feat: add permitOnlyProjectScopedClusters flag #10237
Conversation
Force-pushed 22e7635 to de4fb4d
Codecov Report

@@            Coverage Diff             @@
##           master   #10237      +/-   ##
==========================================
- Coverage   45.89%   45.85%   -0.04%
==========================================
  Files         229      229
  Lines       28299    28347      +48
==========================================
+ Hits        12987    12999      +12
- Misses      13539    13565      +26
- Partials     1773     1783      +10
@@ -426,7 +426,10 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed | |||
}) | |||
} else { | |||
err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, kube.GetResourceKey(live), func(child appv1.ResourceNode, appName string) bool { | |||
if !proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination) { | |||
permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination, func(project string) ([]*appv1.Cluster, error) { |
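Review bot: `permitted, _ := proj.IsResourcePermitted(...)` on the last line discards the error, so a failed project-cluster lookup inside the callback leaves `permitted` false and the child node is silently dropped from the resource tree with nothing logged; a store outage then looks identical to a policy denial. Either change `IterateHierarchy`'s callback to return an error so `getResourceTree` can surface it, or at minimum log the error before returning false.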
I'm not a big fan of silencing errors, we should probably change the signature of IterateHierarchy to return an error itself
@@ -417,7 +417,17 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap | |||
|
|||
// filter out all resources which are not permitted in the application project | |||
for k, v := range liveObjByKey { | |||
if !project.IsLiveResourcePermitted(v, app.Spec.Destination.Server, app.Spec.Destination.Name) { | |||
permitted, err := project.IsLiveResourcePermitted(v, app.Spec.Destination.Server, app.Spec.Destination.Name, func(project string) ([]*appv1.Cluster, error) { | |||
return m.db.GetProjectClusters(context.TODO(), project) |
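Review bot: the closure parameter `func(project string)` shadows the `project *ap…` argument of `CompareAppState` visible in the hunk header, so `m.db.GetProjectClusters(context.TODO(), project)` reads as if it received the AppProject; rename it (e.g. `projectName`). Since the closure is built inside `for k, v := range liveObjByKey`, every live resource triggers its own `GetProjectClusters` round-trip; fetch the project's clusters once before the loop and close over the result. Style nit: the same function mixes the `v1alpha1` and `appv1` aliases (`v1alpha1.Application` in the signature, `appv1.Cluster` in the closure); pick one.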
I added context.TODO() as a placeholder, but should probably be something else
return fmt.Errorf("namespace %v is not permitted in project '%s'", un.GetNamespace(), proj.Name) | ||
if res.Namespaced { | ||
permitted, err := proj.IsDestinationPermitted(v1alpha1.ApplicationDestination{Namespace: un.GetNamespace(), Server: app.Spec.Destination.Server, Name: app.Spec.Destination.Name}, func(project string) ([]*v1alpha1.Cluster, error) { | ||
return m.db.GetProjectClusters(context.TODO(), project) |
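Review bot: the removed `return fmt.Errorf("namespace %v is not permitted in project '%s'", ...)` told the user which namespace and project failed; make sure the new `permitted, err` path still reports the server, namespace and project in its error, otherwise a denial caused by `permitOnlyProjectScopedClusters` becomes hard to diagnose. The check is now wrapped in `if res.Namespaced {`; confirm that cluster-scoped resources (no namespace, but still a destination server) are still subject to the project-scoped-cluster rule, or state why they are exempt. The `func(project string)` closure is duplicated from the `CompareAppState` hunk with the same shadowing; a single helper that returns the lookup closure would remove both copies.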
I added context.TODO() as a placeholder, but should probably be something else
return m.db.GetProjectClusters(context.TODO(), project) | ||
}) | ||
|
||
if err != nil { |
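Review bot: the `if err != nil {` branch after the `GetProjectClusters` callback should fail closed and explicitly: return the error wrapped with the project name rather than fall through to the `permitted` check, so a store failure never reads as "permitted". This path needs a unit test alongside the `permitOnlyProjectScopedClusters: true` plus non-project-cluster case. `context.TODO()` here should be replaced by the caller's context so the DB call honours cancellation.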
Not sure if this block is the right way to do this; I suspect that this also needs tests
Just a couple nitpicks. @alexmt would you have time to glance at this? I'm curious if you have any performance concerns.
Force-pushed de4fb4d to 345430b
@blakepettersson we discussed this in today's security meeting. The conclusions were:
Thanks again for the good work! Assuming we conclude that the change is necessary/performant, I wanna be sure to get this into 2.5, so I'll be watching carefully.
Awesome! Looking forward to what you guys come up with! 😄
I was one of them 😄
Looks like something set you up for a bunch of merge conflicts. Can you resolve? It'll probably be easiest to resolve conflicts for the non-generated files and then just run codegen again.
Force-pushed 345430b to 1812ba6
Discussed this in the Contributor office hours. @jessesuen and @alexmt are gonna chat about this and review.
This commit adds a new flag, `permitOnlyProjectScopedClusters`, which prevents any application from syncing to clusters which are not a part of the same project. Fixes argoproj#10220. Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Force-pushed 1812ba6 to 35174e4
@jessesuen @alexmt @crenshaw-dev do you guys have any further thoughts on this PR? 😄
LGTM - will leave this open in case Jesse or Alex have any thoughts, but I'll merge it by the end of the week if not.
Awesome, thanks a lot!! 🤗 🤗
This commit adds a new flag, `permitOnlyProjectScopedClusters`, which prevents any application from syncing to clusters which are not a part of the same project. Fixes argoproj#10220. Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com> Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>

docs: remove duplicate word in user-management doc (argoproj#10546) Signed-off-by: Mickaël Canévet <mickael.canevet@jellysmack.com> Signed-off-by: Mickaël Canévet <mickael.canevet@jellysmack.com>

fix: hide terminal on the non-pod resource kind (argoproj#9980) (argoproj#10556) Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com> Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com>

fix: add more info to creationtime format (argoproj#10286) (argoproj#10493)
* fix: add more info to creationtime format Signed-off-by: Ashutosh <mail.ashutosh8@gmail.com>
* lint issue Signed-off-by: ashutosh16 <mail.ashutosh8@gmail.com>
* fix: add more info to creationtime format Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com>
Signed-off-by: Ashutosh <mail.ashutosh8@gmail.com> Signed-off-by: ashutosh16 <mail.ashutosh8@gmail.com> Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com> Co-authored-by: Ashutosh <mail.ashutosh8@gmail.com>

feat: support multiple sources for application Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
remove debug logging and unwanted code Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
fix lint and unit test errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
fix lint and unit test errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Merge branch 'multiple-sources-for-applications' of github.com:ishitasequeira/argo-cd into multiple-sources-for-applications
feat: support multiple sources for application Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
remove debug logging and unwanted code Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
fix lint and unit test errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
fix lint and unit test errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
fix bug introduced after rebase Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
executed make codegen Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
This commit adds a new flag, `permitOnlyProjectScopedClusters`, which prevents any application from syncing to clusters which are not a part of the same project. Fixes #10220.
Checklist:
[ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
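To make the flag's behaviour concrete, here is an added, self-contained Go example. It is not Argo CD's code: the `Cluster`, `Destination`, `Project` and `ClusterLookup` types are hypothetical cut-down stand-ins, and the cluster inventory is constructed. It shows the two properties the review asked for: the check fails closed when the project-cluster lookup errors (returning `(false, err)` rather than a silent denial or a silent allow), and a memoized lookup so a loop over many live resources costs one store round-trip instead of one per resource.

```go
package main

import (
	"errors"
	"fmt"
)

// Cluster is a constructed stand-in for an Argo CD cluster secret: its API
// server URL and the project it is scoped to ("" means global).
type Cluster struct {
	Server  string
	Project string
}

// Destination is where an Application wants to sync.
type Destination struct {
	Server    string
	Namespace string
}

// Project is a hypothetical, cut-down AppProject: name, allowed destinations
// ("*" is a wildcard) and the new flag from this PR.
type Project struct {
	Name                            string
	Destinations                    []Destination
	PermitOnlyProjectScopedClusters bool
}

// ClusterLookup returns the clusters scoped to a project. The parameter is
// named projectName, not project, so it cannot shadow a *Project in the caller.
type ClusterLookup func(projectName string) ([]Cluster, error)

// IsDestinationPermitted applies the existing destination list first, then,
// only when the flag is set, requires the target server to be one of the
// project's own clusters. A lookup error fails closed: (false, err).
func IsDestinationPermitted(proj *Project, dest Destination, lookup ClusterLookup) (bool, error) {
	inList := false
	for _, d := range proj.Destinations {
		if (d.Server == "*" || d.Server == dest.Server) &&
			(d.Namespace == "*" || d.Namespace == dest.Namespace) {
			inList = true
			break
		}
	}
	if !inList {
		return false, nil
	}
	if !proj.PermitOnlyProjectScopedClusters {
		return true, nil
	}
	clusters, err := lookup(proj.Name)
	if err != nil {
		// Surface the failure instead of silently treating it as "not permitted".
		return false, fmt.Errorf("loading clusters for project %q: %w", proj.Name, err)
	}
	for _, c := range clusters {
		if c.Server == dest.Server {
			return true, nil
		}
	}
	return false, nil
}

// Memoize caches results per project name so a loop over many live resources
// hits the backing store once rather than once per resource.
func Memoize(lookup ClusterLookup) ClusterLookup {
	type result struct {
		clusters []Cluster
		err      error
	}
	cache := map[string]result{}
	return func(projectName string) ([]Cluster, error) {
		if r, ok := cache[projectName]; ok {
			return r.clusters, r.err
		}
		cs, err := lookup(projectName)
		cache[projectName] = result{cs, err}
		return cs, err
	}
}

// sampleClusters is a constructed inventory: one cluster scoped to team-a, one global.
var sampleClusters = []Cluster{
	{Server: "https://team-a.example.internal", Project: "team-a"},
	{Server: "https://shared.example.internal", Project: ""},
}

// SampleLookup filters sampleClusters by project and counts round-trips in *calls.
func SampleLookup(calls *int) ClusterLookup {
	return func(projectName string) ([]Cluster, error) {
		*calls++
		var out []Cluster
		for _, c := range sampleClusters {
			if c.Project == projectName {
				out = append(out, c)
			}
		}
		return out, nil
	}
}

// FailingLookup simulates the cluster store being unavailable.
func FailingLookup(string) ([]Cluster, error) {
	return nil, errors.New("cluster store unavailable")
}

func main() {
	proj := &Project{Name: "team-a", Destinations: []Destination{{Server: "*", Namespace: "*"}}, PermitOnlyProjectScopedClusters: true}
	calls := 0
	lookup := Memoize(SampleLookup(&calls))
	for _, srv := range []string{"https://team-a.example.internal", "https://shared.example.internal"} {
		ok, err := IsDestinationPermitted(proj, Destination{Server: srv, Namespace: "default"}, lookup)
		fmt.Printf("%s permitted=%v err=%v\n", srv, ok, err)
	}
	fmt.Println("cluster lookups:", calls)
}
```

With the flag on, the wildcard destination still lets the project-scoped cluster through but denies the global one, and both checks share a single lookup; with the flag off the destination list alone decides and the store is never queried.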