Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Optional ability to check if client has permissions to perform CRUD actions before trying them #1381

Open
ncdc opened this issue Oct 27, 2023 · 6 comments
Labels
carvel-accepted This issue should be considered for future work and that the triage process has been completed enhancement This issue is a feature request

Comments

@ncdc
Copy link

ncdc commented Oct 27, 2023

Describe the problem/challenge you have
When reconciling an App and making changes to a cluster, kapp immediately tries to perform all the CRUD changes. If/when it encounters an error, it stops immediately. This can leave the content on the cluster in some intermediate or unknown state.

Describe the solution you'd like
Add an optional field to the App spec to allow the user to indicate they'd like kapp to check if the client (service account or cluster credentials) has permissions to perform every operation needed before executing any of them. If any of the checks fails, kapp makes no modifications to the cluster and returns an error.

Anything else you would like to add:
The SubjectAccessReview API can be used for these checks.

The related kapp issue is carvel-dev/kapp#855.


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

@ncdc ncdc added carvel-triage This issue has not yet been reviewed for validity enhancement This issue is a feature request labels Oct 27, 2023
@praveenrewar praveenrewar added carvel-accepted This issue should be considered for future work and that the triage process has been completed and removed carvel-triage This issue has not yet been reviewed for validity labels Nov 4, 2023
@100mik
Copy link
Contributor

100mik commented Jan 10, 2024

We do have access to al the GVKs we need CRUD on before we actually deploy. In theory, we could do SubjectAccessReviews on these in the diffing phase if a certain flag is provided 🤔

@praveenrewar
Copy link
Member

(Related slack thread)

@everettraven
Copy link

@100mik @praveenrewar Now that there is a preflight check for this in kapp as of carvel-dev/kapp#887 is there anything left to do for this functionality besides waiting for a new release of kapp?

It looks like the App resource already has an option to pass in a set of raw options via the App.spec.deploy.kapp.rawOptions field that can be used to enable/disable preflight checks

@praveenrewar
Copy link
Member

@everettraven We have a list of kapp flags that are allowed in kapp-controller. We need to add the preflight flag in there while bumping the kapp version in kapp-controller.

@praveenrewar
Copy link
Member

@everettraven Since the version of kapp with the preflight checks is now available in kapp-controller, do you want to add it to the allowed list?

@everettraven
Copy link

@praveenrewar I can add it to my list of things to do, but it will likely fall fairly low in priority on that list. If someone else has the cycles to do it sooner, please feel free to do so!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
carvel-accepted This issue should be considered for future work and that the triage process has been completed enhancement This issue is a feature request
Projects
Status: No status
Development

No branches or pull requests

4 participants