bug: APIs bound through Permission Claims not available when using identityHash

[johnmcollier]

Describe the bug

When specifying another APIExport's identityHash in a permission claim in an APIExport / APIBinding, the APIBinding will create successfully:

E.g.:

apiVersion: apis.kcp.dev/v1alpha1
kind: APIBinding
metadata:
  name: has-binding
spec:
  reference:
    workspace:
      path: root:has
      exportName: has
  acceptedPermissionClaims:
      - group: ""
        resource: "secrets"
        verbs: ["get", "list", "watch"]
      - group: ""
        resource: "configmaps"
        verbs: ["get", "list", "watch"]
      - identityHash: 5d8e0fa5f9a10dbff668aad2cd63777e061c837e3f0a2f1adda15f7acae9fd53
        group: "appstudio.redhat.com"
        resource: "environments"
      - identityHash: 5d8e0fa5f9a10dbff668aad2cd63777e061c837e3f0a2f1adda15f7acae9fd53
        group: "appstudio.redhat.com"
        resource: "applicationsnapshotenvironmentbindings"

with the following status conditions:

  conditions:
  - lastTransitionTime: "2022-08-26T18:24:05Z"
    status: "True"
    type: Ready
  - lastTransitionTime: "2022-08-26T18:24:05Z"
    status: "True"
    type: APIExportValid
  - lastTransitionTime: "2022-08-26T18:24:05Z"
    status: "True"
    type: BindingUpToDate
  - lastTransitionTime: "2022-08-26T18:24:05Z"
    status: "True"
    type: InitialBindingCompleted
  - lastTransitionTime: "2022-08-26T18:24:05Z"
    status: "True"
    type: PermissionClaimsApplied
  - lastTransitionTime: "2022-08-26T18:24:05Z"
    status: "True"
    type: PermissionClaimsValid

But if I run kubectl get environments the command fails, saying error: the server doesn't have a resource type "environments"

Steps To Reproduce

I've created a reporducer here: https://github.com/johnmcollier/kcp-permissionclaims-reproducer

Expected Behaviour

The APIs specified in the permission claims are available.

Additional Context

No response

[ncdc]

/assign

[ncdc]

@johnmcollier please try adding another APIBinding in your workspace, to the gitops APIExport.

/priority awaiting-more-evidence

[johnmcollier]

@ncdc Yes, if I add another APIBinding the APIs in the gitops APIExport become available. But I thought the permission claims meant that wasn't needed?

kcp/pkg/apis/apis/v1alpha1/types_apiexport.go

Lines 143 to 158 in 4abc675

	// permissionClaims make resources available in APIExport's virtual workspace that are not part
	// of the actual APIExport resources.
	//
	// PermissionClaims are optional and should be the least access necessary to complete the functions
	// that the service provider needs. Access is asked for on a GroupResource + identity basis.
	//
	// PermissionClaims must be accepted by the user's explicit acknowledgement. Hence, when claims
	// change, the respecting objects are not visible immediately.
	//
	// PermissionClaims overlapping with the APIExport resources are ignored.
	//
	// +optional
	// +listType=map
	// +listMapKey=group
	// +listMapKey=resource
	PermissionClaims []PermissionClaim `json:"permissionClaims,omitempty"`

[stevekuznetsov]

Is this #1183 ?

[ncdc]

@stevekuznetsov nope, different

[ncdc]

@johnmcollier both bindings are required

[ncdc]

This is not a bug

[ncdc]

Closing

[johnmcollier]

Then should the description for PermissionClaim be updated?

Since the description:

// permissionClaims make resources available in APIExport's virtual workspace that are not part 
// of the actual APIExport resources. `

makes it seem like the second APIBinding is not needed.

[ncdc]

That is only relevant for API providers accessing their APIExport's virtual workspace.

[johnmcollier]

@ncdc So does that mean a controller running in my APIExport's virtual workspace should have the API(s) available there without a separate APIBinding?

If so, my controller still fails on start up saying those APIs aren't available in the virtual workspace.

[ncdc]

Now that is #1183 😄