hendrik/lens
1
0
Fork 0
mirror of https://github.com/lensapp/lens.git synced 2025-05-20 05:10:56 +00:00
Code Issues Projects Releases Wiki Activity

Add check for incomplete SelfSubjectRulesReview to fix GKE

Browse Source 
Signed-off-by: Sebastian Malton <sebastian@malton.name>
This commit is contained in:
Sebastian Malton 2022-11-25 12:17:15 -05:00
parent 8b752981a0
commit 51d71f2856
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/common/cluster/authorization-namespace-review.injectable.ts
View File

@ -16,14 +16,14 @@ import type { KubeApiResource } from "../rbac";
* @param availableResources List of available resources in the cluster to resolve glob values fir api groups * @param availableResources List of available resources in the cluster to resolve glob values fir api groups
* @returns list of allowed resources names * @returns list of allowed resources names
*/ */
export type RequestNamespaceResources = (namespace: string, availableResources: KubeApiResource[]) => Promise<string[]>; export type RequestNamespaceResources = (namespace: string, availableResources: KubeApiResource[]) => Promise<string[]>;
/** /**
* @param proxyConfig This config's `currentContext` field must be set, and will be used as the target cluster * @param proxyConfig This config's `currentContext` field must be set, and will be used as the target cluster
*/ */
export type AuthorizationNamespaceReview = (proxyConfig: KubeConfig) => RequestNamespaceResources; export type AuthorizationNamespaceReview = (proxyConfig: KubeConfig) => RequestNamespaceResources;
interface Dependencies { interface Dependencies {
logger: Logger; logger: Logger;
} }
@ -42,7 +42,13 @@ const authorizationNamespaceReview = ({ logger }: Dependencies): AuthorizationNa
const resources = new Set<string>(); const resources = new Set<string>();
body.status?.resourceRules.forEach(resourceRule => { if (!body.status || body.status.incomplete) {
logger.warn(`[AUTHORIZATION-NAMESPACE-REVIEW]: allowing all resources in namespace="${namespace}" due to incomplete SelfSubjectRulesReview: ${body.status?.evaluationError}`);
return availableResources.map(r => r.apiName);
}
body.status.resourceRules.forEach(resourceRule => {
if (!resourceRule.verbs.some(verb => ["*", "list"].includes(verb)) || !resourceRule.resources) { if (!resourceRule.verbs.some(verb => ["*", "list"].includes(verb)) || !resourceRule.resources) {
return; return;
} }
@ -62,7 +68,6 @@ const authorizationNamespaceReview = ({ logger }: Dependencies): AuthorizationNa
} else { } else {
resourceRule.resources.forEach(resource => resources.add(resource)); resourceRule.resources.forEach(resource => resources.add(resource));
} }
}); });
return [...resources]; return [...resources];