Simplify DataImportCron ServiceAccount authorization #3970
Conversation
kubevirt-bot
added
release-note
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test pull-cdi-linter |
|
@arnongilboa real linter issues in there |
akalenyu
left a comment
akalenyu
left a comment
There was a problem hiding this comment.
skimmed through, looks good, will try to properly go over this later and find releases containing this API
Just a note, this might've been easier to review if it was split to
- revert commit
- reintroduce with new api
sure, fixing. |
kubevirt-bot
added
dco-signoff: no
…ubevirt#3946)" This reverts commit b578f2a. Signed-off-by: Arnon Gilboa <[email protected]>
kubevirt-bot
added
dco-signoff: yes
In case of DataImportCron with PVC source, the controller checks the namespace default ServiceAccount is authorized to clone the source PVC. This is a minimally partial backport of kubevirt#3970. Signed-off-by: Arnon Gilboa <[email protected]>
In case of DataImportCron with PVC source, the controller checks the namespace default ServiceAccount is authorized to clone the source PVC. This is a minimally partial backport of kubevirt#3970. Signed-off-by: Arnon Gilboa <[email protected]>
In case of DataImportCron with PVC source, the controller checks the namespace default ServiceAccount is authorized to clone the source PVC. This is a minimally partial backport of kubevirt#3970. Signed-off-by: Arnon Gilboa <[email protected]>
In case of DataImportCron with PVC source, the controller checks the namespace default ServiceAccount is authorized to clone the source PVC. This is a minimally partial backport of kubevirt#3970. Signed-off-by: Arnon Gilboa <[email protected]>
In case of DataImportCron with PVC source, the controller checks the namespace default ServiceAccount is authorized to clone the source PVC. This is a minimally partial backport of kubevirt#3970. Signed-off-by: Arnon Gilboa <[email protected]>
| // ServiceAccountName is the name of the ServiceAccount for creating DataVolumes. | ||
| // +optional | ||
| CreatedBy *string `json:"createdBy,omitempty"` | ||
| ServiceAccountName string `json:"serviceAccountName,omitempty"` |
There was a problem hiding this comment.
In PodSpec it's ServiceAccountName string. Afaik this is the standard choice in Kubernetes, as the zero value ("") represents the "not set" state when combined with the omitempty tag.
There was a problem hiding this comment.
Pod spec has been around for a long time, likely predating API conventions
Maybe make it a pointer and add: +kubebuilder:validation:MinLength=1
|
|
||
| var userInfo authenticationv1.UserInfo | ||
| if err := json.Unmarshal([]byte(*createdBy), &userInfo); err != nil { | ||
| if resp, err := dv.AuthorizeSA(dv.Namespace, dv.Name, r, dataImportCron.Namespace, dataImportCron.Spec.ServiceAccountName); err != nil { |
There was a problem hiding this comment.
Don't pass unset ServiceAccountName. See: https://github.com/kubevirt/kubevirt/blob/main/pkg/virt-controller/watch/vm/vm.go#L490-L495
There was a problem hiding this comment.
Sure, I'll use "default" in this case, but note that in your link if somehow vol.ServiceAccount.ServiceAccountName == "" it will also be used instead of "default".
There was a problem hiding this comment.
pretty sure you can't have a serviceaccount volume with empty sa name
arnongilboa
force-pushed
the
dic_sa
branch
2 times, most recently
from
5d5b676 to
32acdbf
Compare
|
/retest |
akalenyu
left a comment
akalenyu
left a comment
There was a problem hiding this comment.
Looks good, some comments, but the approach looks ok for me
tests/dataimportcron_test.go
Outdated
| }) | ||
| }) | ||
|
|
||
| Context("DataImportCron controller authorization when cloning from PVC source", func() { |
There was a problem hiding this comment.
bit of a shame to use functional tests for this, it's all just a bunch of APIs that could be faked
There was a problem hiding this comment.
Agree. I just recycled the tests of the previous PR which involved the webhooks, so I felt func tests are appropriate. I'll sure change to utests.
| return true, nil | ||
| } | ||
|
|
||
| func (r *DataImportCronReconciler) CreateSar(sar *authorizationv1.SubjectAccessReview) (*authorizationv1.SubjectAccessReview, error) { |
There was a problem hiding this comment.
I think it'll read nicer if there was a separate struct for AuthorizationHelperProxy impl
There was a problem hiding this comment.
Sure, I'll fix.
Add ServiceAccountName to DataImportCron spec, replacing CreatedBy which was added in kubevirt#3946. In case of DataImportCron with PVC source, the controller checks the ServiceAccount is authorized to clone the source PVC. Signed-off-by: Arnon Gilboa <[email protected]>
|
@arnongilboa: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
4 participants
What this PR does / why we need it:
Add
ServiceAccountNametoDataImportCronspec, replacingCreatedBywhich was added in #3946.In case of
DataImportCronwith PVC source, the controller checks theServiceAccountis authorized to clone the source PVC.Release note: