cybozu-go / accurate

Kubernetes controller for multi-tenancy. It propagates resources between namespaces accurately and allows tenant users to create/delete sub-namespaces.
https://cybozu-go.github.io/accurate/
Apache License 2.0

fix: check RBAC to watched resources on startup #134

Closed erikgb closed 3 months ago

erikgb commented 3 months ago

This PR adds more validation of configuration on startup. The operator must have cluster-wide RBAC to CRUD all configured watches to function as intended by the user. At startup, we will now use SelfSubjectAccessReview to check the required RBAC for all configured watches and crash if anything is missing.

Note: After migrating to SSA, we no longer need the update verb. I included this minor change in this PR, but please let me know if a dedicated PR is required.

Close https://github.com/cybozu-go/accurate/issues/102
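
The startup check described in the comment above, sketched in Go as an added example; it is not code from this PR or from the accurate project. The local types, the `AccessReviewer` function type, the verb list and `fakeReviewer` are assumptions made so the example runs offline; a real controller would submit `SelfSubjectAccessReview` objects through client-go and exit on the returned error.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical local shapes; real code would use k8s.io/api/authorization/v1.
type (
	ResourceAttributes struct{ Group, Resource, Verb, Namespace string }
	Watch              struct{ Group, Resource string }
	AccessReviewer     func(ResourceAttributes) (bool, error)
)

// Assumed verb set: no "update", since server-side apply goes through patch.
var requiredVerbs = []string{"get", "list", "watch", "create", "patch", "delete"}

// CheckWatchRBAC reviews every verb on every watch with an empty namespace
// (all namespaces) and reports every gap in a single error.
func CheckWatchRBAC(review AccessReviewer, watches []Watch) error {
	var missing []string
	for _, w := range watches {
		name := strings.TrimSuffix(w.Resource+"."+w.Group, ".")
		for _, verb := range requiredVerbs {
			ok, err := review(ResourceAttributes{Group: w.Group, Resource: w.Resource, Verb: verb})
			if err != nil { // fail closed: an unanswered review is not a grant
				return fmt.Errorf("access review %s %s: %w", verb, name, err)
			}
			if !ok {
				missing = append(missing, verb+" "+name)
			}
		}
	}
	if len(missing) > 0 {
		return fmt.Errorf("missing cluster-wide RBAC: %s", strings.Join(missing, ", "))
	}
	return nil
}

// fakeReviewer is a constructed stand-in for the API server: resource -> verbs.
func fakeReviewer(grants map[string]string) AccessReviewer {
	return func(a ResourceAttributes) (bool, error) {
		return strings.Contains(" "+grants[a.Resource]+" ", " "+a.Verb+" "), nil
	}
}

func main() { // constructed grants: secrets are read-only, so the check fails
	role := fakeReviewer(map[string]string{"configmaps": "get list watch create patch delete", "secrets": "get list watch"})
	fmt.Println(CheckWatchRBAC(role, []Watch{{"", "configmaps"}, {"", "secrets"}}))
}
```

Collecting every denied verb before returning lets an operator fix the ClusterRole in one pass instead of one crash per missing permission.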

erikgb commented 3 months ago

> Thanks for the PR! Would it be difficult to add tests for this feature?

I thought about tests when preparing the PR, and I think it's a bit more difficult than usual. But I agree there should ideally be tests for everything and will take another look!

erikgb commented 3 months ago

I have now added some initial tests to this feature. Please let me know if more detailed testing is required.

zoetrope commented 3 months ago

@erikgb Thanks!