kcp-dev / kcp

Kubernetes-like control planes for form-factors and use-cases beyond Kubernetes and container workloads.
https://kcp.io
Apache License 2.0

:sparkles: Add original user/group as extra to the impersonating client used by virtual workspace #3155

Closed turkenh closed 1 month ago

turkenh commented 3 months ago

Summary

We have some validations on our CRDs where we would like to act based on the user information, i.e., we want to allow a specific field to be initialized only by a controller and no one else. The current implementation of build virtual workspaces loses the original user info while doing impersonation.

This PR adds the original user and groups information to the impersonating client as extra, so that our validator can extract the user/group information and make decisions accordingly.

Related issue(s)

N/A

Release Notes

Add original user/groups information as extra to the impersonating client used by virtual workspace.
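
The validator-side check the description refers to, sketched as an added example that is not code from this PR or from kcp: it reads the original caller out of the `extra` field of an AdmissionReview's `userInfo` and denies anything ambiguous. The extra keys `example.io/original-user` and `example.io/original-groups`, the function names and the sample request are hypothetical, since the page does not show the keys the PR uses.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical extra keys: the page does not name the keys the PR uses.
const origUserKey, origGroupsKey = "example.io/original-user", "example.io/original-groups"

// userInfo mirrors the JSON shape of authentication.k8s.io/v1 UserInfo.
type userInfo struct {
	Username string              `json:"username"`
	Groups   []string            `json:"groups"`
	Extra    map[string][]string `json:"extra"`
}

// originalIdentity returns the caller recorded in the extras, or the authenticated
// identity when no original-user extra is set. A malformed extra yields ok=false.
func originalIdentity(u userInfo) (user string, groups []string, ok bool) {
	v, present := u.Extra[origUserKey]
	if !present {
		return u.Username, u.Groups, u.Username != ""
	}
	if len(v) != 1 || v[0] == "" {
		return "", nil, false // ambiguous: zero, several or empty original users
	}
	return v[0], u.Extra[origGroupsKey], true
}

// mayInitialize denies unless the original caller is exactly the controller.
func mayInitialize(review []byte, controller string) bool {
	var ar struct {
		Request struct {
			UserInfo userInfo `json:"userInfo"`
		} `json:"request"`
	}
	if err := json.Unmarshal(review, &ar); err != nil {
		return false
	}
	user, _, ok := originalIdentity(ar.Request.UserInfo)
	return ok && user == controller
}

// Constructed sample request, not taken from the PR.
const sample = `{"request":{"userInfo":{"username":"impersonated-user","extra":{"example.io/original-user":["system:serviceaccount:ctrl:init"]}}}}`

func main() { fmt.Println(mayInitialize([]byte(sample), "system:serviceaccount:ctrl:init")) }
```

The extras are only as trustworthy as the set of clients allowed to impersonate `userextras`, so that RBAC permission belongs to the trust boundary of any such validator.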

kcp-ci-bot commented 3 months ago

Hi @turkenh. Thanks for your PR.

I'm waiting for a kcp-dev member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

sttts commented 3 months ago

With https://github.com/kcp-dev/kcp/pull/3156 the problem here goes away as the external virtual workspace user is preserved.

sttts commented 1 month ago

/lgtm
/approve
/ok-to-test

kcp-ci-bot commented 1 month ago

LGTM label has been added.

Git tree hash: ff7c38f70b4fa926336c4744c77bfa3758356b8b

kcp-ci-bot commented 1 month ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kcp-dev/kcp/blob/main/OWNERS)~~ [sttts]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment