Merge pull request #41 from foriequal0/fix/impersonate

foriequal0 · Aug 12, 2024 · 71060cf · 71060cf
2 parents 147f349 + 89b8f98
commit 71060cf
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 10 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -2,7 +2,7 @@
 name = "pod-graceful-drain"
 description = "You don't need `lifecycle: { preStop: { exec: { command: [\"sleep\", \"30\"] } } }`"
 authors = ["SeongChan Lee <[email protected]>"]
-version = "0.1.0-rc.1"
+version = "0.1.0-rc.2"
 edition = "2021"
 rust-version = "1.79"
 

diff --git a/charts/pod-graceful-drain/Chart.yaml b/charts/pod-graceful-drain/Chart.yaml
@@ -3,5 +3,5 @@ name: pod-graceful-drain
 description: |
   You don't need `lifecycle: { preStop: { exec: { command: ["sleep", "30"] } } }`
 type: application
-version: 0.1.0-rc.1
-appVersion: "v0.1.0-rc.1"
+version: 0.1.0-rc.2
+appVersion: "v0.1.0-rc.2"
diff --git a/charts/pod-graceful-drain/templates/rbac.yaml b/charts/pod-graceful-drain/templates/rbac.yaml
@@ -9,7 +9,7 @@ rules:
     resources: [ events ]
     verbs: [ create ]
   - apiGroups: [ "" ]
-    resources: [ users, groups ]
+    resources: [ users, groups, serviceaccounts ]
     verbs: [ impersonate ]
   - apiGroups: [ "" ]
     resources: [ nodes ]

diff --git a/src/webhooks/mod.rs b/src/webhooks/mod.rs
@@ -22,7 +22,7 @@ use k8s_openapi::api::{core::v1::Pod, policy::v1::Eviction};
 use k8s_openapi::serde::Serialize;
 use kube::core::admission::{AdmissionRequest, AdmissionResponse, AdmissionReview};
 use kube::core::DynamicObject;
-use kube::runtime::events::{EventType, Reporter};
+use kube::runtime::events::Reporter;
 use kube::runtime::reflector::ObjectRef;
 use kube::Resource;
 use serde_json::{json, Value};
@@ -40,7 +40,7 @@ use crate::webhooks::handle_delete::delete_handler;
 use crate::webhooks::handle_eviction::eviction_handler;
 pub use crate::webhooks::patch::patch_pod_isolate;
 use crate::webhooks::reactive_rustls_config::build_reactive_rustls_config;
-use crate::webhooks::report::{debug_report_for_ref, report};
+use crate::webhooks::report::{debug_report_for_ref, warn_report_for_ref};
 use crate::webhooks::try_bind::try_bind;
 use crate::{instrumented, LoadBalancingConfig, ServiceRegistry};
 
@@ -230,10 +230,9 @@ where
                     ValueOrStatusCode::Value(response.into_review())
                 }
                 Err(err) => {
-                    report(
+                    warn_report_for_ref(
                         state,
                         ObjectReference::from(object_ref),
-                        EventType::Warning,
                         "Error",
                         "Error",
                         format!("{err:#}"),

diff --git a/src/webhooks/report.rs b/src/webhooks/report.rs
@@ -5,7 +5,7 @@ use tracing::{debug, enabled, info, Level};
 
 use crate::webhooks::AppState;
 
-pub async fn report(
+async fn report(
     state: &AppState,
     reference: ObjectReference,
     type_: EventType,
@@ -70,6 +70,21 @@ pub async fn debug_report_for(
     debug_report_for_ref(state, pod.object_ref(&()), action, reason, note).await;
 }
 
+pub async fn warn_report_for_ref(
+    state: &AppState,
+    object_ref: ObjectReference,
+    action: &str,
+    reason: &str,
+    note: String,
+) {
+    if !enabled!(Level::WARN) {
+        return;
+    }
+
+    info!(action, reason, note);
+    report(state, object_ref, EventType::Warning, action, reason, note).await;
+}
+
 pub async fn report_for(state: &AppState, pod: &Pod, action: &str, reason: &str, note: String) {
     if !enabled!(Level::INFO) {
         return;