Rework foreign apibinding permissionclaims logic by mjudeikis · Pull Request #4088 · kcp-dev/kcp

mjudeikis · 2026-04-29T12:36:27Z

Summary

In this PR, a few things happen:

Changes how we purge bound-crds, move to index. So we can track it more wider
Adds an additional reconciler to materialise CRDs when its claimed via consumer which is not yet materialized in the shard
Add additional triggers when informer is updated

Added extensive code comments as this was a ⛏️

What Type of PR Is This?

/kind bug

Related Issue(s)

Fixes #4087

Release Notes

Fix foreign apiexports, claimed in apibindings in sharded environments.

gman0 · 2026-04-29T16:45:54Z

In general, is it really okay to claim resources that haven't been bound / don't exist in APIBinding's workspace?

An argument in favor could be that we don't care about the order in which APIBindings come (those who have claims against a resource VS the binding that binds that resource); depends 🤷 other than that,

/lgtm

It will be interesting to see how this affects perf with large number of bindings though.

gman0 · 2026-04-29T17:04:26Z

^

/lgtm

kcp-ci-bot · 2026-04-29T17:04:33Z

LGTM label has been added.

Details

Git tree hash: 39cef409f73c601a9873b7a7e5492463cde9b6bf

mjudeikis · 2026-04-30T07:24:26Z

In general, is it really okay to claim resources that haven't been bound / don't exist in APIBinding's workspace

This is an existing feature, so it just does not work in this edge case

gman0 · 2026-04-30T09:12:20Z

/lgtm

kcp-ci-bot · 2026-04-30T09:12:25Z

LGTM label has been added.

Details

Git tree hash: 78ccd199e32d3c9d526efa49c6a45b6a62efe59d

gman0 · 2026-04-30T09:14:32Z

https://docs.kcp.io/kcp/main/concepts/apis/exporting-apis/#permission-claims_1

Permission claims must be accepted by the user explicitly, before this access is granted. The resources can be builtin Kubernetes resources or resources bound with other APIBindings.

Docs might need a change too then.

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt> On-behalf-of: SAP <mangirdas.judeikis@sap.com>

ntnn

/lgtm
/approve

kcp-ci-bot · 2026-05-04T12:53:29Z

LGTM label has been added.

Details

Git tree hash: 9eaec19adaf46aec89706ec0aee4bf49453a0d49

kcp-ci-bot · 2026-05-04T12:53:30Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ntnn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [ntnn]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

mjudeikis · 2026-05-04T13:43:15Z

/retest

gman0 reviewed Apr 29, 2026

View reviewed changes

Comment thread pkg/reconciler/apis/crdcleanup/crdcleanup_controller.go Outdated

kcp-ci-bot assigned gman0 Apr 29, 2026

kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 29, 2026

kcp-ci-bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 30, 2026

kcp-ci-bot requested a review from gman0 April 30, 2026 07:27

mjudeikis moved this to In-Review in Platform Mesh & Kube Projects - Backlog Apr 30, 2026

mjudeikis added this to Platform Mesh & Kube Projects - Backlog Apr 30, 2026

kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 30, 2026

ntnn reviewed Apr 30, 2026

View reviewed changes

Comment thread pkg/reconciler/apis/permissionclaimlabel/permissionclaimlabel_controller.go Outdated

Comment thread pkg/reconciler/apis/apibinding/apibinding_reconcile.go

Comment thread pkg/indexers/apiexport.go

ntnn moved this to Reviewing in tbd Apr 30, 2026

ntnn added this to tbd Apr 30, 2026

Rework foreign apibinding permissionclaims logic

de105e8

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt> On-behalf-of: SAP <mangirdas.judeikis@sap.com>

mjudeikis force-pushed the foreign.informer.apibinding branch from cf2f4ec to 28e1707 Compare May 4, 2026 08:26

kcp-ci-bot removed the lgtm Indicates that a PR is ready to be merged. label May 4, 2026

Address review feedback

720783e

mjudeikis force-pushed the foreign.informer.apibinding branch from 28e1707 to 720783e Compare May 4, 2026 08:31

ntnn approved these changes May 4, 2026

View reviewed changes

kcp-ci-bot assigned ntnn May 4, 2026

kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label May 4, 2026

kcp-ci-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2026

kcp-ci-bot merged commit d1be278 into kcp-dev:main May 4, 2026
14 checks passed

github-project-automation Bot moved this from In-Review to Done in Platform Mesh & Kube Projects - Backlog May 4, 2026

github-project-automation Bot moved this from Reviewing to Done in tbd May 4, 2026

Conversation

mjudeikis commented Apr 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

What Type of PR Is This?

Related Issue(s)

Release Notes

Uh oh!

Uh oh!

gman0 commented Apr 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gman0 commented Apr 29, 2026

Uh oh!

kcp-ci-bot commented Apr 29, 2026

Uh oh!

mjudeikis commented Apr 30, 2026

Uh oh!

gman0 commented Apr 30, 2026

Uh oh!

kcp-ci-bot commented Apr 30, 2026

Uh oh!

gman0 commented Apr 30, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

ntnn left a comment

Choose a reason for hiding this comment

Uh oh!

kcp-ci-bot commented May 4, 2026

Uh oh!

kcp-ci-bot commented May 4, 2026

Uh oh!

mjudeikis commented May 4, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

mjudeikis commented Apr 29, 2026 •

edited

Loading

gman0 commented Apr 29, 2026 •

edited

Loading