-
Notifications
You must be signed in to change notification settings - Fork 391
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Admission for APIExportEndpointSlice #2560
Conversation
There are a few checks that seem redundant as the APIExport reference is marked as mandatory and immutable. I would welcome a second opinion on whether they should still be kept (like for APIBinding) or removed. |
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Show resolved
Hide resolved
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Outdated
Show resolved
Hide resolved
|
||
var oldSlice *apisv1alpha1.APIExportEndpointSlice | ||
if a.GetOperation() == admission.Update { | ||
u, ok := a.GetOldObject().(*unstructured.Unstructured) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what is the purpose of this block since all it does is to assign value to oldSlice
variable
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Outdated
Show resolved
Hide resolved
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Outdated
Show resolved
Hide resolved
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Show resolved
Hide resolved
db84695
to
d8e1a2d
Compare
@@ -322,3 +305,23 @@ func (o *apiBindingAdmission) SetKcpInformers(informers kcpinformers.SharedInfor | |||
indexers.ByLogicalClusterPathAndName: indexers.IndexByLogicalClusterPathAndName, | |||
}) | |||
} | |||
|
|||
func CheckAPIExportAccess(ctx context.Context, user user.Info, apiExportName string, authz authorizer.Authorizer) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd move it to pkg/admission/helpers
or maybe even pkg/authorization
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would keep it under admission. Due to the user info I am not expecting it to be useful somewhere else. I am not found of "helpers" packages... I am not finding the name helpful :-)
I will put it under pkg/admission/authorization
. Let me know if you have concerns with it.
d8e1a2d
to
8b02a34
Compare
limitations under the License. | ||
*/ | ||
|
||
package authorization |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pkg/admission/authorization
looks strange, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can rename it to permissions if you prefer but that's basically the same idea
o.apiExportIndexer = informers.Apis().V1alpha1().APIExports().Informer().GetIndexer() | ||
|
||
indexers.AddIfNotPresentOrDie(informers.Tenancy().V1alpha1().WorkspaceTypes().Informer().GetIndexer(), cache.Indexers{ | ||
indexers.ByLogicalClusterPathAndName: indexers.IndexByLogicalClusterPathAndName, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do we need this indexer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. I am removing it. It is also in the apibinding admission and I could not see any use of it there either. It could be fixed there in a subsequent PR
o.SetReadyFunc(func() bool { | ||
return apiExportsReady() | ||
}) | ||
o.apiExportLister = informers.Apis().V1alpha1().APIExports().Lister() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where is this field used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. I am removing it. It is also in the apibinding admission and I could not see any use of it there either. It could be fixed there in a subsequent PR
// ValidateInitialization ensures the required injected fields are set. | ||
func (o *apiExportEndpointSliceAdmission) ValidateInitialization() error { | ||
if o.deepSARClient == nil { | ||
return fmt.Errorf(PluginName + " plugin needs a Kubernetes ClusterInterface") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wrong msg ? it needs a DeepSARClient
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a DeepSARClient is a Kubernetes ClusterInterface
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah but the error is less useful if it's less specific?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
e.g. there is an injector for just the client, and one very specifically for SetDeepSARClient
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
6a37518
to
feae98c
Compare
/lgtm |
/assign @sttts for approval |
@p0lyn0mial: GitHub didn't allow me to assign the following users: for, approval. Note that only kcp-dev members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Outdated
Show resolved
Hide resolved
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
feae98c
to
104797e
Compare
/retest |
1 similar comment
/retest |
104797e
to
f89328b
Compare
/lgtm |
f89328b
to
6603d5a
Compare
I needed to rebase as the signature of delegated.NewDelegatedAuthorizer had changed. lgtm needed again. Sorry :-( |
Mind fixing #2560 (comment) while you're at it? |
…ainst the referenced APIExport. Signed-off-by: Frederic Giloux <fgiloux@redhat.com>
6603d5a
to
0a230b9
Compare
/lgtm |
Summary
check for binding authorization against the referenced APIExport.
Signed-off-by: Frederic Giloux fgiloux@redhat.com
Related issue(s)
Contributes to #2332