procedures: Manage extension installation in Code - OSS with ConfigMap #3012
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| :_content-type: PROCEDURE | ||
| :description: Manage extension installation with ConfigMap | ||
| :keywords: extensions, workspace | ||
| :navtitle: Manage extension installation with ConfigMap | ||
| // :page-aliases: | ||
|
|
||
| [id="visual-studio-code-manage-extensions-installation"] | ||
| = Manage extension installation with ConfigMap | ||
|
|
||
| This page describes how Code - OSS manages extension installation using a ConfigMap. | ||
| With these controls, you can enforce a fine-grained allow/deny list using the `AllowedExtensions` policy and block installs via the CLI, default extensions, and the `workbench.extensions.command.installFromVSIX` API command. | ||
| The sections below show how to enable and enforce these controls in Code - OSS. | ||
|
|
||
|
|
||
| The following items are currently supported: | ||
|
|
||
| * BlockCliExtensionsInstallation property - when enabled, blocks installation of extensions via CLI | ||
| * BlockDefaultExtensionsInstallation property - when enabled, blocks installation of default extensions, see xref:default-extensions-for-microsoft-visual-studio-code.adoc[] | ||
| * BlockInstallFromVSIXCommandExtensionsInstallation property - when enabled, blocks installation of extensions via the workbench.extensions.command.installFromVSIX API command | ||
| * AllowedExtensions section - provides fine-grained control over Code - OSS extension installation. For conceptual background, see link:https://code.visualstudio.com/docs/setup/enterprise#_configure-allowed-extensions/[Configure allowed extensions]. | ||
|
|
||
| .Procedure | ||
|
|
||
| * Add a new ConfigMap to the {prod-namespace} namespace and specify the properties you want to add. | ||
| + | ||
| ==== | ||
| [source,yaml] | ||
| ---- | ||
| kind: ConfigMap | ||
| apiVersion: v1 | ||
| metadata: | ||
| name: vscode-editor-configurations | ||
| namespace: eclipse-che | ||
|
Member
Author
It's not possible to use |
||
|
|
||
| labels: | ||
| app.kubernetes.io/component: workspaces-config | ||
| app.kubernetes.io/part-of: che.eclipse.org | ||
|
|
||
|
Contributor
Hello. Only the following labels are added automatically, but not annotations:
It is better to use
Member
Author
Thank you! |
||
| data: | ||
| policy.json: | | ||
| { | ||
| "BlockCliExtensionsInstallation": true, | ||
| "BlockDefaultExtensionsInstallation": true, | ||
| "BlockInstallFromVSIXCommandExtensionsInstallation": true, | ||
| "AllowedExtensions": { | ||
| "*": true, | ||
| "dbaeumer.vscode-eslint": false, | ||
| "ms-python.python": false, | ||
| "redhat": false | ||
| } | ||
| } | ||
| ---- | ||
| ==== | ||
|
|
||
| * Start or restart your workspace | ||
|
|
||
| [NOTE] | ||
| ==== | ||
| Make sure that the Configmap contains data in a valid JSON format. | ||
| ==== | ||
|
|
||
| .Verification | ||
| . Verify that the `BlockCliExtensionsInstallation` property is applied: | ||
| * Provide a file with the `.vsix` extension (for example, `redhat.java-1.43.1.vsix`) in your workspace. | ||
| * Open a terminal and use the CLI to install the extension, for example: `/checode/checode-linux-libc/ubi9/bin/remote-cli/code-oss --install-extension /projects/web-nodejs-sample/redhat.java-1.43.1.vsix` | ||
| * The extension should not install; the terminal shows: `Installation of extensions via CLI has been blocked by an administrator`. | ||
|
|
||
| . Verify that the `BlockDefaultExtensionsInstallation` property is applied: | ||
| * Configure default extensions: see xref:default-extensions-for-microsoft-visual-studio-code.adoc[]. | ||
| * Open the Extensions view. | ||
| * Verify that default extensions are not installed when the workspace started/restarted. | ||
|
|
||
| . Verify that the `BlockInstallFromVSIXCommandExtensionsInstallation` property is applied: | ||
| * This property blocks installing extensions via the `workbench.extensions.command.installFromVSIX` API command. | ||
| * For example, an extension might call: `vscode.commands.executeCommand('workbench.extensions.command.installFromVSIX', URL);` | ||
| * It is not possible to install an extension from a `.vsix` when this property is set to `true`. | ||
|
|
||
| . Verify that rules defined in the `AllowedExtensions` section are applied: | ||
| * Press `F1` → `Preferences: Open Settings (UI)`, and enter `extensions.allowed` in the search field. | ||
| * All settings from the `AllowedExtensions` section of the ConfigMap should be present in Settings. | ||
|
|
||
| [NOTE] | ||
| ==== | ||
| Only properties from the `AllowedExtensions` section are displayed in Settings. The `BlockCliExtensionsInstallation`, `BlockDefaultExtensionsInstallation`, and `BlockInstallFromVSIXCommandExtensionsInstallation` properties are not displayed and are handled separately. | ||
| ==== | ||
|
|
||
| * Use `F1 → Open View → Extensions` to open the Extensions view, disallowed extensions has `This extension cannot be installed because it is not in the allowed list` warning | ||
| * Try to install allowed and disallowed extensions to verify that the ConfigMap rules are enforced. | ||
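Review bot: The `policy.json` sample under `AllowedExtensions` opens with `"*": true` and then sets three entries to `false`, so as written it is a default-allow policy with a short deny list, and nothing in the procedure says what each key form selects. Consider adding a sentence after the example that explains the wildcard, the publisher-only key (`"redhat"`) and the full extension id (`"ms-python.python"`), and states that anything not listed remains installable with this sample, so administrators who want a strict allow list know to change the wildcard. Smaller points in the same hunk: the manifest hardcodes `namespace: eclipse-che` while the step text says `{prod-namespace}`; the link in the `AllowedExtensions` bullet has a `/` after the `#_configure-allowed-extensions` fragment, which becomes part of the anchor; the NOTE spells it `Configmap` where the rest of the page uses `ConfigMap`; and the verification item for `BlockInstallFromVSIXCommandExtensionsInstallation` describes the property but gives no action to perform or result to expect, unlike the CLI item, which quotes the exact terminal message.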
It might be useful to clarify that it seems this setting also serves as a restriction on extension activation. For example, in the case we discussed where someone could just insert an extension at `/checode/remote/extensions/` and update the `extensions.json` file there, the extension does get installed, but this property blocks the activation: