search

kcp-dev / kcp

Kubernetes-like control planes for form-factors and use-cases beyond Kubernetes and container workloads.
https://kcp.io
Apache License 2.0
2.36k stars 382 forks source link

bug: synctargets not accessible via multi-tenant controller #2154

Closed mjudeikis closed 2 years ago

mjudeikis commented 2 years ago

Describe the bug

This might not be supported use-case, so if so, lets just close this one as "by-design" as I'm cautions that im going very close to "this is not how this suppose to be used" type of work here.

Idea would be that users would be able to "bring your own" syncTargets into workspaces and we help to controll interactions with them. So existance of syncTarget is "pre-existing".

Steps To Reproduce

I have 2 workspaces: compute and foo. foo workspace contains synctarget compute runs multitenant controller

  1. APIexport in compute 
    apiVersion: apis.kcp.dev/v1alpha1
kind: APIExport
metadata:
name: access.faros.sh
spec:
latestResourceSchemas:
- today.requests.access.faros.sh
permissionClaims:
- group: "access.faros.sh"
  resource: "requests"
- group: ""
  resource: "secrets"
- group: ""
  resource: "configmaps"
- group: "workload.kcp.dev"
  resource: "synctargets"
  2. APIBinding in foo: 
    apiVersion: apis.kcp.dev/v1alpha1
kind: APIBinding
metadata:
name: access.faros.sh
spec:
permissionClaims:
- group: access.faros.sh
resource: requests
state: Accepted
- group: ""
resource: secrets
state: Accepted
- group: ""
resource: configmaps
state: Accepted
- group: workload.kcp.dev
resource: synctargets
state: Accepted
reference:
workspace:
  exportName: access.faros.sh
  path: root:compute:controllers

when I try do get synctarget I get: (*meta.NoKindMatchError)(0xc003628440)(no matches for kind "SyncTarget" in version "workload.kcp.dev/v1alpha1")

    // Add the logical cluster to the context
    ctx = logicalcluster.WithCluster(ctx, logicalcluster.New(req.ClusterName))

    logger.Info("Getting Request")
    var request accessv1alpha1.Request
    if err := r.Get(ctx, req.NamespacedName, &request); err != nil {
        if errors.IsNotFound(err) {
            // Normal - was deleted
            return ctrl.Result{}, nil
        }
        return ctrl.Result{}, err
    }

    requestCopy := request.DeepCopy()

    // check if sync target exists and is ready
    synctargets := &workloadv1alpha1.SyncTargetList{}
    err := r.List(ctx, synctargets)
    spew.Dump(synctargets)
    spew.Dump(err)

I can always add global KCP client pointing to all cluster, and not VirtualWorkspace, but this would beat the purpose of "multi-tenan controller".

Expected Behaviour

Be able to access synctargets?

Additional Context

No response

ncdc commented 2 years ago

You need to include the identityHash in the permission claim for synctargets in both the APIExport and the APIBinding

ncdc commented 2 years ago

You're running into #2152

mjudeikis commented 2 years ago

Ouch, yes you are right. Just in my case Im trying to consume `SyncTarget" API exposed by the platfroms APIBindings.

Gonna close as duplicate as it worked if I added the hash:

apiVersion: apis.kcp.dev/v1alpha1
kind: APIExport
metadata:
  name: access.faros.sh
spec:
  latestResourceSchemas:
    - today.requests.access.faros.sh
  permissionClaims:
    - group: "access.faros.sh"
      resource: "requests"
    - group: ""
      resource: "secrets"
    - group: ""
      resource: "configmaps"
    - group: "workload.kcp.dev"
      identityHash: a2f09aebf5bc96033c19aaa1dbe2c1808542ad3ffd65b68e30fcdd3ae61c35cc
      resource: "synctargets"

@hasheddan let me know if you want/need any help with #2152