manager should not panic and ignore wrong Clusterscoped type setting …

…in HNCConfiguration
kubernetes-sigs · Aug 17, 2021 · 755b769 · 755b769
1 parent 8af53fa
commit 755b769
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/api/v1alpha2/hnc_config.go b/api/v1alpha2/hnc_config.go
@@ -60,6 +60,7 @@ const (
 	// Condition reasons for BadConfiguration
 	ReasonMultipleConfigsForType = "MultipleConfigurationsForType"
 	ReasonResourceNotFound       = "ResourceNotFound"
+	ReasonResourceNotNamescoped  = "ResourceNotNamescoped"
 
 	// Condition reason for OutOfSync, e.g. errors when creating a reconciler.
 	ReasonUnknown = "Unknown"

diff --git a/internal/reconcilers/hnc_config.go b/internal/reconcilers/hnc_config.go
@@ -186,14 +186,19 @@ func (r *ConfigReconciler) reconcileConfigTypes(inst *api.HNCConfiguration, allR
 		}
 
 		// Look if the resource exists in the API server.
-		gvk, err := GVKFor(gr, allRes)
+		gvk, namescoped, err := GVKNamescopedFor(gr, allRes)
 		if err != nil {
 			// If the type is not found, log error and write conditions but don't
 			// early exit since the other types can still be reconciled.
 			r.Log.Error(err, "while trying to reconcile the configuration", "type", gr, "mode", rsc.Mode)
 			r.writeCondition(inst, api.ConditionBadTypeConfiguration, api.ReasonResourceNotFound, err.Error())
 			continue
 		}
+		if !namescoped {
+			r.Log.Error(err, "while trying to reconcile the configuration", "type", gr, "mode", rsc.Mode)
+			r.writeCondition(inst, api.ConditionBadTypeConfiguration, api.ReasonResourceNotNamescoped, fmt.Sprintf("type %s is not Namescoped", gr))
+			continue
+		}
 		r.activeGVKMode[gr] = gvkMode{gvk, rsc.Mode}
 		r.activeGR[gvk] = gr
 	}
@@ -586,6 +591,13 @@ func GetAllResources(config *rest.Config) ([]*restmapper.APIGroupResources, erro
 // GVKFor searches the GR in apiserver and returns the mapping GVK. If the GR
 // doesn't exist, return an empty GVK and the error.
 func GVKFor(gr schema.GroupResource, allRes []*restmapper.APIGroupResources) (schema.GroupVersionKind, error) {
+	gvk, _, err := GVKNamescopedFor(gr, allRes)
+	return gvk, err
+}
+
+// GVKNamescopedFor searches the GR in apiserver and returns the mapping GVK and whether it is namespaced. If the GR
+// doesn't exist, return an empty GVK and the error.
+func GVKNamescopedFor(gr schema.GroupResource, allRes []*restmapper.APIGroupResources) (schema.GroupVersionKind, bool, error) {
 	// Look for a matching resource from all resources.
 	for _, groupedResources := range allRes {
 		group := groupedResources.Group
@@ -608,10 +620,10 @@ func GVKFor(gr schema.GroupResource, allRes []*restmapper.APIGroupResources) (sc
 						Version: version.Version,
 						Kind:    resource.Kind,
 					}
-					return gvk, nil
+					return gvk, resource.Namespaced, nil
 				}
 			}
 		}
 	}
-	return schema.GroupVersionKind{}, fmt.Errorf("Resource %q not found", gr)
+	return schema.GroupVersionKind{}, false, fmt.Errorf("Resource %q not found", gr)
 }
diff --git a/internal/reconcilers/hnc_config_test.go b/internal/reconcilers/hnc_config_test.go
@@ -287,6 +287,14 @@ var _ = Describe("HNCConfiguration", func() {
 		Expect(objectInheritedFrom(ctx, "crontabs", barName, "foo-crontab")).Should(Equal(fooName))
 	})
 
+	It("manager should not panic and ignore wrong Clusterscoped type setting in HNCConfiguration", func() {
+		// Add a config for a type that hasn't been defined yet.
+		addToHNCConfig(ctx, api.RBACGroup, "clusterroles", api.Propagate)
+
+		Eventually(getHNCConfigCondition(ctx, api.ConditionBadTypeConfiguration, api.ReasonResourceNotNamescoped)).
+			Should(ContainSubstring("type clusterroles.rbac.authorization.k8s.io is not Namescoped"))
+	})
+
 	It("should set NumPropagatedObjects back to 0 after deleting the source object in propagate mode", func() {
 		addToHNCConfig(ctx, "", "limitranges", api.Propagate)
 		setParent(ctx, barName, fooName)