fix: grant dashboard SA read access to DevWorkspaceOperatorConfig #2099

Merged
tolusha merged 1 commit into main from fix/dashboard-sa-dwoc-rbac
Mar 19, 2026

@akurinnoy
Contributor

What does this PR do?

This PR grants the dashboard service account read access to the DWOC. The dashboard backup feature reads the DWOC to get backup configuration (schedule, registry path, auth secret name). Without this permission, backup API endpoints fail with 403 for all users.

Screenshot/screencast of this PR

What issues does this PR fix or reference?

How to test this PR?

  1. Deploy the operator:

OpenShift

./build/scripts/olm/test-catalog-from-sources.sh

or

build/scripts/docker-run.sh /bin/bash -c "
  oc login \
    --token=<...> \
    --server=<...> \
    --insecure-skip-tls-verify=true && \
  build/scripts/olm/test-catalog-from-sources.sh
"

on Minikube

./build/scripts/minikube-tests/test-operator-from-sources.sh

  2. Verify the dashboard SA ClusterRole includes the new rule:

kubectl get clusterrole <namespace>-che-dashboard -o json | jq '.rules[] | select(.apiGroups[] ==
  "controller.devfile.io")'
# Should return: {"apiGroups":["controller.devfile.io"],"resources":["devworkspaceoperatorconfigs"],"verbs":["get"]}

Common Test Scenarios

  • Deploy Eclipse Che
  • Start an empty workspace
  • Open terminal and build/run an image
  • Stop a workspace
  • Check operator logs for reconciliation errors or infinite reconciliation loops

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.

The dashboard backup feature needs to read the DWOC to get backup
configuration (schedule, registry path, auth secret name). Without
this permission, the dashboard SA gets 403 Forbidden when reading
the DWOC in the DWO namespace, causing backup endpoints to fail
for all users.

Assisted-by: Claude Opus 4.6

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>
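
The jq check in the test steps confirms that a matching rule exists; it does not show whether some other rule in the same ClusterRole grants more than `get` on the DWOC. The Python below is an added example, not code from this PR or from che-operator: it applies Kubernetes RBAC wildcard matching to a list of rules and reports the effective verbs on `devworkspaceoperatorconfigs`. The function names and the sample rules are constructed for illustration.

```python
# Constructed sample rules: EXPECTED mirrors the output quoted in the PR's
# jq check; TOO_BROAD is a constructed over-permissive variant for contrast.
EXPECTED = {"apiGroups": ["controller.devfile.io"],
            "resources": ["devworkspaceoperatorconfigs"], "verbs": ["get"]}
TOO_BROAD = {"apiGroups": ["controller.devfile.io"], "resources": ["*"], "verbs": ["*"]}
GROUP = "controller.devfile.io"
RESOURCE = "devworkspaceoperatorconfigs"
ALL_VERBS = ["get", "list", "watch", "create", "update", "patch",
             "delete", "deletecollection"]


def _matches(values, wanted):
    """Kubernetes RBAC list semantics: "*" matches any value."""
    return "*" in values or wanted in values


def allowed_verbs(rules, group=GROUP, resource=RESOURCE):
    """Return the sorted verbs that the rules grant on group/resource."""
    granted = set()
    for rule in rules:
        if _matches(rule.get("apiGroups", []), group) and \
                _matches(rule.get("resources", []), resource):
            verbs = rule.get("verbs", [])
            granted.update(ALL_VERBS if "*" in verbs else verbs)
    return sorted(granted)


def audit(rules):
    """Return (ok, findings); ok only if 'get' is granted and nothing else."""
    verbs = allowed_verbs(rules)
    findings = []
    if "get" not in verbs:
        findings.append("missing get: backup endpoints would return 403")
    extra = [v for v in verbs if v != "get"]
    if extra:
        findings.append("broader than the PR's rule: " + ",".join(extra))
    return (not findings, findings)


if __name__ == "__main__":
    for name, rules in [("expected", [EXPECTED]), ("too broad", [TOO_BROAD]), ("no rule", [])]:
        print(name, audit(rules))
```
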
@openshift-ci

openshift-ci bot commented Mar 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: akurinnoy, dkwon17, rohanKanojia

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tolusha
Contributor

tolusha commented Mar 19, 2026

/retest

@tolusha tolusha merged commit bfb39e5 into main Mar 19, 2026
21 checks passed
@tolusha tolusha deleted the fix/dashboard-sa-dwoc-rbac branch March 19, 2026 13:08
akurinnoy added a commit that referenced this pull request Mar 19, 2026
dkwon17 pushed a commit to dkwon17/che-operator that referenced this pull request Mar 19, 2026
…lipse-che#2099)
dkwon17 pushed a commit that referenced this pull request Mar 19, 2026