Merged
Changes from 3 commits
1 change: 1 addition & 0 deletions modules/administration-guide/nav.adoc
Expand Up @@ -115,6 +115,7 @@
** xref:configuring-single-and-multiroot-workspaces.adoc[]
** xref:trusted-extensions-for-microsoft-visual-studio-code.adoc[]
** xref:default-extensions-for-microsoft-visual-studio-code.adoc[]
** xref:manage-extension-installation.adoc[]
** xref:editor-configurations-for-microsoft-visual-studio-code.adoc[]
* xref:managing-workloads-using-the-che-server-api.adoc[]
* xref:upgrading-che.adoc[]
Expand Up @@ -12,4 +12,5 @@ Learn how to configure Visual Studio Code - Open Source ("Code - OSS").
* xref:configuring-single-and-multiroot-workspaces.adoc[]
* xref:trusted-extensions-for-microsoft-visual-studio-code.adoc[]
* xref:default-extensions-for-microsoft-visual-studio-code.adoc[]
* xref:editor-configurations-for-microsoft-visual-studio-code.adoc[]
* xref:editor-configurations-for-microsoft-visual-studio-code.adoc[]
* xref:manage-extension-installation.adoc[]
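Review bot: the new `manage-extension-installation.adoc` xref is appended after `editor-configurations-for-microsoft-visual-studio-code.adoc` in this list but inserted before it in nav.adoc in the previous hunk, so the navigation tree and this overview page will list the pages in different orders; pick one position and use it in both files. The repeated editor-configurations line in this hunk is most likely the diff marking that the original file had no trailing newline, which is fine, but since the last line is being rewritten anyway, check that the final file ends with exactly one newline.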
Expand Up @@ -17,11 +17,19 @@ The following sections are currently supported:
* extensions.json
* product.json
* configurations.json
* policy.json

The *settings.json* section contains various settings with which you can customize different parts of the Code - OSS editor. +
The *extensions.json* section contains recommended extensions that are installed when a workspace is started. +
The *product.json* section contains properties that you need to add to the editor's *product.json* file. If the property already exists, its value will be updated. +
The *configurations.json* section contains properties for Code - OSS editor configuration. For example, you can use the `extensions.install-from-vsix-enabled` property to disable `Install from VSIX` command.
The *configurations.json* section contains properties for Code - OSS editor configuration. For example, you can use the `extensions.install-from-vsix-enabled` property to disable `Install from VSIX` menu item in the Extensions panel.
[NOTE]
====
The `extensions.install-from-vsix-enabled` property disables only the UI action. Extensions can still be installed via the `workbench.extensions.command.installFromVSIX` API command or the CLI. To block these paths as well, see xref:manage-extension-installation.adoc[].
====


The *policy.json* section allows to control over Code - OSS extension installation using the AllowedExtensions policy, as well as the ability to fully block extension installation. See xref:manage-extension-installation.adoc[].

.Procedure

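Review bot: the added policy.json sentence is ungrammatical ("allows to control over Code - OSS extension installation using the AllowedExtensions policy, as well as the ability to fully block extension installation"); suggest "The *policy.json* section lets you control Code - OSS extension installation through the `AllowedExtensions` policy and block extension installation entirely. See xref:manage-extension-installation.adoc[]." with `AllowedExtensions` in backticks like the other identifiers in this section. The new NOTE is the right caveat: `extensions.install-from-vsix-enabled` only hides the menu item, and a user with a terminal or an extension calling the API command still gets a VSIX installed, so the cross-reference to the blocking properties is what makes this setting safe to rely on; keep it. Minor: there is a double blank line before the policy.json paragraph.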
@@ -0,0 +1,153 @@
:_content-type: PROCEDURE
:description: Manage extension installation with ConfigMap
:keywords: extensions, workspace
:navtitle: Manage extension installation with ConfigMap
// :page-aliases:

[id="visual-studio-code-manage-extensions-installation"]
= Manage extension installation with ConfigMap

This page describes how Code - OSS manages extension installation using a ConfigMap.
With these controls, you can enforce a fine-grained allow/deny list using the `AllowedExtensions` policy and block installs via the CLI, default extensions, and the `workbench.extensions.command.installFromVSIX` API command.
The sections below show how to enable and enforce these controls in Code - OSS.


The following items are currently supported:

* BlockCliExtensionsInstallation property - when enabled, blocks installation of extensions via CLI
* BlockDefaultExtensionsInstallation property - when enabled, blocks installation of default extensions, see xref:default-extensions-for-microsoft-visual-studio-code.adoc[]
* BlockInstallFromVSIXCommandExtensionsInstallation property - when enabled, blocks installation of extensions via the workbench.extensions.command.installFromVSIX API command
* AllowedExtensions section - provides fine-grained control over Code - OSS extension installation; when this policy is applied, already installed extensions that are not allowed are disabled and show the warning `Some extensions are disabled because they are not allowed by your system administrator`. For conceptual background, see link:https://code.visualstudio.com/docs/setup/enterprise#_configure-allowed-extensions/[Configure allowed extensions].

.Procedure

* Add a new ConfigMap to the {prod-namespace} namespace and specify the properties you want to add.
+
====
[source,yaml]
----
kind: ConfigMap
apiVersion: v1
metadata:
name: vscode-editor-configurations
namespace: eclipse-che
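Review bot: the step text says to add the ConfigMap to the {prod-namespace} namespace while the listing hardcodes `namespace: eclipse-che`, so downstream builds that substitute the attribute will ship an example pointing at the wrong namespace; if the attribute cannot be expanded inside the listing (as the thread below discusses), state in the step that `eclipse-che` must be replaced with the product namespace. Also, the "currently supported" list names the properties bare (BlockCliExtensionsInstallation, ...) while the rest of the page puts the same names in backticks, and the "Configure allowed extensions" link carries a trailing slash after the `#_configure-allowed-extensions` fragment, which looks like a typo.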
Member Author:
It's not possible to use {prod-namespace} here instead of eclipse-che.
Is there any other way to do it?
Otherwise we need to replace the value manually for the downstream.

labels:
app.kubernetes.io/component: workspaces-config
app.kubernetes.io/part-of: che.eclipse.org
annotations:
controller.devfile.io/mount-as: file
controller.devfile.io/mount-path: /checode-config
controller.devfile.io/read-only: 'true'

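Review bot: `controller.devfile.io/mount-as: file` together with `controller.devfile.io/mount-path: /checode-config` mounts the ConfigMap as a whole directory at that path, which masks anything else the editor already keeps under /checode-config; the contributor comment below recommends `controller.devfile.io/mount-as: subpath` for exactly this reason, and the author reports updating, yet this listing and the two that follow still show `file` in this view, so confirm that the final revision of all three examples matches.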
Member Author:
I've added these annotations to get the policy.json section as a file on the file system.
@tolusha, is it OK from your point of view?

Tbh, I thought these annotations were added automatically to the corresponding ConfigMap in the user namespace,
but it is not true. Many thanks to @rgrunber for thorough testing!

Contributor:
Hello.

Only the following labels are added automatically, but not annotations:

* controller.devfile.io/mount-to-devworkspace
* controller.devfile.io/watch-configmap

It is better to use `controller.devfile.io/mount-as: subpath`, otherwise you will override the /checode-config directory completely.

Member Author:
Thank you!
Updated in 5940b0d.

data:
policy.json: |
{
"BlockCliExtensionsInstallation": true,
"BlockDefaultExtensionsInstallation": true,
"BlockInstallFromVSIXCommandExtensionsInstallation": true,
"AllowedExtensions": {
"*": true,
"dbaeumer.vscode-eslint": false,
"ms-python.python": false,
"redhat": false
}
}
----
====

[NOTE]
====
Make sure that the Configmap contains data in a valid JSON format.
====

* Start or restart your workspace


TIP: To completely disable extension installation, set all extensions to disallowed:
====
[source,yaml]
----
kind: ConfigMap
apiVersion: v1
metadata:
name: vscode-editor-configurations
namespace: eclipse-che

labels:
app.kubernetes.io/component: workspaces-config
app.kubernetes.io/part-of: che.eclipse.org
annotations:
controller.devfile.io/mount-as: file
controller.devfile.io/mount-path: /checode-config
controller.devfile.io/read-only: 'true'

data:
policy.json: |
{
"AllowedExtensions": {
"*": false
}
}
----
====

* Optional: To add the ConfigMap in the user's namespace, use the following example:
+
====
[source,yaml]
----
kind: ConfigMap
apiVersion: v1
metadata:
name: vscode-editor-configurations
labels:
controller.devfile.io/mount-to-devworkspace: 'true'
controller.devfile.io/watch-configmap: 'true'
annotations:
controller.devfile.io/mount-as: file
controller.devfile.io/mount-path: /checode-config
controller.devfile.io/read-only: 'true'
data:
policy.json: |
{
"AllowedExtensions": {
"*": false
}
}
----
====
+
[WARNING]
====
When the ConfigMap is stored in the user's namespace, the user can edit its values.
====

.Verification
. Verify that the `BlockCliExtensionsInstallation` property is applied:
* Press `F1` → `Preferences: Open Settings (UI)`, and enter `BlockCliExtensionsInstallation` in the search field => The setting from the ConfigMap should appear in Settings.
* Provide a file with the `.vsix` extension (for example, `redhat.java-1.43.1.vsix`) in your workspace.
* Open a terminal and use the CLI to install the extension, for example: `/checode/checode-linux-libc/ubi9/bin/remote-cli/code-oss --install-extension /projects/web-nodejs-sample/redhat.java-1.43.1.vsix`
* The extension should not install; the terminal shows: `Installation of extensions via CLI has been blocked by an administrator`.

. Verify that the `BlockDefaultExtensionsInstallation` property is applied:
* Press `F1` → `Preferences: Open Settings (UI)`, and enter `BlockDefaultExtensionsInstallation` in the search field => The setting from the ConfigMap should appear in Settings.
* Configure default extensions: see xref:default-extensions-for-microsoft-visual-studio-code.adoc[].
* Open the Extensions view.
* Verify that default extensions are not installed when the workspace started/restarted.

. Verify that the `BlockInstallFromVSIXCommandExtensionsInstallation` property is applied:
* Press `F1` → `Preferences: Open Settings (UI)`, and enter `BlockInstallFromVSIXCommandExtensionsInstallation` in the search field => The setting from the ConfigMap should appear in Settings.
* This property blocks installing extensions via the `workbench.extensions.command.installFromVSIX` API command.
* For example, an extension might call: `vscode.commands.executeCommand('workbench.extensions.command.installFromVSIX', URL);`
* It is not possible to install an extension from a `.vsix` when this property is set to `true`.

. Verify that rules defined in the `AllowedExtensions` section are applied:
* Press `F1` → `Preferences: Open Settings (UI)`, and enter `extensions.allowed` in the search field.
* All settings from the `AllowedExtensions` section of the ConfigMap should be present in Settings.
* Use `F1 → Open View → Extensions` to open the Extensions view, disallowed extensions has `This extension cannot be installed because it is not in the allowed list` warning
* Try to install allowed and disallowed extensions to verify that the ConfigMap rules are enforced.

. Verify that rules defined in the `AllowedExtensions` section are applied:
* Press `F1` → `Preferences: Open Settings (UI)`, and enter `extensions.allowed` in the search field.
* All settings from the `AllowedExtensions` section of the ConfigMap should be present in Settings.
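Review bot: the WARNING on the user-namespace variant understates the consequence: because the user can edit that ConfigMap, they can simply delete `"*": false` and install anything again, so that form is a per-user default rather than an enforcement control; say explicitly that only the ConfigMap in the product namespace, which the user cannot modify, enforces the policy. Other points in this region: the NOTE after the first listing and the TIP with its example block are not attached to the list with `+`, so the `* Optional:` item that follows starts a new list in the rendered output; in the `executeCommand` example, `URL` reads as the JavaScript global constructor, while the command takes a URI to the .vsix (a `vscode.Uri` from an extension), so name the argument `vsixUri` or similar; "disallowed extensions has ... warning" should read "disallowed extensions show the ... warning"; "Configmap" in the NOTE should be "ConfigMap"; and the final three lines repeat the start of the `AllowedExtensions` verification step and should be dropped.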