✨ Admission for APIExportEndpointSlice #2560
Conversation
openshift-ci
bot
added
the
kind/api-change
|
There are a few checks that seem redundant as the APIExport reference is marked as mandatory and immutable. I would welcome a second opinion on whether they should still be kept (like for APIBinding) or removed. |
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Show resolved
Hide resolved
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Outdated
Show resolved
Hide resolved
|
|
||
| var oldSlice *apisv1alpha1.APIExportEndpointSlice | ||
| if a.GetOperation() == admission.Update { | ||
| u, ok := a.GetOldObject().(*unstructured.Unstructured) |
There was a problem hiding this comment.
what is the purpose of this block since all it does is to assign value to oldSlice variable
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Outdated
Show resolved
Hide resolved
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Outdated
Show resolved
Hide resolved
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Show resolved
Hide resolved
fgiloux
force-pushed
the
slice-permissions
branch
from
db84695
to
d8e1a2d
Compare
| @@ -322,3 +305,23 @@ func (o *apiBindingAdmission) SetKcpInformers(informers kcpinformers.SharedInfor | |||
| indexers.ByLogicalClusterPathAndName: indexers.IndexByLogicalClusterPathAndName, | |||
| }) | |||
| } | |||
|
|
|||
| func CheckAPIExportAccess(ctx context.Context, user user.Info, apiExportName string, authz authorizer.Authorizer) error { | |||
There was a problem hiding this comment.
I'd move it to pkg/admission/helpers or maybe even pkg/authorization
There was a problem hiding this comment.
I would keep it under admission. Due to the user info I am not expecting it to be useful somewhere else. I am not found of "helpers" packages... I am not finding the name helpful :-)
I will put it under pkg/admission/authorization. Let me know if you have concerns with it.
fgiloux
force-pushed
the
slice-permissions
branch
from
d8e1a2d
to
8b02a34
Compare
| limitations under the License. | ||
| */ | ||
|
|
||
| package authorization |
There was a problem hiding this comment.
pkg/admission/authorization looks strange, no?
There was a problem hiding this comment.
I can rename it to permissions if you prefer but that's basically the same idea
| o.apiExportIndexer = informers.Apis().V1alpha1().APIExports().Informer().GetIndexer() | ||
|
|
||
| indexers.AddIfNotPresentOrDie(informers.Tenancy().V1alpha1().WorkspaceTypes().Informer().GetIndexer(), cache.Indexers{ | ||
| indexers.ByLogicalClusterPathAndName: indexers.IndexByLogicalClusterPathAndName, |
There was a problem hiding this comment.
why do we need this indexer?
There was a problem hiding this comment.
Good point. I am removing it. It is also in the apibinding admission and I could not see any use of it there either. It could be fixed there in a subsequent PR
| o.SetReadyFunc(func() bool { | ||
| return apiExportsReady() | ||
| }) | ||
| o.apiExportLister = informers.Apis().V1alpha1().APIExports().Lister() |
There was a problem hiding this comment.
where is this field used?
There was a problem hiding this comment.
Good point. I am removing it. It is also in the apibinding admission and I could not see any use of it there either. It could be fixed there in a subsequent PR
| // ValidateInitialization ensures the required injected fields are set. | ||
| func (o *apiExportEndpointSliceAdmission) ValidateInitialization() error { | ||
| if o.deepSARClient == nil { | ||
| return fmt.Errorf(PluginName + " plugin needs a Kubernetes ClusterInterface") |
There was a problem hiding this comment.
wrong msg ? it needs a DeepSARClient
There was a problem hiding this comment.
a DeepSARClient is a Kubernetes ClusterInterface
There was a problem hiding this comment.
Yeah but the error is less useful if it's less specific?
There was a problem hiding this comment.
e.g. there is an injector for just the client, and one very specifically for SetDeepSARClient
fgiloux
force-pushed
the
slice-permissions
branch
2 times, most recently
from
6a37518
to
feae98c
Compare
|
/lgtm |
|
/assign @sttts for approval |
|
@p0lyn0mial: GitHub didn't allow me to assign the following users: for, approval. Note that only kcp-dev members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
pkg/admission/apiexportendpointslice/apiexportendpointslice_admission.go
Outdated
Show resolved
Hide resolved
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
fgiloux
force-pushed
the
slice-permissions
branch
from
feae98c
to
104797e
Compare
|
/retest |
1 similar comment
|
/retest |
fgiloux
force-pushed
the
slice-permissions
branch
from
104797e
to
f89328b
Compare
|
/lgtm |
fgiloux
force-pushed
the
slice-permissions
branch
from
f89328b
to
6603d5a
Compare
|
I needed to rebase as the signature of delegated.NewDelegatedAuthorizer had changed. lgtm needed again. Sorry :-( |
|
Mind fixing #2560 (comment) while you're at it? |
…ainst the referenced APIExport. Signed-off-by: Frederic Giloux <[email protected]>
fgiloux
force-pushed
the
slice-permissions
branch
from
6603d5a
to
0a230b9
Compare
|
/lgtm |
Summary
check for binding authorization against the referenced APIExport.
Signed-off-by: Frederic Giloux [email protected]
Related issue(s)
Contributes to #2332