-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add configuration to permissions pre-flight check to use SelfSubjectAccessReview
or SelfSubjectRulesReview
#931
Add configuration to permissions pre-flight check to use SelfSubjectAccessReview
or SelfSubjectRulesReview
#931
Conversation
@rashmigottipati @tmshort Do y'all want to review this first? In case you already have and it looks good to you, please drop an LGTM 😄 |
@praveenrewar that sounds good, I'll make sure to review it today/tomorrow. :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good (added some optional nits). Should we also add a test for SelfSubjectRulesReview
. I think the existing ones only tests SelfSubjectAccessReview
as that is used by default.
// An error is returned if there are any issues creating a SelfSubjectRulesReview (i.e can't determine permissions) | ||
// or if the SelfSubjectRulesReview is evaluated and the caller does not have the permission to perform the actions | ||
// identified in the provided ResourceAttributes. | ||
func (rv *SelfSubjectRulesReviewValidator) ValidatePermissions(ctx context.Context, resourceAttrib *authv1.ResourceAttributes) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(optional) nit: resourceAttributes
instead of resourceAttrib
? (Also applicable to ValidatePermissions on SelfSubjectAccessReviewValidator)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I missed making this change. I can make this change if needed, but functionally it shouldn't make a difference
I think that is reasonable. I think this might be possible via adding a kapp Config resource to the appropriate tests and changing the value there, which I hadn't thought of before. I'll try to have a change made soon-ish for this |
@everettraven Just checking if you are still working on it or your forgot to push your changes. (No rush) |
@praveenrewar thanks for following up! I was working on the changes a bit yesterday. I'll finish them up and push today |
to allow configuring whether it uses SelfSubjectAccessReview or SelfSubjectRulesReview to determine if a user has the appropriate permissions. Defaults to SelfSubjectAccessReview for backwards compatibility Signed-off-by: everettraven <[email protected]>
Signed-off-by: everettraven <[email protected]>
cb68443
to
0505c5f
Compare
@praveenrewar @100mik rebased and pushed. I can squash the commits if needed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
What this PR does / why we need it:
SelfSubjectAccessReview
s are great for this pre-flight check's use case, but can a bit intense on the API server (for every resource we are sending at least one request to the API server). For users who are concerned about the load placed on the API server, it would be nice to allow the option to use aSelfSubjectRulesReview
instead as it will give the set of permissions a user has for a namespace. Using this API, and caching the results per namespace, results in less requests sent directly to the API server.This PR:
permissions
package to have a pluggablePermissionValidator
interface that has aValidatePermissions
function instead of using a single, inextensible function as existed previously.PermissionValidator
implementations that validates permissions usingSelfSubjectAccessReview
andSelfSubjectRulesReview
PermissionValidator
interfaceWhich issue(s) this PR fixes:
Fixes #930
Does this PR introduce a user-facing change?
Additional Notes for your reviewer:
Review Checklist:
a link to that PR
change
Additional documentation e.g., Proposal, usage docs, etc.: