✨ wire more controllers cross-shard and authz #2562
sttts commented Jan 6, 2023
- replicate ClusterRoles+ClusterBindings that are labeled to be replicated
- added replication label controllers for ClusterRoles+Bindings relevant to APIExport authorization
- allow deep SAR against the cache server data
Force-pushed 3a213b7 to aa249d5.
globalAPIResourceSchemaIndexer: globalKcpInformers.Apis().V1alpha1().APIResourceSchemas().Informer().GetIndexer(), | ||
globalShardIndexer: globalKcpInformers.Core().V1alpha1().Shards().Informer().GetIndexer(), | ||
globalWorkspaceTypeIndexer: globalKcpInformers.Tenancy().V1alpha1().WorkspaceTypes().Informer().GetIndexer(), | ||
globalClusterRoleIndexer: globalKubeInformers.Rbac().V1().ClusterRoles().Informer().GetIndexer(), |
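Review bot: only a global ClusterRole indexer (globalClusterRoleIndexer) is wired in these lines, although the PR description says both ClusterRoles and ClusterRoleBindings are replicated for APIExport authorization. If the authorizer resolves bindings from the cache-server data as well, a globalClusterRoleBindingIndexer built from globalKubeInformers.Rbac().V1().ClusterRoleBindings().Informer().GetIndexer() should be wired next to it; otherwise a short comment on why only roles need the global view would help the next reader.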
why do we need to replicate cr and crb?
As explained in gmeet: these are required to authorize binding of APIExports, and for maximum permission policy, for now. There will be more reasons for other cross-workspace authorizations.
Force-pushed aa249d5 to 04a096b.
Force-pushed 65c6de3 to 3759c6f.
Force-pushed 0011bf0 to bb9fcfc.
@@ -0,0 +1,254 @@ | |||
/* | |||
Copyright 2022 The KCP Authors. |
it's 2023
done
applies to other places as well
) | ||
|
||
const ( | ||
ControllerName = "kcp-apiexport-replication-clusterrolebinding" |
apiexport?
renamed to kcp-apis-replication-clusterrolebinding
applies to the other controller as well
cluster, _, name, err := kcpcache.SplitMetaClusterNamespaceKey(key) | ||
if err != nil { | ||
runtime.HandleError(err) | ||
return nil |
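Review bot: returning nil after runtime.HandleError drops the key without a requeue, which is the right call for a malformed key since retrying cannot repair it, but the error handed to runtime.HandleError carries no controller context. Wrapping it, e.g. runtime.HandleError(fmt.Errorf("%s: invalid key %q: %w", ControllerName, key, err)), makes the log line attributable when several replication controllers run in one process.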
why not return the err?
then it would be requeued. Doesn't help here to fix the problem.
return true | ||
} | ||
|
||
func (c *controller) process(ctx context.Context, key string) error { |
change the signature of this method to ctx context.Context, crb *rbacv1.ClusterRoleBinding, rename to reconcile and move it to a separate file - it would unify with the rest of the controllers and allow for easier unit testing
done
} | ||
|
||
logger.V(4).Info("patching ClusterRoleBinding", "patch", patch) | ||
_, err = c.kubeClusterClient.Cluster(cluster.Path()).RbacV1().ClusterRoleBindings().Patch(ctx, crb.Name, types.MergePatchType, []byte(patch), metav1.PatchOptions{}) |
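Review bot: the merge patch on this line is applied unconditionally. A JSON merge patch whose body does not carry metadata.resourceVersion overwrites whatever the annotation or label holds at apply time, so a concurrent writer that adds its own entry to the list-valued annotation between the lister read and this Patch call is silently clobbered. Either include metadata.resourceVersion from the object that was read (the API server then rejects the patch with a conflict if the object changed) or route the update through a committer-style helper that performs a conditional update, as discussed in the thread.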
wondering if we could use committer.NewCommitter
no, I can't. But I wrote one I can use. Stay tuned :)
@@ -26,6 +26,11 @@ const ( | |||
// | |||
// If this annotation exists, the system will maintain the annotation value. | |||
LogicalClusterPathAnnotationKey = "kcp.io/path" | |||
|
|||
// ReplicateAnnotationKey is the annotation key used to indicate that a ClusterRole should be replicated. |
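Review bot: the doc comment on ReplicateAnnotationKey describes the value as a flag ("should be replicated") while the thread says the value is a list that several controllers contribute to. The comment should state the value format (separator, expected entries, who owns an entry) and that a controller must add or remove only its own entry, since two contributors writing the whole value will otherwise overwrite each other. The comment also mentions ClusterRole only, although the PR replicates ClusterRoleBindings under the same mechanism.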
could you please remind me why it is a list?
there can be multiple controllers that contribute to this annotation. E.g. from another Api group.
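As an added illustration (not code from the kcp project) of how a controller can contribute its own entry to a list-valued annotation without overwriting other contributors' entries, and what the resulting JSON merge patch looks like, the Go program below uses a placeholder annotation key and assumes a comma-separated encoding; neither the real key string nor the separator is given on this page. The resourceVersion precondition shows how to make the patch conditional.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// replicateAnnotationKey stands in for ReplicateAnnotationKey; the real key
// string is not shown on the page, so this value is a placeholder.
const replicateAnnotationKey = "example.kcp.io/replicate"

// listSeparator is an assumption: the page says the value is a list that
// several controllers contribute to, but not how it is encoded.
const listSeparator = ","

// parseList turns the annotation value into a set of contributor entries.
func parseList(v string) map[string]struct{} {
	set := map[string]struct{}{}
	for _, e := range strings.Split(v, listSeparator) {
		if e = strings.TrimSpace(e); e != "" {
			set[e] = struct{}{}
		}
	}
	return set
}

// formatList serialises the set deterministically so that a repeated
// reconcile produces the same value and becomes a no-op.
func formatList(set map[string]struct{}) string {
	entries := make([]string, 0, len(set))
	for e := range set {
		entries = append(entries, e)
	}
	sort.Strings(entries)
	return strings.Join(entries, listSeparator)
}

// withContributor returns the value with `who` present or absent, leaving
// every other controller's entry untouched.
func withContributor(current, who string, present bool) string {
	set := parseList(current)
	if present {
		set[who] = struct{}{}
	} else {
		delete(set, who)
	}
	return formatList(set)
}

// mergePatchForAnnotation builds a JSON merge patch body that sets the
// annotation, or removes it when value is empty (null deletes a key in a
// merge patch). When resourceVersion is non-empty it is embedded so the API
// server rejects the patch with a conflict if the object changed meanwhile.
func mergePatchForAnnotation(key, value, resourceVersion string) ([]byte, error) {
	var annValue interface{} = value
	if value == "" {
		annValue = nil
	}
	metadata := map[string]interface{}{
		"annotations": map[string]interface{}{key: annValue},
	}
	if resourceVersion != "" {
		metadata["resourceVersion"] = resourceVersion
	}
	return json.Marshal(map[string]interface{}{"metadata": metadata})
}

func main() {
	// Two hypothetical controllers ("apis" and "tenancy") add their entries.
	value := withContributor("", "apis", true)
	value = withContributor(value, "tenancy", true)
	patch, err := mergePatchForAnnotation(replicateAnnotationKey, value, "42")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(patch))

	// Both withdraw; the last one leaving deletes the annotation.
	value = withContributor(value, "apis", false)
	value = withContributor(value, "tenancy", false)
	patch, err = mergePatchForAnnotation(replicateAnnotationKey, value, "43")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(patch))
}
```

The controller that owns an entry reads the current value from its lister, computes the new value with withContributor, and sends only that change together with the resourceVersion it read; a conflict response means another contributor got there first and the key should simply be requeued.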
func(cluster logicalcluster.Name, _, name string) (interface{}, bool, error) { | ||
obj, err := c.localClusterRoleBindingLister.Cluster(cluster).Get(name) | ||
if err != nil { | ||
return obj, true, err |
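Review bot: return obj, true, err is the source of the panic for two reasons. First, generated listers return a typed nil pointer, (*rbacv1.ClusterRoleBinding)(nil), together with the error; stored in the interface{} result that value is not equal to nil, so a caller checking obj != nil passes the check and then dereferences a nil pointer. Second, exists is reported as true on a not-found error. Returning nil, false, err as suggested fixes both; callers should branch on the error and the bool rather than on the interface value.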
I think this line causes the panic, replace with return nil, false, err
Isn't obj nil then?
done
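The panic discussed in this thread comes from Go's typed-nil-in-interface behaviour. The following program is an added example, not code from the PR: it models a lister with a constructed stand-in type and shows why return obj, true, err hands a non-nil interface (holding a nil pointer) to the caller, while return nil, false, err does not.

```go
package main

import (
	"errors"
	"fmt"
)

// ClusterRoleBinding is a constructed stand-in for rbacv1.ClusterRoleBinding.
type ClusterRoleBinding struct {
	Name string
}

// ErrNotFound mimics the lister's not-found error (constructed for this example).
var ErrNotFound = errors.New("clusterrolebinding not found")

// fakeLister mimics the shape of a generated lister: Get returns a *typed* nil
// pointer alongside the error, exactly as client-go listers do.
type fakeLister struct {
	items map[string]*ClusterRoleBinding
}

func (l fakeLister) Get(name string) (*ClusterRoleBinding, error) {
	if crb, ok := l.items[name]; ok {
		return crb, nil
	}
	return nil, ErrNotFound // this nil is (*ClusterRoleBinding)(nil)
}

// getBuggy reproduces the pattern under review: the typed nil pointer is
// converted to interface{}, which makes the interface value non-nil, and
// exists is reported as true even though the object does not exist.
func getBuggy(l fakeLister, name string) (interface{}, bool, error) {
	obj, err := l.Get(name)
	if err != nil {
		return obj, true, err
	}
	return obj, true, nil
}

// getFixed is the corrected pattern: a true nil interface and exists=false.
func getFixed(l fakeLister, name string) (interface{}, bool, error) {
	obj, err := l.Get(name)
	if err != nil {
		return nil, false, err
	}
	return obj, true, nil
}

// lastName receives the dereferenced field so the compiler cannot drop the access.
var lastName string

// consumer models a caller that trusts the interface value and dereferences
// it whenever it is non-nil. With getBuggy this panics; the panic is recovered
// and reported so both variants can be compared.
func consumer(get func(fakeLister, string) (interface{}, bool, error), l fakeLister, name string) (panicked bool, interfaceIsNil bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	obj, _, _ := get(l, name)
	interfaceIsNil = obj == nil
	if obj != nil {
		crb := obj.(*ClusterRoleBinding) // succeeds for a typed nil
		lastName = crb.Name              // nil pointer dereference if crb is nil
	}
	return panicked, interfaceIsNil
}

func main() {
	l := fakeLister{items: map[string]*ClusterRoleBinding{"admin": {Name: "admin"}}}
	p, n := consumer(getBuggy, l, "missing")
	fmt.Printf("buggy: panicked=%v interfaceIsNil=%v\n", p, n)
	p, n = consumer(getFixed, l, "missing")
	fmt.Printf("fixed: panicked=%v interfaceIsNil=%v\n", p, n)
}
```

In a controller the unrecovered version of that panic takes down the whole process, so a single missing ClusterRoleBinding key would restart the server; the fix is to return a real nil interface and let callers branch on exists and err.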
func(cluster logicalcluster.Name, _, name string) (interface{}, bool, error) { | ||
obj, err := c.localClusterRoleLister.Cluster(cluster).Get(name) | ||
if err != nil { | ||
return obj, true, err |
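Review bot: same typed-nil problem as in the ClusterRoleBinding closure: the error path returns the lister's (*rbacv1.ClusterRole)(nil) wrapped in an interface{} and reports exists=true. Replace with return nil, false, err here as well, and consider sharing one helper between the two closures so the fix cannot drift between them.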
same here (re panic), replace with return nil, false, err
done
Force-pushed bb9fcfc to d1f1dce.
Force-pushed d1f1dce to a0b03ef.
Force-pushed 32dde53 to 5d8654c.
Co-authored-by: Sergiusz Urbaniak <sergiusz.urbaniak@gmail.com>
…nnotation in core
Force-pushed 5d8654c to 82b52e5.
/lgtm
/retest
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing