-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(helm): stop requesting superfluous permissions #693
Conversation
/e2e --tests sdk,substrafl,frontend |
aedd040
to
2992f4b
Compare
/e2e --tests sdk,frontend |
/e2e --tests sdk |
End to end tests: ✔️ SUCCESS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have a process to ensure that the helm chart version is the right one? 🤔
Sort of, the CI checks the proposed version doesn't already exist on the repo: https://github.com/Substra/substra-backend/blob/main/.github/workflows/helm.yml#L41 but that's it |
@@ -20,9 +20,12 @@ rules: | |||
resources: ["secrets"] | |||
verbs: ["get", "watch", "list", "create", "update", "patch"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we actually need "create", "update", "patch" on secrets? It looks like this Role just use read access on secret
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably not, now you put it like this
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] | ||
- apiGroups: ["batch", "extensions"] | ||
- apiGroups: ["batch"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we actually use batch jobs in the worker?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know 😅
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ctrl+F-ing batch
in the code base would lead my to believe we don't
No, jobs
is part of the batch
kubernetes API group so that is normal
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But do we need to run jobs in the worker? I thought we just ran pods :x
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To the best of my knowledge, we don't use K8s Jobs currently
Signed-off-by: Olivier Léobal <[email protected]>
Signed-off-by: Olivier Léobal <[email protected]>
Signed-off-by: Olivier Léobal <[email protected]>
afe0165
to
312b4d9
Compare
/e2e --tests sdk,substrafl,frontend |
End to end tests: ✔️ SUCCESS That was easy. |
Description
Remove permissions that we think are superfluous.
(this was split from #671)
How has this been tested?
⬇️ (sufficient, I hope)
Checklist