feat: add permitOnlyProjectScopedClusters flag #10237
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
blakepettersson
force-pushed
the
feature/add-permitonlyprojectscopedclusters-flag
branch
from
22e7635
to
de4fb4d
Compare
Codecov Report
@@ Coverage Diff @@
## master #10237 +/- ##
==========================================
- Coverage 45.89% 45.85% -0.04%
==========================================
Files 229 229
Lines 28299 28347 +48
==========================================
+ Hits 12987 12999 +12
- Misses 13539 13565 +26
- Partials 1773 1783 +10
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
blakepettersson
commented
Aug 8, 2022
| @@ -426,7 +426,10 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed | |||
| }) | |||
| } else { | |||
| err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, kube.GetResourceKey(live), func(child appv1.ResourceNode, appName string) bool { | |||
| if !proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination) { | |||
| permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination, func(project string) ([]*appv1.Cluster, error) { | |||
There was a problem hiding this comment.
I'm not a big fan of silencing errors, we should probably change the signature of IterateHierarchy to return an error itself
blakepettersson
commented
Aug 8, 2022
blakepettersson
commented
Aug 8, 2022
| @@ -417,7 +417,17 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap | |||
|
|
|||
| // filter out all resources which are not permitted in the application project | |||
| for k, v := range liveObjByKey { | |||
| if !project.IsLiveResourcePermitted(v, app.Spec.Destination.Server, app.Spec.Destination.Name) { | |||
| permitted, err := project.IsLiveResourcePermitted(v, app.Spec.Destination.Server, app.Spec.Destination.Name, func(project string) ([]*appv1.Cluster, error) { | |||
| return m.db.GetProjectClusters(context.TODO(), project) | |||
There was a problem hiding this comment.
I added context.TODO() as a placeholder, but should probably be something else
blakepettersson
commented
Aug 8, 2022
| return fmt.Errorf("namespace %v is not permitted in project '%s'", un.GetNamespace(), proj.Name) | ||
| if res.Namespaced { | ||
| permitted, err := proj.IsDestinationPermitted(v1alpha1.ApplicationDestination{Namespace: un.GetNamespace(), Server: app.Spec.Destination.Server, Name: app.Spec.Destination.Name}, func(project string) ([]*v1alpha1.Cluster, error) { | ||
| return m.db.GetProjectClusters(context.TODO(), project) |
There was a problem hiding this comment.
I added context.TODO() as a placeholder, but should probably be something else
blakepettersson
commented
Aug 8, 2022
| return m.db.GetProjectClusters(context.TODO(), project) | ||
| }) | ||
|
|
||
| if err != nil { |
There was a problem hiding this comment.
Not sure if this block is the right way to do this; I suspect that this also needs tests
crenshaw-dev
requested changes
Aug 8, 2022
There was a problem hiding this comment.
Just a couple nitpicks. @alexmt would you have time to glance at this? I'm curious if you have any performance concerns.
blakepettersson
force-pushed
the
feature/add-permitonlyprojectscopedclusters-flag
branch
from
de4fb4d
to
345430b
Compare
|
@blakepettersson we discussed this in today's security meeting. The conclusions were:
Thanks again for the good work! Assuming we conclude that the change is necessary/performant, I wanna be sure to get this into 2.5, so I'll be watching carefully. |
|
Awesome! Looking forward to what you guys come up with! 😄
I was one of them 😄 |
|
Looks like something set you up for a bunch of merge conflicts. Can you resolve? It'll probably be easiest to resolve conflicts for the non-generated files and then just run codegen again. |
blakepettersson
force-pushed
the
feature/add-permitonlyprojectscopedclusters-flag
branch
from
345430b
to
1812ba6
Compare
|
Discussed this in the Contributor office hours. @jessesuen and @alexmt are gonna chat about this and review. |
This commit adds a new flag, `permitOnlyProjectScopedClusters`, which prevents any application from syncing to clusters which are not a part of the same project. Fixes argoproj#10220. Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
blakepettersson
force-pushed
the
feature/add-permitonlyprojectscopedclusters-flag
branch
from
1812ba6
to
35174e4
Compare
|
@jessesuen @alexmt @crenshaw-dev do you guys have any further thoughts on this PR? 😄 |
crenshaw-dev
approved these changes
Sep 7, 2022
|
Awesome, thanks a lot!! 🤗 🤗 |
ocraviotto
pushed a commit
to ocraviotto/argo-cd
that referenced
this pull request
Sep 15, 2022
This commit adds a new flag, `permitOnlyProjectScopedClusters`, which prevents any application from syncing to clusters which are not a part of the same project. Fixes argoproj#10220. Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com> Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com> docs: remove duplicate word in user-management doc (argoproj#10546) Signed-off-by: Mickaël Canévet <mickael.canevet@jellysmack.com> Signed-off-by: Mickaël Canévet <mickael.canevet@jellysmack.com> fix: hide terminal on the non-pod resource kind (argoproj#9980) (argoproj#10556) Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com> Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com> fix: add more info to creationtime format (argoproj#10286) (argoproj#10493) * fix: add more info to creationtime format Signed-off-by: Ashutosh <mail.ashutosh8@gmail.com> * lint issue Signed-off-by: ashutosh16 <mail.ashutosh8@gmail.com> * fix: add more info to creationtime format Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com> Signed-off-by: Ashutosh <mail.ashutosh8@gmail.com> Signed-off-by: ashutosh16 <mail.ashutosh8@gmail.com> Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com> Co-authored-by: Ashutosh <mail.ashutosh8@gmail.com> feat: support multiple sources for application Signed-off-by: ishitasequeira <ishiseq29@gmail.com> remove debug logging and unwanted code Signed-off-by: ishitasequeira <ishiseq29@gmail.com> fix lint and unit test errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com> fix lint and unit test errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com> Merge branch 'multiple-sources-for-applications' of github.com:ishitasequeira/argo-cd into multiple-sources-for-applications feat: support multiple sources for application Signed-off-by: ishitasequeira <ishiseq29@gmail.com> remove debug logging and unwanted code Signed-off-by: ishitasequeira <ishiseq29@gmail.com> fix lint and unit test errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com> fix lint and unit test errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com> fix bug introduced after rebase Signed-off-by: ishitasequeira <ishiseq29@gmail.com> executed make codegen Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
blakepettersson
deleted the
feature/add-permitonlyprojectscopedclusters-flag
branch
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit adds a new flag,
permitOnlyProjectScopedClusters, whichprevents any application from syncing to clusters which are not a part
of the same project. Fixes #10220.
Note on DCO:
If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.
Checklist:
[ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.