Closed mjudeikis closed 1 year ago
@mjudeikis now that I've had time to read through this, I don't think it's a bug. You have an APIExport that claims nothing, and the binding is accepting a claim. The claim for systemds is indeed unexpected.
I was under the impression that APIExports do not need to claim types they are serving from their own latestResourceSchemas?
This is the same case for different types (I don't have it replicated now for the one from the original issue, but this is a common case in my env, which might mean I use APIExports wrong).
API binding in the consuming workspace. As you see, it fails on the user object.
```
[mjudeikis@unknown faros-hub]$ k get apibindings tenancy.faros.sh -o yaml
apiVersion: apis.kcp.dev/v1alpha1
kind: APIBinding
metadata:
  annotations:
    kcp.dev/cluster: root:faros:service:tenants
  creationTimestamp: "2022-11-30T13:26:16Z"
  finalizers:
  - apis.kcp.dev/apibinding-finalizer
  generation: 2
  labels:
    claimed.internal.apis.kcp.dev/3n21qnRo8ZVktZr1dHCAcWMFH2Ox5SYMteAOES: LstvmbbzVDDOn90ZbhzSQO5U3DMCf88h1pZ
    internal.apis.kcp.dev/export: 3n21qnRo8ZVktZr1dHCAcWMFH2Ox5SYMteAOES
  name: tenancy.faros.sh
  resourceVersion: "1197"
  uid: d7dd2e16-15fb-4062-b0a2-fe0c4334199f
spec:
  permissionClaims:
  - all: true
    group: tenancy.faros.sh
    identityHash: 08a99b8c7478a66dff2abf0f57d3b705429937e7515d787bbc654ffa6dfc47ee
    resource: workspaces
    state: Accepted
  - all: true
    group: tenancy.faros.sh
    identityHash: 08a99b8c7478a66dff2abf0f57d3b705429937e7515d787bbc654ffa6dfc47ee
    resource: users
    state: Accepted
  - all: true
    resource: secrets
    state: Accepted
  reference:
    workspace:
      exportName: tenancy.faros.sh
      path: root:faros:service:controllers
status:
  appliedPermissionClaims:
  - all: true
    resource: secrets
  boundResources:
  - group: tenancy.faros.sh
    resource: workspaces
    schema:
      UID: 14656602-d10e-4418-aa42-bedbf94fda20
      identityHash: 08a99b8c7478a66dff2abf0f57d3b705429937e7515d787bbc654ffa6dfc47ee
      name: today.workspaces.tenancy.faros.sh
    storageVersions:
    - v1alpha1
  - group: tenancy.faros.sh
    resource: users
    schema:
      UID: c7c78cd0-9769-4b8c-91c6-9296cb8ffb0f
      identityHash: 08a99b8c7478a66dff2abf0f57d3b705429937e7515d787bbc654ffa6dfc47ee
      name: today.users.tenancy.faros.sh
    storageVersions:
    - v1alpha1
  conditions:
  - lastTransitionTime: "2022-11-30T13:26:16Z"
    status: "True"
    type: Ready
  - lastTransitionTime: "2022-11-30T13:26:16Z"
    status: "True"
    type: APIExportValid
  - lastTransitionTime: "2022-11-30T13:26:16Z"
    status: "True"
    type: BindingUpToDate
  - lastTransitionTime: "2022-11-30T13:26:16Z"
    status: "True"
    type: InitialBindingCompleted
  - lastTransitionTime: "2022-11-30T13:26:16Z"
    status: "True"
    type: PermissionClaimsApplied
  - lastTransitionTime: "2022-11-30T13:28:34Z"
    message: '2 unexpected and/or invalid permission claims (showing first 2): [unexpected/invalid
      claim for users.tenancy.faros.sh (identity "08a99b8c7478a66dff2abf0f57d3b705429937e7515d787bbc654ffa6dfc47ee"),
      unexpected/invalid claim for workspaces.tenancy.faros.sh (identity "08a99b8c7478a66dff2abf0f57d3b705429937e7515d787bbc654ffa6dfc47ee")]'
    reason: InvalidPermissionClaims
    severity: Error
    status: "False"
    type: PermissionClaimsValid
  exportPermissionClaims:
  - all: true
    resource: secret
```
But as you can see, the user API is available:
```
[mjudeikis@unknown faros-hub]$ k api-resources
NAME SHORTNAMES APIVERSION NAMESPACED KIND
configmaps cm v1 true ConfigMap
events ev v1 true Event
limitranges limits v1 true LimitRange
namespaces ns v1 false Namespace
resourcequotas quota v1 true ResourceQuota
secrets v1 true Secret
serviceaccounts sa v1 true ServiceAccount
mutatingwebhookconfigurations admissionregistration.k8s.io/v1 false MutatingWebhookConfiguration
validatingwebhookconfigurations admissionregistration.k8s.io/v1 false ValidatingWebhookConfiguration
customresourcedefinitions crd,crds apiextensions.k8s.io/v1 false CustomResourceDefinition
apiresourceimports apiresource.kcp.dev/v1alpha1 false APIResourceImport
negotiatedapiresources apiresource.kcp.dev/v1alpha1 false NegotiatedAPIResource
apibindings apis.kcp.dev/v1alpha1 false APIBinding
apiexportendpointslices apis.kcp.dev/v1alpha1 false APIExportEndpointSlice
apiexports apis.kcp.dev/v1alpha1 false APIExport
apiresourceschemas apis.kcp.dev/v1alpha1 false APIResourceSchema
tokenreviews authentication.k8s.io/v1 false TokenReview
localsubjectaccessreviews authorization.k8s.io/v1 true LocalSubjectAccessReview
selfsubjectaccessreviews authorization.k8s.io/v1 false SelfSubjectAccessReview
selfsubjectrulesreviews authorization.k8s.io/v1 false SelfSubjectRulesReview
subjectaccessreviews authorization.k8s.io/v1 false SubjectAccessReview
certificatesigningrequests csr certificates.k8s.io/v1 false CertificateSigningRequest
leases coordination.k8s.io/v1 true Lease
events ev events.k8s.io/v1 true Event
clusterrolebindings rbac.authorization.k8s.io/v1 false ClusterRoleBinding
clusterroles rbac.authorization.k8s.io/v1 false ClusterRole
rolebindings rbac.authorization.k8s.io/v1 true RoleBinding
roles rbac.authorization.k8s.io/v1 true Role
locations scheduling.kcp.dev/v1alpha1 false Location
placements scheduling.kcp.dev/v1alpha1 false Placement
users tenancy.faros.sh/v1alpha1 false User
workspaces tenancy.faros.sh/v1alpha1 false Workspace
clusterworkspaces tenancy.kcp.dev/v1alpha1 false ClusterWorkspace
clusterworkspacetypes tenancy.kcp.dev/v1alpha1 false ClusterWorkspaceType
workspaces ws tenancy.kcp.dev/v1beta1 false Workspace
partitions topology.kcp.dev/v1alpha1 false Partition
partitionsets topology.kcp.dev/v1alpha1 false PartitionSet
synctargets workload.kcp.dev/v1alpha1 false SyncTarget
```
Workspace below is not a KCP workspace :)
```
[mjudeikis@unknown faros-hub]$ k get users
NAME AGE
b0210ca2-9a81-4945-b814-ee017654c3ee 5h59m
[mjudeikis@unknown faros-hub]$ k get workspaces
NAME AGE
87e48400-b6ce-4302-8879-343344fb6143 5h56m
aff0d478-ffe9-4de9-b28c-4da64eb0f473 5h54m
```
And the export claims only non-native types that are not in any of its latestResourceSchemas:
```
k kcp workspace use root:faros:service:controllers
[mjudeikis@unknown faros-hub]$ k get apiexport tenancy.faros.sh -o yaml
apiVersion: apis.kcp.dev/v1alpha1
kind: APIExport
metadata:
  annotations:
    kcp.dev/cluster: root:faros:service:controllers
  creationTimestamp: "2022-11-30T13:26:16Z"
  generation: 8
  name: tenancy.faros.sh
  resourceVersion: "1196"
  uid: 268dcf89-5347-4cd1-8313-9b75737c2844
spec:
  identity:
    secretRef:
      name: tenancy.faros.sh
      namespace: kcp-system
  latestResourceSchemas:
  - today.workspaces.tenancy.faros.sh
  - today.users.tenancy.faros.sh
  permissionClaims:
  - all: true
    group: ""
    resource: secrets
status:
  conditions:
  - lastTransitionTime: "2022-11-30T13:26:16Z"
    status: "True"
    type: IdentityValid
  - lastTransitionTime: "2022-11-30T13:26:16Z"
    status: "True"
    type: VirtualWorkspaceURLsReady
  identityHash: 08a99b8c7478a66dff2abf0f57d3b705429937e7515d787bbc654ffa6dfc47ee
  virtualWorkspaces:
  - url: https://kcp.dev.faros.sh:443/services/apiexport/root:faros:service:controllers/tenancy.faros.sh
```
Looking solely at your initial example, you had an APIExport with no latestResourceSchemas or permissionClaims. In effect, it was a "no-op" APIExport. Let me look at what you just pasted & get back in a bit
Ah, sorry, I think I cropped this out by mistake from the copy-paste :/ this time I added them with all the details
In your new example, your binding is trying to accept a claim for resources exported by the APIExport. So the reported condition is correct.
Your APIBinding can only accept claims for things listed in the APIBinding's status.exportPermissionClaims (which come from the APIExport), i.e. secrets in this example.
So you don't need to accept types which are exported "by default"? In my APIBinding:

```yaml
- all: true
  group: tenancy.faros.sh
  identityHash: 08a99b8c7478a66dff2abf0f57d3b705429937e7515d787bbc654ffa6dfc47ee
  resource: users
  state: Accepted
```

is not needed?
Let me test this tomorrow and update/close the ticket :)
Correct, by creating an APIBinding, you are declaring your intent to use the APIs exported by the APIExport. Claim acceptance is only to grant the APIExport owner the permissions they are requesting for APIs not owned and exported by the APIExport.
Got ya :) Misunderstood the API :) Let's close this one and leave it for future generations to find. If you think the error message can/should be improved, let me know. Else let's wait and see if somebody else trips over this.
Describe the bug
Invalid permission claim on native exported types
Steps To Reproduce
Bind the export:
See status:
This happens due to https://github.com/faroshq/kcp/blob/fe25bb18be22e615a38d2d3bf3de12ca497ce321/pkg/reconciler/apis/permissionclaimlabel/permissionclaimlabel_reconcile.go#L59
We read all permission claims from the export and match those with the APIBinding permission claims. Native types are exported by default, so they will not always be in the APIExport, but they WILL BE in the APIBinding.
A mismatch of those causes an error to be raised at https://github.com/faroshq/kcp/blob/fe25bb18be22e615a38d2d3bf3de12ca497ce321/pkg/reconciler/apis/permissionclaimlabel/permissionclaimlabel_reconcile.go#L87-L88
more details https://kubernetes.slack.com/archives/C021U8WSAFK/p1668443283519279
Expected Behaviour
We should not match on types exported by the APIExport, and should pre-add them into validation.
Additional Context
No response
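As an added illustration (not kcp's own code), the rule stated in the maintainer's replies and in the reconciler described above, written out as a small Go check: each claim the binding accepted is matched one for one against the export's permissionClaims, so a claim for a type the export already serves from latestResourceSchemas is reported as unexpected, while the secrets claim passes. The struct fields and the full-struct comparison are assumptions of this example, and the sample data is constructed from the YAML in the thread.

```go
package main

import "fmt"
import "strings"

// PermissionClaim holds the fields compared when a binding's accepted claim is
// matched against the export's requested claims (assumed shape; identityHash is empty for built-ins).
type PermissionClaim struct {
	Group, Resource, IdentityHash string
	All                           bool
}

// UnexpectedClaims returns, in binding order, the accepted claims the APIExport never
// requested. Types served from the export's own latestResourceSchemas are never in its claim list.
func UnexpectedClaims(exportClaims, bindingClaims []PermissionClaim) []PermissionClaim {
	requested := make(map[PermissionClaim]bool, len(exportClaims))
	for _, c := range exportClaims {
		requested[c] = true
	}
	var bad []PermissionClaim
	for _, c := range bindingClaims {
		if !requested[c] {
			bad = append(bad, c)
		}
	}
	return bad
}

// Describe renders the result in the style of the PermissionClaimsValid condition message.
func Describe(bad []PermissionClaim) string {
	parts := make([]string, 0, len(bad))
	for _, c := range bad {
		name := strings.TrimSuffix(c.Resource+"."+c.Group, ".")
		parts = append(parts, fmt.Sprintf("unexpected/invalid claim for %s (identity %q)", name, c.IdentityHash))
	}
	return fmt.Sprintf("%d unexpected and/or invalid permission claims: [%s]", len(bad), strings.Join(parts, ", "))
}

func main() {
	// Constructed from the thread: the export requests only secrets, the binding also accepted its own types.
	hash := "08a99b8c7478a66dff2abf0f57d3b705429937e7515d787bbc654ffa6dfc47ee"
	export := []PermissionClaim{{Resource: "secrets", All: true}}
	binding := []PermissionClaim{
		{Group: "tenancy.faros.sh", Resource: "workspaces", IdentityHash: hash, All: true},
		{Group: "tenancy.faros.sh", Resource: "users", IdentityHash: hash, All: true},
		{Resource: "secrets", All: true},
	}
	fmt.Println(Describe(UnexpectedClaims(export, binding)))
}
```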