Review permission check apache#5210
lburgazzoli committed May 8, 2024
1 parent 6be1c1b commit f2f6531
Showing 5 changed files with 5 additions and 106 deletions.
22 changes: 3 additions & 19 deletions addons/master/master.go
Expand Up @@ -77,12 +77,8 @@ func NewMasterTrait() trait.Trait {
}

const (
masterComponent = "master"
)

var (
leaseResourceType = "Lease"
configMapResourceType = "ConfigMap"
masterComponent = "master"
leaseResourceType = "Lease"
)

func (t *masterTrait) Configure(e *trait.Environment) (bool, *trait.TraitCondition, error) {
Expand Down Expand Up @@ -132,15 +128,7 @@ func (t *masterTrait) Configure(e *trait.Environment) (bool, *trait.TraitConditi
}

if t.ResourceType == nil {
canUseLeases, err := t.canUseLeases(e)
if err != nil {
return false, nil, err
}
if canUseLeases {
t.ResourceType = &leaseResourceType
} else {
t.ResourceType = &configMapResourceType
}
t.ResourceType = pointer.String(leaseResourceType)
}

if t.LabelKey == nil {
Expand Down Expand Up @@ -230,10 +218,6 @@ func (t *masterTrait) setCatalogConfiguration(e *trait.Environment) {
}
}

func (t *masterTrait) canUseLeases(e *trait.Environment) (bool, error) {
return kubernetes.CheckPermission(e.Ctx, t.Client, "coordination.k8s.io", "leases", e.Integration.Namespace, "", "create")
}

func findAdditionalDependencies(e *trait.Environment, meta metadata.IntegrationMetadata) []string {
var dependencies []string
for _, endpoint := range meta.FromURIs {
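Review bot: Dropping the `canUseLeases` probe means the default at `t.ResourceType = pointer.String(leaseResourceType)` is now applied without confirming that the integration can create `coordination.k8s.io/leases` in its namespace, so an integration whose ServiceAccount is still only granted ConfigMap access will presumably fail to acquire the master lock at runtime instead of being steered to the ConfigMap lock as the removed branch did. That is a fair simplification if the operator-managed Role always grants lease permissions, but the trait should say so where the default is set, since RBAC is now a deployment precondition rather than something detected here: `// Default to the Lease lock; RBAC is no longer probed, so the integration's Role must grant create/get/update on coordination.k8s.io/leases (set resourceType explicitly to use a ConfigMap lock instead).` The `configMapResourceType` value is gone but `ResourceType` is still user-settable, so whether an explicit `ConfigMap` value is still honored should be confirmed against the runtime. Configure's body begins above the hunk and continues below it.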
2 changes: 1 addition & 1 deletion addons/master/master_test.go
Expand Up @@ -101,7 +101,7 @@ func TestMasterOn(t *testing.T) {
err = mt.Apply(&environment)
require.NoError(t, err)
assert.Equal(t, "test-lock", environment.ApplicationProperties["camel.k.master.resourceName"])
assert.Equal(t, "ConfigMap", environment.ApplicationProperties["camel.k.master.resourceType"])
assert.Equal(t, leaseResourceType, environment.ApplicationProperties["camel.k.master.resourceType"])
assert.Equal(t, "camel.apache.org/integration", environment.ApplicationProperties["camel.k.master.labelKey"])
assert.Equal(t, "test", environment.ApplicationProperties["camel.k.master.labelValue"])
assert.Equal(t, "${camel.k.master.resourceName}", environment.ApplicationProperties["quarkus.camel.cluster.kubernetes.resource-name"])
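Review bot: The updated assertion compares the property against the same `leaseResourceType` constant the trait uses to produce it, so it no longer pins the literal value that the Camel runtime actually consumes; a typo in the constant would pass this test. Keep the expectation as a literal, as the removed line did: `assert.Equal(t, "Lease", environment.ApplicationProperties["camel.k.master.resourceType"])`. TestMasterOn starts outside the hunk.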
24 changes: 0 additions & 24 deletions pkg/cmd/operator/operator.go
Expand Up @@ -36,14 +36,12 @@ import (

appsv1 "k8s.io/api/apps/v1"
batchv1 "k8s.io/api/batch/v1"
coordination "k8s.io/api/coordination/v1"
corev1 "k8s.io/api/core/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/selection"
"k8s.io/client-go/tools/leaderelection/resourcelock"
"k8s.io/client-go/tools/record"
"sigs.k8s.io/controller-runtime/pkg/cache"
ctrl "sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/config"
Expand All @@ -61,7 +59,6 @@ import (
"github.com/apache/camel-k/v2/pkg/client"
"github.com/apache/camel-k/v2/pkg/controller"
"github.com/apache/camel-k/v2/pkg/controller/synthetic"
"github.com/apache/camel-k/v2/pkg/event"
"github.com/apache/camel-k/v2/pkg/install"
"github.com/apache/camel-k/v2/pkg/platform"
"github.com/apache/camel-k/v2/pkg/util/defaults"
Expand Down Expand Up @@ -145,20 +142,6 @@ func Run(healthPort, monitoringPort int32, leaderElection bool, leaderElectionID
bootstrapClient, err := client.NewClientWithConfig(false, cfg)
exitOnError(err, "cannot initialize client")

// We do not rely on the event broadcaster managed by controller runtime,
// so that we can check the operator has been granted permission to create
// Events. This is required for the operator to be installable by standard
// admin users, that are not granted create permission on Events by default.
broadcaster := record.NewBroadcaster()
defer broadcaster.Shutdown()

if ok, err := kubernetes.CheckPermission(ctx, bootstrapClient, corev1.GroupName, "events", watchNamespace, "", "create"); err != nil || !ok {
// Do not sink Events to the server as they'll be rejected
broadcaster = event.NewSinkLessBroadcaster(broadcaster)
exitOnError(err, "cannot check permissions for creating Events")
log.Info("Event broadcasting is disabled because of missing permissions to create Events")
}

operatorNamespace := platform.GetOperatorNamespace()
if operatorNamespace == "" {
// Fallback to using the watch namespace when the operator is not in-cluster.
Expand All @@ -175,12 +158,6 @@ func Run(healthPort, monitoringPort int32, leaderElection bool, leaderElectionID
platform.OperatorImage, err = getOperatorImage(ctx, bootstrapClient)
exitOnError(err, "cannot get operator container image")

if ok, err := kubernetes.CheckPermission(ctx, bootstrapClient, coordination.GroupName, "leases", operatorNamespace, "", "create"); err != nil || !ok {
leaderElection = false
exitOnError(err, "cannot check permissions for creating Leases")
log.Info("The operator is not granted permissions to create Leases")
}

if !leaderElection {
log.Info("Leader election is disabled!")
}
Expand Down Expand Up @@ -223,7 +200,6 @@ func Run(healthPort, monitoringPort int32, leaderElection bool, leaderElectionID
}

mgr, err := manager.New(cfg, manager.Options{
EventBroadcaster: broadcaster,
LeaderElection: leaderElection,
LeaderElectionNamespace: operatorNamespace,
LeaderElectionID: leaderElectionID,
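Review bot: With both `kubernetes.CheckPermission` calls removed, a missing RBAC grant is no longer detected before the manager is built: leader election stays enabled regardless, so an operator ServiceAccount without create/get/update on `coordination.k8s.io/leases` will presumably never acquire the lock (and with the default event broadcaster, Event writes from a ServiceAccount lacking create on `events` will be rejected by the API server and logged repeatedly) instead of the operator degrading with the single log line the old code emitted. The removed comment stated the Events probe existed so non-cluster-admin users could install the operator; if that requirement was dropped deliberately, record the new precondition next to `manager.New`, for example `// Leader election and Event recording assume the operator Role grants create/get/update on coordination.k8s.io/leases and create on events; permissions are no longer probed at startup.` Otherwise a fail-fast check on the lease permission before `manager.New`, with `exitOnError` on a denied result, would keep a misconfigured install from starting silently. Run's body starts and ends outside the hunk.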
62 changes: 0 additions & 62 deletions pkg/event/broadcaster.go

This file was deleted.

1 change: 1 addition & 0 deletions script/Makefile
Expand Up @@ -728,6 +728,7 @@ bundle-index: opm yq
CSV_SKIPS=$(CSV_SKIP_RANGE) CSV_REPLACES=$(CSV_REPLACES) CHANNELS="$(CHANNELS)" \
./script/build_bundle_index.sh


## Location to install dependencies to
$(LOCALBIN):
mkdir -p $(LOCALBIN)
