Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Print warning only instead of error if no permission on ingressclass #7578

Merged
merged 3 commits into from
Oct 10, 2021
Merged

Print warning only instead of error if no permission on ingressclass #7578

merged 3 commits into from
Oct 10, 2021

Conversation

yong-jie-gong
Copy link
Contributor

…ter level resource IngressClass

What this PR does / why we need it:

for backaward compatibility, if serviceaccount who run the ingress-controller don't have permission on cluster level resource IngressClass, ingress-controller will fail directly. Add this PR to provide backaward compabitiltiy

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Which issue/s this PR fixes

fixes #7510
#7510

How Has This Been Tested?

Compile new ingress-controller and start with serviceaccount who don't have Permission on IngressClass

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Sep 2, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @yongjie-gong. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 2, 2021
@yong-jie-gong yong-jie-gong mentioned this pull request Sep 2, 2021
Closed
8 tasks
tao12345666333
tao12345666333 reviewed Sep 2, 2021
View reviewed changes
Copy link
Member

@tao12345666333 tao12345666333 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 2, 2021
@yong-jie-gong
Copy link
Contributor Author

/test pull-ingress-nginx-gofmt

1 similar comment
@yong-jie-gong
Copy link
Contributor Author

/test pull-ingress-nginx-gofmt

@rikatz rikatz added this to the v1.0.1 milestone Sep 7, 2021
@rikatz
Copy link
Contributor

rikatz commented Sep 7, 2021

/assign

Maybe canary error is valid, will look again

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 11, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 16, 2021
rikatz
rikatz reviewed Sep 16, 2021
View reviewed changes
cmd/nginx/main.go
Comment on lines +113 to +115
if errors.IsUnauthorized(err) {
klog.Fatalf("Error searching IngressClass: Please verify your RBAC and allow Ingress Controller to list and get Ingress Classes: %v", err)
} else if errors.IsForbidden(err) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the difference between unauthorized an forbidden?

When one can happen and other not?

After that clarification, lgtm

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yongjie-gong friendly reminder

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the difference here is code 401 (user not authenticated) vs 403 (user without permission to do that action).

We should rely on 403 always, but anyway seems like a good safeguard also to look into 401.

I'm going to merge this, but improve the logics on a follow up PR, leaving both 401 and 403 as situations to ignore IngressClass and adding some e2e tests for this.

@rikatz rikatz modified the milestones: v1.0.1, v1.0.2 Sep 20, 2021
@rikatz
Copy link
Contributor

rikatz commented Sep 21, 2021

@yongjie-gong I'm leaving this to v1.0.2 but we need to fix it ASAP :)

Thanks!

@rikatz rikatz mentioned this pull request Sep 21, 2021
Merged
10 tasks
@iamNoah1
Copy link
Contributor

/priority important-soon
/triage-accepted
/kind bug

@k8s-ci-robot k8s-ci-robot added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Sep 22, 2021
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. and removed needs-priority needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Sep 22, 2021
@iamNoah1
Copy link
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 22, 2021
@rikatz rikatz modified the milestones: v1.0.2, v1.1.0, v1.0.3 Sep 26, 2021
@rikatz rikatz modified the milestones: v1.0.3, v1.0.4 Oct 10, 2021
@rikatz
Copy link
Contributor

rikatz commented Oct 10, 2021

/lgtm
/approve
Will open a follow up on this.

Thanks!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 10, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz, yongjie-gong

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 10, 2021
@k8s-ci-robot k8s-ci-robot merged commit 6499393 into kubernetes:main Oct 10, 2021
@rikatz rikatz mentioned this pull request Oct 10, 2021
Merged
@phillebaba phillebaba mentioned this pull request Feb 22, 2022
Merged
rchshld pushed a commit to joomcode/ingress-nginx that referenced this pull request May 19, 2023
@yong-jie-gong @rchshld
Print warning only instead of error if no permission on ingressclass (k…
f07b6c2 
…ubernetes#7578)

* skip ingressclass check if ingressclass is not enabled

* reformat with gofmt
@yong-jie-gong yong-jie-gong restored the main branch November 14, 2023 09:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tao12345666333 tao12345666333 tao12345666333 left review comments

@rikatz rikatz rikatz left review comments

@iamNoah1 iamNoah1 iamNoah1 left review comments

@ElvinEfendi ElvinEfendi Awaiting requested review from ElvinEfendi

Assignees

@rikatz rikatz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.0.4
Development

Successfully merging this pull request may close these issues.

New ingress-controller should not mandate the cluster level permission on IngressClass
5 participants
@yong-jie-gong @k8s-ci-robot @rikatz @iamNoah1 @tao12345666333