-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add exit code 1 on not allowed to kubectl auth can-i #59579
Conversation
@fbac: Adding do-not-merge/release-note-label-needed because the release note process has not been followed. One of the following labels is required "release-note", "release-note-action-required", or "release-note-none". Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I think "can-i" answering "no" is still a successful result. For example:
If you get a non-zero exit code, |
When can-i fails it raises an error with CheckErr. This exit 1 only happens if err == nil In my opinion, current behavior is a bit inconsistent. With the same non-allowed query it returns different exit codes With this little fix, it will return 1 always when not allowed, 0 when allowed. It doesn affect --quiet nor the CheckErr if something went bad. |
This seems intentional: #43900 This is minor, but the current behavior makes sense to me.
/ok-to-test |
/test pull-kubernetes-bazel-test |
Hi, can anybody in @kubernetes/sig-auth-pr-reviews review this? |
@fbac: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/release-note-none |
/retest |
PTAL @soltysh can you review this? |
this change makes sense to me. needs a test and a release note |
3990295
to
67e2d30
Compare
67e2d30
to
28dfbdd
Compare
/retest |
pkg/kubectl/cmd/auth/cani_test.go
Outdated
@@ -166,6 +174,11 @@ func TestRunAccessCheck(t *testing.T) { | |||
} | |||
|
|||
actualAllowed, err := test.o.RunAccessCheck() | |||
actualReturnCode := 0 | |||
if !actualAllowed { | |||
actualReturnCode = 1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this isn't really testing your change... this test would pass even without your change. I expected something in test-cmd-util.sh that actually checked exit code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're completely right. I've written an small test in test-cmd-util.sh, but becase the apiserver is always in AlwaysAllow during tests, does it makes sense? It will never return exit 1.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hrmm... true. I guess we'll skip that for now and go with manual testing.
c6fb9c1
to
d2ce05d
Compare
d2ce05d
to
9fa269a
Compare
/retest |
@@ -5219,6 +5219,12 @@ runTests() { | |||
|
|||
output_message=$(kubectl auth can-i list jobs.batch/bar -n foo --quiet 2>&1 "${kube_flags[@]}") | |||
kube::test::if_empty_string "${output_message}" | |||
|
|||
output_message=$(kubectl auth can-i get pods --subresource=log 2>&1 "${kube_flags[@]}"; echo $?) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is still not testing your particular change. Can you add a test for your case, iow. one that will return non-zero when not allowed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually there is no way to test kubectl returning exit code 1, since the apiserver is in AlwaysAllow, how can we test this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, we'll have to live with a manual test. See #59579 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@soltysh so what changes should I make? Since there is no way to test error exit 1 I think the commit is good as it is now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fbac, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/sig cli |
You must be a member of the kubernetes/kubernetes-milestone-maintainers github team to add status labels. |
[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process Pull Request Labels
|
/test pull-kubernetes-e2e-kops-aws |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
kubectl auth can-i verb resource always returns 0 status, even if the user can't
With this commit, kubectl will return exit code 1 when a verb is not allowed. It doesn't affect quiet option.
Release note: