Require Knative to be installed only on an RBAC kubernetes cluster

app/assets/javascripts/clusters/clusters_bundle.js

@@ -32,6 +32,7 @@ export default class Clusters {
       installKnativePath,
       installPrometheusPath,
       managePrometheusPath,
+      hasRbac,
       clusterType,
       clusterStatus,
       clusterStatusReason,
@@ -45,6 +46,7 @@ export default class Clusters {
     this.store.setManagePrometheusPath(managePrometheusPath);
     this.store.updateStatus(clusterStatus);
     this.store.updateStatusReason(clusterStatusReason);
+    this.store.updateRbac(hasRbac);
     this.service = new ClustersService({
       endpoint: statusPath,
       installHelmEndpoint: installHelmPath,
@@ -102,6 +104,7 @@ export default class Clusters {
             ingressHelpPath: this.state.ingressHelpPath,
             managePrometheusPath: this.state.managePrometheusPath,
             ingressDnsHelpPath: this.state.ingressDnsHelpPath,
+            rbac: this.state.rbac,
           },
         });
       },

app/assets/javascripts/clusters/components/applications.vue

@@ -52,6 +52,11 @@ export default {
       required: false,
       default: '',
     },
+    rbac: {
+      type: Boolean,
+      required: false,
+      default: false,
+    },
   },
   data: () => ({
     elasticsearchLogo,
@@ -442,6 +447,18 @@ export default {
         title-link="https://github.com/knative/docs"
       >
         <div slot="description">
+          <span v-if="!rbac">
+            <p v-if="!rbac" class="bs-callout bs-callout-info append-bottom-0">
+              {{
+                s__(`ClusterIntegration|You must have an RBAC-enabled cluster
+              to install Knative.`)
+              }}
+              <a :href="helpPath" target="_blank" rel="noopener noreferrer">
+                {{ __('More information') }}
+              </a>
+            </p>
+            <br />
+          </span>
           <p>
             {{
               s__(`ClusterIntegration|Knative extends Kubernetes to provide
@@ -465,7 +482,7 @@ export default {
               />
             </div>
           </template>
-          <template v-else-if="helmInstalled">
+          <template v-else-if="helmInstalled && rbac">
             <div class="form-group">
               <label for="knative-domainname">
                 {{ s__('ClusterIntegration|Knative Domain Name:') }}

app/assets/javascripts/clusters/stores/clusters_store.js

 import { s__ } from '../../locale';
+import { parseBoolean } from '../../lib/utils/common_utils';
 import { INGRESS, JUPYTER, KNATIVE, CERT_MANAGER } from '../constants';
 export default class ClusterStore {
@@ -7,6 +8,7 @@ export default class ClusterStore {
       helpPath: null,
       ingressHelpPath: null,
       status: null,
+      rbac: false,
       statusReason: null,
       applications: {
         helm: {
@@ -81,6 +83,10 @@ export default class ClusterStore {
     this.state.status = status;
   }
+  updateRbac(rbac) {
+    this.state.rbac = parseBoolean(rbac);
+  }
+
   updateStatusReason(reason) {
     this.state.statusReason = reason;
   }

app/models/clusters/applications/knative.rb

@@ -19,6 +19,13 @@ module Clusters
       self.reactive_cache_key = ->(knative) { [knative.class.model_name.singular, knative.id] }
+      def set_initial_status
+        return unless not_installable?
+        return unless verify_cluster?
+
+        self.status = 'installable'
+      end
+
       state_machine :status do
         after_transition any => [:installed] do |application|
           application.run_after_commit do
@@ -99,6 +106,10 @@ module Clusters
       def install_knative_metrics
         ["kubectl apply -f #{METRICS_CONFIG}"] if cluster.application_prometheus_available?
       end
+
+      def verify_cluster?
+        cluster&.application_helm_available? && cluster&.platform_kubernetes_rbac?
+      end
     end
   end
 end

app/views/clusters/clusters/show.html.haml

@@ -16,6 +16,7 @@
   install_jupyter_path: clusterable.install_applications_cluster_path(@cluster, :jupyter),
   install_knative_path: clusterable.install_applications_cluster_path(@cluster, :knative),
   toggle_status: @cluster.enabled? ? 'true': 'false',
+  has_rbac: @cluster.platform_kubernetes_rbac? ? 'true': 'false',
   cluster_type: @cluster.cluster_type,
   cluster_status: @cluster.status_name,
   cluster_status_reason: @cluster.status_reason,

changelogs/unreleased/knative-rbac-check.yml

+---
+title: Require Knative to be installed only on an RBAC kubernetes cluster
+merge_request: 23807
+author: Chris Baumbauer
+type: changed

locale/gitlab.pot

@@ -1842,6 +1842,9 @@ msgstr ""
 msgid "ClusterIntegration|You must first install Helm Tiller before installing the applications below"
 msgstr ""
+msgid "ClusterIntegration|You must have an RBAC-enabled cluster to install Knative."
+msgstr ""
+
 msgid "ClusterIntegration|Your account must have %{link_to_kubernetes_engine}"
 msgstr ""

spec/factories/clusters/clusters.rb

@@ -44,6 +44,10 @@ FactoryBot.define do
       provider_gcp factory: [:cluster_provider_gcp, :creating]
     end
+    trait :rbac_disabled do
+      platform_kubernetes factory: [:cluster_platform_kubernetes, :configured, :rbac_disabled]
+    end
+
     trait :disabled do
       enabled false
     end

spec/factories/clusters/platforms/kubernetes.rb

@@ -16,8 +16,8 @@ FactoryBot.define do
       end
     end
-    trait :rbac_enabled do
-      authorization_type :rbac
+    trait :rbac_disabled do
+      authorization_type :abac
     end
   end
 end

spec/features/projects/clusters/applications_spec.rb

@@ -70,6 +70,34 @@ describe 'Clusters Applications', :js do
         end
       end
+      context 'when user installs Knative' do
+        before do
+          create(:clusters_applications_helm, :installed, cluster: cluster)
+        end
+
+        context 'on an abac cluster' do
+          let(:cluster) { create(:cluster, :provided_by_gcp, :rbac_disabled, projects: [project])}
+
+          it 'should show info block and not be installable' do
+            page.within('.js-cluster-application-row-knative') do
+              expect(page).to have_css('.bs-callout-info')
+              expect(page.find(:css, '.js-cluster-application-install-button')['disabled']).to eq('true')
+            end
+          end
+        end
+
+        context 'on an rbac cluster' do
+          let(:cluster) { create(:cluster, :provided_by_gcp, projects: [project])}
+
+          it 'should not show callout block and be installable' do
+            page.within('.js-cluster-application-row-knative') do
+              expect(page).not_to have_css('.bs-callout-info')
+              expect(page).to have_css('.js-cluster-application-install-button:not([disabled])')
+            end
+          end
+        end
+      end
+
       context 'when user installs Cert Manager' do
         before do
           allow(ClusterInstallAppWorker).to receive(:perform_async)

spec/javascripts/clusters/stores/clusters_store_spec.js

@@ -62,6 +62,7 @@ describe('Clusters Store', () => {
         ingressHelpPath: null,
         status: mockResponseData.status,
         statusReason: mockResponseData.status_reason,
+        rbac: false,
         applications: {
           helm: {
             title: 'Helm Tiller',

spec/models/clusters/applications/knative_spec.rb

@@ -15,6 +15,13 @@ describe Clusters::Applications::Knative do
     allow(ClusterWaitForIngressIpAddressWorker).to receive(:perform_async)
   end
+  describe 'when rbac is not enabled' do
+    let(:cluster) { create(:cluster, :provided_by_gcp, :rbac_disabled) }
+    let(:knative_no_rbac) { create(:clusters_applications_knative, cluster: cluster) }
+
+    it { expect(knative_no_rbac).to be_not_installable }
+  end
+
   describe '.installed' do
     subject { described_class.installed }