✨ wire more controllers cross-shard and authz #2562
Conversation
sttts
commented
Jan 6, 2023
sttts
commented
- replicate ClusterRoles+ClusterBindings that are labeled to be replicated
- added replication label controllers for ClusterRoles+Bindings relevant to APIExport authorization
- allow deep SAR again the cache server data
sttts
force-pushed
the
sttts-global-authz
branch
from
3a213b7
to
aa249d5
Compare
sttts
changed the title
sttts
changed the title
openshift-ci
bot
added
the
do-not-merge/work-in-progress
| globalAPIResourceSchemaIndexer: globalKcpInformers.Apis().V1alpha1().APIResourceSchemas().Informer().GetIndexer(), | ||
| globalShardIndexer: globalKcpInformers.Core().V1alpha1().Shards().Informer().GetIndexer(), | ||
| globalWorkspaceTypeIndexer: globalKcpInformers.Tenancy().V1alpha1().WorkspaceTypes().Informer().GetIndexer(), | ||
| globalClusterRoleIndexer: globalKubeInformers.Rbac().V1().ClusterRoles().Informer().GetIndexer(), |
There was a problem hiding this comment.
why do we need to replicate cr and crb ?
There was a problem hiding this comment.
As explained in gmeet: these are required to authorize binding of APIExports, and for maximum permission policy, for now. There will be more reasons for other cross-workspace authorizations.
sttts
force-pushed
the
sttts-global-authz
branch
from
aa249d5
to
04a096b
Compare
openshift-ci
bot
added
the
kind/api-change
sttts
force-pushed
the
sttts-global-authz
branch
4 times, most recently
from
65c6de3
to
3759c6f
Compare
sttts
changed the title
openshift-merge-robot
added
the
needs-rebase
sttts
force-pushed
the
sttts-global-authz
branch
from
0011bf0
to
bb9fcfc
Compare
openshift-merge-robot
removed
the
needs-rebase
| @@ -0,0 +1,254 @@ | |||
| /* | |||
| Copyright 2022 The KCP Authors. | |||
There was a problem hiding this comment.
applies to other places as well
| ) | ||
|
|
||
| const ( | ||
| ControllerName = "kcp-apiexport-replication-clusterrolebinding" |
There was a problem hiding this comment.
renamed to kcp-apis-replication-clusterrolebinding
There was a problem hiding this comment.
applies to the other controller as well
| cluster, _, name, err := kcpcache.SplitMetaClusterNamespaceKey(key) | ||
| if err != nil { | ||
| runtime.HandleError(err) | ||
| return nil |
There was a problem hiding this comment.
why not to return the err?
There was a problem hiding this comment.
then it would be requeued. Doesn't help here to fix the problem.
| return true | ||
| } | ||
|
|
||
| func (c *controller) process(ctx context.Context, key string) error { |
There was a problem hiding this comment.
change the signature of this method to ctx context.Context, crb *rbacv1.ClusterRoleBinding, rename to reconcile and move it to a separate file - it would unify with the rest of the controllers and allow for easier unit testing
| } | ||
|
|
||
| logger.V(4).Info("patching ClusterRoleBinding", "patch", patch) | ||
| _, err = c.kubeClusterClient.Cluster(cluster.Path()).RbacV1().ClusterRoleBindings().Patch(ctx, crb.Name, types.MergePatchType, []byte(patch), metav1.PatchOptions{}) |
There was a problem hiding this comment.
wondering if we could use committer.NewCommitter
There was a problem hiding this comment.
no, I can't. But I wrote one I can use. Stay tuned :)
| @@ -26,6 +26,11 @@ const ( | |||
| // | |||
| // If this annotation exists, the system will maintain the annotation value. | |||
| LogicalClusterPathAnnotationKey = "kcp.io/path" | |||
|
|
|||
| // ReplicateAnnotationKey is the annotation key used to indicate that a ClusterRole should be replicated. | |||
There was a problem hiding this comment.
could you please remind me why it is a list?
There was a problem hiding this comment.
there can be multiple controllers that contribute to this annotation. E.g. from another Api group.
| func(cluster logicalcluster.Name, _, name string) (interface{}, bool, error) { | ||
| obj, err := c.localClusterRoleBindingLister.Cluster(cluster).Get(name) | ||
| if err != nil { | ||
| return obj, true, err |
There was a problem hiding this comment.
I think this line causes the panic, replace with return nil, false, err
| func(cluster logicalcluster.Name, _, name string) (interface{}, bool, error) { | ||
| obj, err := c.localClusterRoleLister.Cluster(cluster).Get(name) | ||
| if err != nil { | ||
| return obj, true, err |
There was a problem hiding this comment.
same here (re panic), replace with return nil, false, err
sttts
force-pushed
the
sttts-global-authz
branch
from
bb9fcfc
to
d1f1dce
Compare
openshift-merge-robot
added
the
needs-rebase
sttts
force-pushed
the
sttts-global-authz
branch
from
d1f1dce
to
a0b03ef
Compare
openshift-merge-robot
removed
the
needs-rebase
sttts
force-pushed
the
sttts-global-authz
branch
2 times, most recently
from
32dde53
to
5d8654c
Compare
sttts
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
Co-authored-by: Sergiusz Urbaniak <sergiusz.urbaniak@gmail.com>
Co-authored-by: Sergiusz Urbaniak <sergiusz.urbaniak@gmail.com>
…nnotation in core
sttts
force-pushed
the
sttts-global-authz
branch
from
5d8654c
to
82b52e5
Compare
openshift-merge-robot
removed
the
needs-rebase
|
/lgtm |
|
/retest |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
