Skip to content

feat: block member label modification through DP #36

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 27 commits into from
May 14, 2025
Merged

feat: block member label modification through DP #36

merged 27 commits into from
May 14, 2025

Conversation

@audrastump
Copy link
Collaborator

@audrastump audrastump commented Apr 29, 2025
edited
Loading

Description of your changes

Blocking users from modifying member cluster labels directly through the dataplane unless they are the RP client. Not mergeable until member label changes are available through CLI.

Fixes #

I have:

  • Run make reviewable to ensure this PR is ready for review.

How has this code been tested

Unit tests

Special notes for your reviewer

@ryanzhang-oss ryanzhang-oss requested a review from Copilot April 29, 2025 20:57
Copilot AI reviewed Apr 29, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR blocks direct modification of fleet member cluster labels through the dataplane unless performed by the RP client.

  • Introduces a new constant and check in the user validation logic to deny label modifications by non-RP clients.
  • Adds the helper function isRPClient to identify RP clients based on username and group membership.
  • Updates the webhook test suite to verify that label modifications are allowed for RP clients and denied for non-RP clients.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
pkg/webhook/validation/uservalidation.go Adds constant and logic to deny label modifications by non-RP clients along with a new isRPClient helper function.
pkg/webhook/fleetresourcehandler/fleetresourcehandler_webhook_test.go Adds test cases to verify the new label modification restrictions.

zhiying-lin
zhiying-lin reviewed Apr 30, 2025
View reviewed changes
jwtty
jwtty reviewed Apr 30, 2025
View reviewed changes
@codecov
Copy link

codecov bot commented May 7, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 63.63636% with 12 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
...eetresourcehandler/fleetresourcehandler_webhook.go 14.28% 6 Missing ⚠️
cmd/hubagent/main.go 0.00% 4 Missing ⚠️
pkg/webhook/webhook.go 81.81% 2 Missing ⚠️

📢 Thoughts on this report? Let us know!

@audrastump audrastump force-pushed the main branch 3 times, most recently from c86ddf2 to 4579fb3 Compare May 7, 2025 22:41
@audrastump
moving to new repo
cb856d4 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump audrastump force-pushed the main branch 2 times, most recently from 674fee6 to cb856d4 Compare May 7, 2025 22:57
audrastump added 3 commits May 7, 2025 15:58
@audrastump
DeniedModifyFleetLabelsEnabled configurable
72aba7c 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
adding fleet agent test
a5d7102 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
updating test coverage
cd3d407 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
jim-minter
jim-minter reviewed May 8, 2025
View reviewed changes
audrastump added 3 commits May 8, 2025 13:51
@audrastump
adding cmd line option for enabling deny labels
80fcdb9 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
refactored user group func
d578c91 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
removing RP client
c23e25f 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
jim-minter
jim-minter reviewed May 9, 2025
View reviewed changes
audrastump added 4 commits May 8, 2025 20:13
@audrastump
adding more test coverage
a0f7a8c 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
updating name
b61ab21 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
updating name
60ecd7b 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
updating name
f1a4f8d 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
jim-minter
jim-minter approved these changes May 9, 2025
View reviewed changes
Copy link
Collaborator

@jim-minter jim-minter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

audrastump and others added 3 commits May 8, 2025 21:30
@audrastump
retrigger tests
f3fe28f 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
Merge branch 'main' into main
b3ed7e3
@audrastump
updating to add more test coverage
9d3d072 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump audrastump marked this pull request as ready for review May 9, 2025 18:41
britaniar
britaniar reviewed May 9, 2025
View reviewed changes
@audrastump
updated
48a6f7d 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump audrastump requested a review from britaniar May 12, 2025 17:27
britaniar
britaniar previously approved these changes May 13, 2025
View reviewed changes
Copy link
Collaborator

@britaniar britaniar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jwtty
jwtty reviewed May 14, 2025
View reviewed changes
jwtty
jwtty requested changes May 14, 2025
View reviewed changes
@audrastump
update
58b7b8e 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
update
6c31921 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump audrastump requested a review from jwtty May 14, 2025 02:57
audrastump added 4 commits May 14, 2025 10:07
@audrastump
empty
efeef0e 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
empty
3451e4a 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
retesting
d2164e6 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
empty
e14a2c9 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
jwtty
jwtty requested changes May 14, 2025
View reviewed changes
audrastump added 3 commits May 14, 2025 10:42
@audrastump
empty
947f940 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
nits
370b07e 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
updated
dcd31a0 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
jwtty
jwtty reviewed May 14, 2025
View reviewed changes
@audrastump
updated
97aa550 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@audrastump
retriggering test
a0ef536 
Signed-off-by: audrastump <a.e.stump@wustl.edu>
@jwtty jwtty merged commit fe0f3f3 into kubefleet-dev:main May 14, 2025
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zhiying-lin zhiying-lin zhiying-lin left review comments

Copilot code review Copilot Copilot left review comments

@jim-minter jim-minter jim-minter approved these changes

@jwtty jwtty jwtty approved these changes

@britaniar britaniar britaniar left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@audrastump @jim-minter @jwtty @zhiying-lin @britaniar