From f2f6531497b6e5c0d48b42a2889069e179246539 Mon Sep 17 00:00:00 2001
From: Luca Burgazzoli
Date: Wed, 8 May 2024 09:35:50 +0200
Subject: [PATCH] Review permission check #5210
---
addons/master/master.go | 22 ++-----------
addons/master/master_test.go | 2 +-
pkg/cmd/operator/operator.go | 24 --------------
pkg/event/broadcaster.go | 62 ------------------------------------
script/Makefile | 1 +
5 files changed, 5 insertions(+), 106 deletions(-)
delete mode 100644 pkg/event/broadcaster.go
diff --git a/addons/master/master.go b/addons/master/master.go
index 92fec2f16d..9fc0fe293e 100644
--- a/addons/master/master.go
+++ b/addons/master/master.go
@@ -77,12 +77,8 @@ func NewMasterTrait() trait.Trait {
 }
 const (
- masterComponent = "master"
-)
-
-var (
- leaseResourceType = "Lease"
- configMapResourceType = "ConfigMap"
+ masterComponent = "master"
+ leaseResourceType = "Lease"
 )
 func (t *masterTrait) Configure(e *trait.Environment) (bool, *trait.TraitCondition, error) {
@@ -132,15 +128,7 @@ func (t *masterTrait) Configure(e *trait.Environment) (bool, *trait.TraitConditi
 }
 if t.ResourceType == nil {
- canUseLeases, err := t.canUseLeases(e)
- if err != nil {
- return false, nil, err
- }
- if canUseLeases {
- t.ResourceType = &leaseResourceType
- } else {
- t.ResourceType = &configMapResourceType
- }
+ t.ResourceType = pointer.String(leaseResourceType)
 }
 if t.LabelKey == nil {
@@ -230,10 +218,6 @@ func (t *masterTrait) setCatalogConfiguration(e *trait.Environment) {
 }
 }
-func (t *masterTrait) canUseLeases(e *trait.Environment) (bool, error) {
- return kubernetes.CheckPermission(e.Ctx, t.Client, "coordination.k8s.io", "leases", e.Integration.Namespace, "", "create")
-}
-
 func findAdditionalDependencies(e *trait.Environment, meta metadata.IntegrationMetadata) []string {
 var dependencies []string
 for _, endpoint := range meta.FromURIs {
diff --git a/addons/master/master_test.go b/addons/master/master_test.go
index c396af1db8..c80b2abd6d 100644
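Review bot: In the second hunk `t.ResourceType = pointer.String(leaseResourceType)` makes Lease the unconditional default, so an integration whose ServiceAccount is not allowed to create `coordination.k8s.io` leases no longer falls back to ConfigMap at configure time; the failure now surfaces inside the running pod, and nothing in the hunks records that RBAC requirement. A comment on the constant in the first hunk would carry it: `// leaseResourceType is the default master lock; the integration's ServiceAccount must be allowed to create coordination.k8s.io leases.` The probe removed in the third hunk ran with `t.Client`, so it presumably reflected the operator's permissions rather than the integration's own ServiceAccount, which is worth stating as the rationale in that comment or the commit description. With `canUseLeases` gone, check that the `kubernetes` import in master.go is still used and that the `pointer` package is imported; both sit outside the hunks. `Configure` starts and ends outside the second hunk.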
--- a/addons/master/master_test.go
+++ b/addons/master/master_test.go
@@ -101,7 +101,7 @@ func TestMasterOn(t *testing.T) {
 err = mt.Apply(&environment)
 require.NoError(t, err)
 assert.Equal(t, "test-lock", environment.ApplicationProperties["camel.k.master.resourceName"])
- assert.Equal(t, "ConfigMap", environment.ApplicationProperties["camel.k.master.resourceType"])
+ assert.Equal(t, leaseResourceType, environment.ApplicationProperties["camel.k.master.resourceType"])
 assert.Equal(t, "camel.apache.org/integration", environment.ApplicationProperties["camel.k.master.labelKey"])
 assert.Equal(t, "test", environment.ApplicationProperties["camel.k.master.labelValue"])
 assert.Equal(t, "${camel.k.master.resourceName}", environment.ApplicationProperties["quarkus.camel.cluster.kubernetes.resource-name"])
diff --git a/pkg/cmd/operator/operator.go b/pkg/cmd/operator/operator.go
index cf571e30e3..ad892e41eb 100644
--- a/pkg/cmd/operator/operator.go
+++ b/pkg/cmd/operator/operator.go
@@ -36,14 +36,12 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 batchv1 "k8s.io/api/batch/v1"
- coordination "k8s.io/api/coordination/v1"
 corev1 "k8s.io/api/core/v1"
 k8serrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/selection"
 "k8s.io/client-go/tools/leaderelection/resourcelock"
- "k8s.io/client-go/tools/record"
 "sigs.k8s.io/controller-runtime/pkg/cache"
 ctrl "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/client/config"
@@ -61,7 +59,6 @@ import (
 "github.com/apache/camel-k/v2/pkg/client"
 "github.com/apache/camel-k/v2/pkg/controller"
 "github.com/apache/camel-k/v2/pkg/controller/synthetic"
- "github.com/apache/camel-k/v2/pkg/event"
 "github.com/apache/camel-k/v2/pkg/install"
 "github.com/apache/camel-k/v2/pkg/platform"
 "github.com/apache/camel-k/v2/pkg/util/defaults"
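Review bot: The updated assertion compares against the package constant `leaseResourceType` instead of the literal the Camel runtime reads, so the test no longer pins the actual property value and would keep passing if the constant were changed. Prefer `assert.Equal(t, "Lease", environment.ApplicationProperties["camel.k.master.resourceType"])`, which also matches the literal style of the neighbouring assertions. `TestMasterOn` starts and ends outside the hunk.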
@@ -145,20 +142,6 @@ func Run(healthPort, monitoringPort int32, leaderElection bool, leaderElectionID
 bootstrapClient, err := client.NewClientWithConfig(false, cfg)
 exitOnError(err, "cannot initialize client")
- // We do not rely on the event broadcaster managed by controller runtime,
- // so that we can check the operator has been granted permission to create
- // Events. This is required for the operator to be installable by standard
- // admin users, that are not granted create permission on Events by default.
- broadcaster := record.NewBroadcaster()
- defer broadcaster.Shutdown()
-
- if ok, err := kubernetes.CheckPermission(ctx, bootstrapClient, corev1.GroupName, "events", watchNamespace, "", "create"); err != nil || !ok {
- // Do not sink Events to the server as they'll be rejected
- broadcaster = event.NewSinkLessBroadcaster(broadcaster)
- exitOnError(err, "cannot check permissions for creating Events")
- log.Info("Event broadcasting is disabled because of missing permissions to create Events")
- }
-
 operatorNamespace := platform.GetOperatorNamespace()
 if operatorNamespace == "" {
 // Fallback to using the watch namespace when the operator is not in-cluster.
@@ -175,12 +158,6 @@ func Run(healthPort, monitoringPort int32, leaderElection bool, leaderElectionID
 platform.OperatorImage, err = getOperatorImage(ctx, bootstrapClient)
 exitOnError(err, "cannot get operator container image")
- if ok, err := kubernetes.CheckPermission(ctx, bootstrapClient, coordination.GroupName, "leases", operatorNamespace, "", "create"); err != nil || !ok {
- leaderElection = false
- exitOnError(err, "cannot check permissions for creating Leases")
- log.Info("The operator is not granted permissions to create Leases")
- }
-
 if !leaderElection {
 log.Info("Leader election is disabled!")
 }
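Review bot: `leaderElection` now stays true whenever the flag is set, even when the operator's ServiceAccount cannot create `coordination.k8s.io` leases, because the second hunk (`@@ -175,12`) drops the probe that cleared it and logged `The operator is not granted permissions to create Leases`; presumably the denied lease create now shows up only inside controller-runtime's leader-election error loop, which is harder to diagnose from the operator log. A comment before `if !leaderElection {` would record the new assumption: `// Lease create permission is assumed to be granted by the operator's RBAC; a denial surfaces as leader-election errors rather than as a startup check.` The first hunk makes the equivalent change for Events: with the default controller-runtime broadcaster, an install without create on events has its Event posts rejected by the API server instead of being silenced up front, which deserves a line in the commit description for admins installing with reduced RBAC. The removal of the `EventBroadcaster` option in the later hunk of this file follows from it. `Run` starts and ends outside both hunks.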
@@ -223,7 +200,6 @@ func Run(healthPort, monitoringPort int32, leaderElection bool, leaderElectionID
 }
 mgr, err := manager.New(cfg, manager.Options{
- EventBroadcaster: broadcaster,
 LeaderElection: leaderElection,
 LeaderElectionNamespace: operatorNamespace,
 LeaderElectionID: leaderElectionID,
diff --git a/pkg/event/broadcaster.go b/pkg/event/broadcaster.go
deleted file mode 100644
index fd8f5bef9e..0000000000
--- a/pkg/event/broadcaster.go
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package event
-
-import (
- corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/watch"
- "k8s.io/client-go/tools/record"
- "k8s.io/klog/v2"
-)
-
-type sinkLessBroadcaster struct {
- broadcaster record.EventBroadcaster
-}
-
-func (s sinkLessBroadcaster) StartEventWatcher(eventHandler func(*corev1.Event)) watch.Interface {
- return s.broadcaster.StartEventWatcher(eventHandler)
-}
-
-func (s sinkLessBroadcaster) StartRecordingToSink(sink record.EventSink) watch.Interface {
- return watch.NewEmptyWatch()
-}
-
-func (s sinkLessBroadcaster) StartLogging(logf func(format string, args ...interface{})) watch.Interface {
- return s.broadcaster.StartLogging(logf)
-}
-
-func (s sinkLessBroadcaster) StartStructuredLogging(verbosity klog.Level) watch.Interface {
- return s.broadcaster.StartStructuredLogging(verbosity)
-}
-
-func (s sinkLessBroadcaster) NewRecorder(scheme *runtime.Scheme, source corev1.EventSource) record.EventRecorder {
- return s.broadcaster.NewRecorder(scheme, source)
-}
-
-func (s sinkLessBroadcaster) Shutdown() {
- s.broadcaster.Shutdown()
-}
-
-var _ record.EventBroadcaster = &sinkLessBroadcaster{}
-
-func NewSinkLessBroadcaster(broadcaster
record.EventBroadcaster) record.EventBroadcaster {
- return &sinkLessBroadcaster{
- broadcaster: broadcaster,
- }
-}
diff --git a/script/Makefile b/script/Makefile
index db79a62ee5..69042a5213 100644
--- a/script/Makefile
+++ b/script/Makefile
@@ -728,6 +728,7 @@ bundle-index: opm yq
 CSV_SKIPS=$(CSV_SKIP_RANGE) CSV_REPLACES=$(CSV_REPLACES) CHANNELS="$(CHANNELS)" \
 ./script/build_bundle_index.sh
+
 ## Location to install dependencies to
 $(LOCALBIN):
 mkdir -p $(LOCALBIN)