Error on manipulation for cluster services / add-ons #17740
Conversation
k8s-github-robot
added
the
size/M
|
Should we have a cmd flag that allows the user to bypass this check? Something like |
janetkuo
force-pushed
the
manipulate-cluster-services
branch
from
7946079
to
99591f3
Compare
|
I think we probably should have a way to bypass it, since we may want to for testing purposes. Case in point, #17614. |
janetkuo
force-pushed
the
manipulate-cluster-services
branch
from
99591f3
to
00640d0
Compare
|
I added a flag |
k8s-github-robot
added
size/L
janetkuo
force-pushed
the
manipulate-cluster-services
branch
from
00640d0
to
786d98e
Compare
|
Couple of design points: Why are services special? Why isn't this kubernetes.io/cluster-resource: We have several types of auto resources - endpoints, services, secrets, I don't think this is specific to cluster scoped resources. |
|
@liggitt this would solve several deletion related problems. |
|
|
||
| // AddMutateClusterServiceFlag adds a flag that prevents the manipulation on add-ons. Used by mutations only. | ||
| func AddMutateClusterServiceFlag(cmd *cobra.Command) { | ||
| cmd.Flags().BoolP("addon-check", "", true, "If true, prevents the users from manipulating add-ons / cluster services. See http://releases.k8s.io/HEAD/cluster/addons for more info. Default true.") |
There was a problem hiding this comment.
deletion protection seems like something we'd want in general, and this seems like a too-specific application of it... can we make this flag more general?
That requires a GET before DELETE, which at the very least doubles requests. In other cases, someone could be allowed to delete something they cannot get... what would you do with that? |
|
Go ahead and do the delete. If the admin wants you to blindly delete, you On Nov 25, 2015, at 9:07 PM, Jordan Liggitt notifications@github.com Why are services special? Why isn't this kubernetes.io/cluster-resource: That requires a GET before DELETE, which at the very least doubles — |
janetkuo
force-pushed
the
manipulate-cluster-services
branch
2 times, most recently
from
ac47c28
to
e6bbd32
Compare
k8s-github-robot
added
size/M
|
Changed the flag from |
k8s-github-robot
added
the
needs-rebase
janetkuo
force-pushed
the
manipulate-cluster-services
branch
from
e6bbd32
to
6a1ecbf
Compare
janetkuo
removed
the
needs-rebase
k8s-github-robot
removed
the
needs-rebase
|
Rebased. @jlowdermilk @smarterclayton @liggitt PTAL. |
| @@ -70,7 +70,7 @@ func TestDeleteNamedObject(t *testing.T) { | |||
| Codec: codec, | |||
| Client: fake.CreateHTTPClient(func(req *http.Request) (*http.Response, error) { | |||
| switch p, m := req.URL.Path, req.Method; { | |||
| case p == "/namespaces/test/replicationcontrollers/redis-master-controller" && m == "DELETE": | |||
| case p == "/namespaces/test/replicationcontrollers/redis-master-controller" && (m == "DELETE" || m == "GET"): | |||
| return &http.Response{StatusCode: 200, Body: objBody(codec, &rc.Items[0])}, nil | |||
| default: | |||
| // Ensures no GET is performed when deleting by name | |||
There was a problem hiding this comment.
these tests were explicitly here to make sure deletes succeed when GET fails (the case where a user is allowed to DELETE something they cannot GET)... we still need to test those scenarios.
There was a problem hiding this comment.
so I think we need the following tests:
- GET succeeds, and is followed by DELETE
- GET returns 404... not sure if DELETE should be performed or not
- GET returns 403, and is followed by DELETE, which succeeds
There was a problem hiding this comment.
Originally I added GET here because I needed to GET a resource to check if it's a cluster service (check its label) before deleting it.
There was a problem hiding this comment.
I understand, but we need tests that ensure a DELETE can succeed even when the GET does not
k8s-github-robot
added
the
needs-rebase
janetkuo
force-pushed
the
manipulate-cluster-services
branch
from
6a1ecbf
to
c5c557e
Compare
k8s-github-robot
removed
the
needs-rebase
|
Just rebased. Ping for another look. |
|
It doesn't look like my last set of comments were addressed. Please take another look |
|
@liggitt I missed your comments. Will update accordingly. |
k8s-github-robot
added
the
needs-rebase
|
Ping! |
|
@liggitt I'm not sure if I understand you correctly. If we're making a new annotation, say |
| cmdutil.AddOutputFlagsForMutation(cmd) | ||
| cmdutil.AddWriteProtectFlag(cmd) |
There was a problem hiding this comment.
stop is deprecated, should we update it?
|
Needs a rebase |
I'm saying we should additionally set the |
|
GCE e2e build/test failed for commit c5c557e. Please reference the list of currently known flakes when examining this failure. If you request a re-test, you must reference the issue describing the flake. |
|
I think we want the general annotation, because it aligns with a bunch of other author -> user communication we will want. We have use cases for a "do not reconcile automatically" annotation that I would like to make |
k8s-github-robot
added
size/L
|
This PR hasn't been active in 90 days. Closing this PR. Please reopen if you would like to work towards merging this change, if/when the PR is ready for the next round of review. cc @janetkuo @kargakis You can add 'keep-open' label to prevent this from happening again, or add a comment to keep it open another 90 days |
Fixes #17532.
Stops the users from manipulating cluster services (add-ons, i.e. resources with the label
kubernetes.io/cluster-service: "true") inkubectl.For example, if we have an rc "addon" with such label:
We only do this check when
delete,stop,rolling-update, andreplace --force(which does delete) a resource.For testing purpose, added a flag
--write-protect[=true]to bypass the check if set to false.cc @kubernetes/kubectl @kubernetes/goog-ux @nikhiljindal @erictune
This change is