Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure user client with service account backup when fetching namespaces. #5940

Merged
merged 2 commits into from
Feb 1, 2023
Merged

Ensure user client with service account backup when fetching namespaces. #5940

merged 2 commits into from
Feb 1, 2023

Conversation

absoludity
Copy link
Contributor

@absoludity absoludity commented Feb 1, 2023
edited
Loading

Description of the change

The main change here is to ensure that the request for namespaces uses the user client first, then the service account client. For a detailed analysis of the issue it is fixing, see my comment on 5755

While there, I have tried to clarify the code a little, so that it is clearer when the user client is being used (it now matches the comments again).

I also fixed an RBAC issue in the dev environment (so that kubeapps-user@example.com is permitted to access, in addition to oidc:kubeapps-user@example.com, since the former is what pinniped uses).

Benefits

Back to expected behavior when authenticated as a non-privileged user with or without a service account token configured in Kubeapps' clusters configuration.

Possible drawbacks

Applicable issues

Additional information

I've tested this pretty thoroughly locally with multiple clusters using both unprivileged and privileged users (with additional log lines showing exactly what token is being used when), but only in the namespaces call-site.

@absoludity
Fix use of service account client in namespaces call.
cb548e1 
Still need to check other call-sites.

Signed-off-by: Michael Nelson <minelson@vmware.com>
@absoludity
Remove unnecessary comments.
f6a13ce 
Signed-off-by: Michael Nelson <minelson@vmware.com>
@netlify
Copy link

netlify bot commented Feb 1, 2023
edited
Loading

Deploy Preview for kubeapps-dev ready!

Name Link
🔨 Latest commit f6a13ce
🔍 Latest deploy log https://app.netlify.com/sites/kubeapps-dev/deploys/63d9d2ab27721c0008de1138
😎 Deploy Preview https://deploy-preview-5940--kubeapps-dev.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@absoludity absoludity marked this pull request as ready for review February 1, 2023 02:56
@absoludity absoludity changed the title 5755 multi cluster auth Ensure user client with service account backup when fetching namespaces. Feb 1, 2023
@absoludity absoludity merged commit 90981b5 into main Feb 1, 2023
@absoludity absoludity deleted the 5755-multi-cluster-auth branch February 1, 2023 19:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ppbaena ppbaena ppbaena approved these changes

Assignees
No one assigned
Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

find namespaces incorrectly swapped client context and incorrectly using pinniped proxy
3 participants
@absoludity @ppbaena @vmwclabot