etc/my-csi-volume
name: my-csi-volume
readOnly: true
container:
...
I believe this covers your use case @cgruver ?
from che.
I have a permissions issue when trying with Che however (my cluster died):
Status
status:
conditions:
- lastTransitionTime: '2024-01-31T01:54:49Z'
message: 'Error creating DevWorkspace deployment: Detected unrecoverable deployment condition: FailedCreate pods "workspace07eac1a5666447ee-6d865d86cb-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETGID": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETUID": capability may not be added, provider restricted-v2: .initContainers[0].allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed, provider restricted-v2: .containers[0].capabilities.add: Invalid value: "SETGID": capability may not be added, provider restricted-v2: .containers[0].capabilities.add: Invalid value: "SETUID": capability may not be added, provider restricted-v2: .containers[0].allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed, provider "restricted": Forbidden: not usable by user or serviceaccount, spec.volumes[0]: Invalid value: "csi": csi volumes are not allowed to be used, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]'
from che.
Related Issues (20)
- Che-Code automatic rebase against upstream VS Code is failed HOT 1
- Update 'OcpUserLoginPage' to login in OCP cluster without OAuth config
- Intercept `Ctrl + W` so we can close a IDE tab instead of the browser tab
- [plugin-registry] Upgrade openvsx base image to v0.14.3 HOT 2
- Revoke OAuth button still in active state after OAuth revoked
- Gitconfig is not automatically created HOT 1
- Eclipse Che: Unable to add plug-in automatically in workspace using Devfile for IntelliJ IDEA Community Editor HOT 5
- [docs] Previous Versions Docs aren't working HOT 11
- Add an ability to revoke GitLab oauth from dashboard
- Only some settings in .vscode/settings.json are applied in Dev Spaces 3.11 HOT 3
- Volume size defined in the parent devfile is not overridable in the child
- Docs: Eclipse Che Security Best Practices HOT 2
- After revoke OAuth application the 'Authorization' indicator is still turned in 'User Preferences' Dashboard HOT 1
- Extension secrets are lost on workspace restart
- Failed to deploy Eclipse Che: Timeout reached while waiting for "plugin-registry" ConfigMap.
- GitHub `che-operator` PR checks failed
- Fix Che Dashboard release workflow
- Eclipse Che: Need documentation for extracting che server, workspace metrics running on k8s with prometheus HOT 7
- CVE-2023-26136 (Critical) found in Che Dashboard for deprecated request package
- Eclipse Che with Azure Kubernetes Service OIDC HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from che.