Add exit code 1 on not allowed to kubectl auth can-i #59579
Conversation
|
@fbac: Adding do-not-merge/release-note-label-needed because the release note process has not been followed. One of the following labels is required "release-note", "release-note-action-required", or "release-note-none". Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
do-not-merge/release-note-label-needed
k8s-ci-robot
added
the
needs-ok-to-test
|
I think "can-i" answering "no" is still a successful result. For example: If you get a non-zero exit code, |
|
When can-i fails it raises an error with CheckErr. This exit 1 only happens if err == nil In my opinion, current behavior is a bit inconsistent. With the same non-allowed query it returns different exit codes With this little fix, it will return 1 always when not allowed, 0 when allowed. It doesn affect --quiet nor the CheckErr if something went bad. |
This seems intentional: #43900 This is minor, but the current behavior makes sense to me.
/ok-to-test |
k8s-ci-robot
added
sig/auth
|
/test pull-kubernetes-bazel-test |
|
Hi, can anybody in @kubernetes/sig-auth-pr-reviews review this? |
|
@fbac: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/release-note-none |
k8s-ci-robot
added
release-note-none
|
/retest |
|
PTAL @soltysh can you review this? |
|
this change makes sense to me. needs a test and a release note |
fbac
force-pushed
the
kubectl-cani-exitcode
branch
from
3990295
to
67e2d30
Compare
k8s-ci-robot
added
size/S
fbac
force-pushed
the
kubectl-cani-exitcode
branch
from
67e2d30
to
28dfbdd
Compare
k8s-ci-robot
removed
the
size/S
|
/retest |
k8s-ci-robot
added
release-note
pkg/kubectl/cmd/auth/cani_test.go
Outdated
| @@ -166,6 +174,11 @@ func TestRunAccessCheck(t *testing.T) { | |||
| } | |||
|
|
|||
| actualAllowed, err := test.o.RunAccessCheck() | |||
| actualReturnCode := 0 | |||
| if !actualAllowed { | |||
| actualReturnCode = 1 | |||
There was a problem hiding this comment.
this isn't really testing your change... this test would pass even without your change. I expected something in test-cmd-util.sh that actually checked exit code
There was a problem hiding this comment.
You're completely right. I've written an small test in test-cmd-util.sh, but becase the apiserver is always in AlwaysAllow during tests, does it makes sense? It will never return exit 1.
There was a problem hiding this comment.
hrmm... true. I guess we'll skip that for now and go with manual testing.
fbac
force-pushed
the
kubectl-cani-exitcode
branch
from
c6fb9c1
to
d2ce05d
Compare
k8s-ci-robot
added
size/XS
fbac
force-pushed
the
kubectl-cani-exitcode
branch
from
d2ce05d
to
9fa269a
Compare
|
/retest |
| @@ -5219,6 +5219,12 @@ runTests() { | |||
|
|
|||
| output_message=$(kubectl auth can-i list jobs.batch/bar -n foo --quiet 2>&1 "${kube_flags[@]}") | |||
| kube::test::if_empty_string "${output_message}" | |||
|
|
|||
| output_message=$(kubectl auth can-i get pods --subresource=log 2>&1 "${kube_flags[@]}"; echo $?) | |||
There was a problem hiding this comment.
This is still not testing your particular change. Can you add a test for your case, iow. one that will return non-zero when not allowed?
There was a problem hiding this comment.
Actually there is no way to test kubectl returning exit code 1, since the apiserver is in AlwaysAllow, how can we test this?
There was a problem hiding this comment.
Yeah, we'll have to live with a manual test. See #59579 (comment)
There was a problem hiding this comment.
@soltysh so what changes should I make? Since there is no way to test error exit 1 I think the commit is good as it is now.
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fbac, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/sig cli |
|
You must be a member of the kubernetes/kubernetes-milestone-maintainers github team to add status labels. |
k8s-ci-robot
added
sig/cli
|
[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process Pull Request Labels
|
|
/test pull-kubernetes-e2e-kops-aws |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
kubectl auth can-i verb resource always returns 0 status, even if the user can't
With this commit, kubectl will return exit code 1 when a verb is not allowed. It doesn't affect quiet option.
Release note: