✨ Add inactive annotation to logicalcluster #3152
Conversation
kcp-ci-bot
added
release-note
|
Hi @RedbackThomson. Thanks for your PR. I'm waiting for a kcp-dev member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
kcp-ci-bot
added
the
needs-ok-to-test
Signed-off-by: Nicholas Thomson <[email protected]>
RedbackThomson
force-pushed
the
inactive_workspaces
branch
from
4fbb142
to
cdd8d2a
Compare
kcp-ci-bot
added
dco-signoff: yes
| @@ -445,6 +445,7 @@ func NewConfig(opts kcpserveroptions.CompletedOptions) (*Config, error) { | |||
| apiHandler = filters.WithWarningRecorder(apiHandler) | |||
|
|
|||
| apiHandler = kcpfilters.WithAuditEventClusterAnnotation(apiHandler) | |||
| apiHandler = kcpfilters.WithBlockInactiveLogicalClusters(apiHandler, c.KcpSharedInformerFactory.Core().V1alpha1().LogicalClusters()) | |||
There was a problem hiding this comment.
Wondering, what speaks against putting it just before auth, i.e. line 411 or 426 ?
There was a problem hiding this comment.
I honestly had no intuition as to where it should go. Let me know :)
pkg/server/filters/filters.go
Outdated
| if err == nil { | ||
| if ann, ok := logicalCluster.ObjectMeta.Annotations[inactiveAnnotation]; ok && ann == "true" { | ||
| responsewriters.ErrorNegotiated( | ||
| apierrors.NewBadRequest("logical cluster is marked inactive"), |
There was a problem hiding this comment.
400 is explicitly a client error. Looking through the list
403 Forbidden
423 Locked
503 Service Unavailable
What do we return when accessing a logical cluster without the LogicalCluster object? 403 I assume? Maybe that would be the right response here too.
|
Wondering, a small e2e test would be good. |
|
/ok-to-test |
kcp-ci-bot
added
ok-to-test
|
What about discovery? Should we allow that? Why do you need OpenAPI (am just curious) ? |
|
What kind of maintenance would this feature allow? If everything except the LogicalCluster is blocked, what can you reasonably do during a maintenance window? |
Without the OpenAPI endpoint, |
My use case is that I'm rebuilding the cluster by restoring from an etcd snapshot and in that time I don't want controllers to access resources before they're fully reapplied. |
kcp-ci-bot
added
dco-signoff: no
Signed-off-by: Nicholas Thomson <[email protected]>
RedbackThomson
force-pushed
the
inactive_workspaces
branch
from
1ec5705
to
4df1bd8
Compare
kcp-ci-bot
added
dco-signoff: yes
|
/retest-required |
|
/lgtm |
|
LGTM label has been added. Git tree hash: 17f26e8c7f809b8d8a7fc1bf6e62df8cdffef172
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kcp-ci-bot
added
the
approved
|
/kind feature |
kcp-ci-bot
added
the
kind/feature
Summary
In order to do maintenance on a workspace, without controllers reconciling the resources inside the window during the maintenance period, I need a mechanism by which to disable access to the workspace. This feature adds a new optional annotation to
LogicalClusterwhich disables API access through to the resource while present:All requests to the logical cluster while the annotation is set are denied with a 400 error, except for requests to CRUD the logical cluster itself or the OpenAPI spec (so that you can reasonably disable the annotation).
Related issue(s)
None
Release Notes