Cannot create web-terminals as kubeadmin on OpenShift 4.15 #13696

Open
AObuchow opened this issue Mar 26, 2024 · 6 comments

@AObuchow

Prior to OCP 4.15, the OpenShift console expected the devworkspace's controller.devfile.io/creator label to be set to an empty string when logged in to the cluster as kubeadmin due to openshift/origin#24950. In essence, the kubeadmin user does not have a uid, and thus DevWorkspace-Operator sets the controller.devfile.io/creator label to an empty string when logged in as kubeadmin.

However, due to a recent change made to the OpenShift Console for 4.15, the OpenShift console is now expecting the controller.devfile.io/creator label to be set to kubeadmin's username, instead of its (empty string) uid, resulting in users not being able to access their web terminal instances when logged in as kubeadmin: "Error Loading OpenShift command line terminal: User is not a owner of the requested workspace".

Would it be possible to revert e87dc6f? And how quickly (if at all) would this change land in OCP 4.15?

Here is the related Web Terminal Operator bug.

Thank you :)

@stlaz
Member

stlaz commented Apr 3, 2024

e87dc6f cannot be reverted. We'll need to see what else we can do.

@stlaz
Member

stlaz commented Apr 3, 2024

@AObuchow which values do you set the controller.devfile.io/creator label to in a world where none of the users of the cluster have any UID, yet they are each different (different usernames)?

@ibuziuk

ibuziuk commented Apr 3, 2024

@stlaz could you clarify why it cannot be reverted and why it was implemented that way?
Another topic is e2e tests - why has #12922 not been merged since mid-2023? It should have caught that problem earlier, before the release. cc: @musienko-maxim

@stlaz
Member

stlaz commented Apr 3, 2024

#13719 (review) has the clarification.
I don't know anything about any e2e tests, I'm not a member of the console team.

@jerolimov
Member

/assign @musienko-maxim @jerolimov @vikram-raj

@AObuchow
Author

I've been working on resolving this issue on the DevWorkspace Operator side, and have made a few findings:

  • Setting the controller.devfile.io/creator value to a plain-text username can result in an invalid Kubernetes label that does not comply with the RFCs used. This is problematic for the case of kube:admin, where the : is not accepted as a Kubernetes label value.
    • Changes need to be made in how we store (on the DWO side) and retrieve (on the Console side) usernames in the controller.devfile.io/creator, perhaps through some agreed-upon encoding process.
  • The OpenShift Console's frontend is still hard-coded to expect the controller.devfile.io/creator label to be an empty string "" when kubeadmin creates a web terminal.
    • Changes will have to be made to the frontend in order to match the appropriate controller.devfile.io/creator value when a username (instead of a UID) is used.
    • For fixing the kubeadmin case alone, it'd be a matter of using the agreed-upon encoding process to use an encoded version of kube:admin as the label selector.

If anyone has any input on my proposal, please share your thoughts.
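
Added example (not part of the thread, and not DevWorkspace Operator or OpenShift Console code): a Go check of the Kubernetes label-value syntax showing why kube:admin is rejected, together with one possible encoding that both sides could compute. The encoding (lowercase unpadded base32 of the SHA-256 of the username) and all function names are assumptions for illustration; the thread does not settle on a scheme.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"regexp"
	"strings"
)

// Kubernetes label value syntax: at most 63 characters, either empty or
// alphanumeric at both ends with '-', '_' and '.' allowed in between.
var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

func isValidLabelValue(v string) bool {
	return len(v) <= 63 && labelValueRe.MatchString(v)
}

// encodeCreator is a hypothetical encoding (an assumption, not DWO's or the
// console's): lowercase unpadded base32 of SHA-256(username). The result is
// always 52 characters of [a-z2-7], so every username, whatever its length
// or characters, maps to a valid label value of fixed length.
func encodeCreator(username string) string {
	sum := sha256.Sum256([]byte(username))
	enc := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(sum[:])
	return strings.ToLower(enc)
}

// creatorSelector builds the label selector that the writer of the label and
// the reader of the label would both derive from the same username.
func creatorSelector(username string) string {
	return "controller.devfile.io/creator=" + encodeCreator(username)
}

func main() {
	// Constructed sample usernames, including one longer than 63 characters.
	users := []string{"kube:admin", "developer", "alice@example.com", strings.Repeat("x", 80)}
	for _, u := range users {
		e := encodeCreator(u)
		fmt.Printf("%q raw-valid=%v encoded=%s encoded-valid=%v\n",
			u, isValidLabelValue(u), e, isValidLabelValue(e))
	}
	fmt.Println(creatorSelector("kube:admin"))
}
```

Because the label feeds an ownership check, a hash is used here instead of replacing the rejected characters: a substitution such as turning `:` into `-` would let two different usernames produce the same creator value.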
