mirror of
https://github.com/lensapp/lens.git
synced 2025-05-20 05:10:56 +00:00
4a13f516f5
* Release 6.2.2 Signed-off-by: Sebastian Malton <sebastian@malton.name> * fix: getAllowedResources for all namespaces using SelfSubjectRulesReview (#6614) * fix: getAllowedResources for all namespaces using SelfSubjectRulesReview Signed-off-by: Andreas Hippler <andreas.hippler@goto.com> * fix: refresh accessibility every 15 min Signed-off-by: Andreas Hippler <andreas.hippler@goto.com> * chore: remove unused clusterRefreshHandler Signed-off-by: Andreas Hippler <andreas.hippler@goto.com> * fix: resolve SelfSubjectRulesReview globs Signed-off-by: Andreas Hippler <andreas.hippler@goto.com> Signed-off-by: Andreas Hippler <andreas.hippler@goto.com> Co-authored-by: Andreas Hippler <andreas.hippler@goto.com> Signed-off-by: Sebastian Malton <sebastian@malton.name> * Add missing gutter between sections in cluster settings (#6631) Signed-off-by: Janne Savolainen <janne.savolainen@live.fi> Signed-off-by: Janne Savolainen <janne.savolainen@live.fi> * Adding spacing between Metrics Settings sections (#6632) Signed-off-by: Alex Andreev <alex.andreev.email@gmail.com> Signed-off-by: Alex Andreev <alex.andreev.email@gmail.com> * Fix crash when upgrading release (#6626) * Fix crash when upgrading release Signed-off-by: Sebastian Malton <sebastian@malton.name> * Fix crash when upgrading helm releases - Fixes not being able to upgrade helm releases as well. Signed-off-by: Sebastian Malton <sebastian@malton.name> * Fix tests Signed-off-by: Sebastian Malton <sebastian@malton.name> * Fix test failures Signed-off-by: Sebastian Malton <sebastian@malton.name> Signed-off-by: Sebastian Malton <sebastian@malton.name> * Removing big padding after cluster settings avatar (#6634) Signed-off-by: Alex Andreev <alex.andreev.email@gmail.com> Signed-off-by: Alex Andreev <alex.andreev.email@gmail.com> * Fix KubeApi watch retry on timeout (#6640) * fix KubeApi watch retry on timeout Signed-off-by: Jari Kolehmainen <jari.kolehmainen@gmail.com> * Fix tests Signed-off-by: Sebastian Malton <sebastian@malton.name> Signed-off-by: Jari Kolehmainen <jari.kolehmainen@gmail.com> Signed-off-by: Sebastian Malton <sebastian@malton.name> Co-authored-by: Sebastian Malton <sebastian@malton.name> * Bump electron from 19.1.6 to 19.1.7 (#6637) Bumps [electron](https://github.com/electron/electron) from 19.1.6 to 19.1.7. - [Release notes](https://github.com/electron/electron/releases) - [Changelog](https://github.com/electron/electron/blob/main/docs/breaking-changes.md) - [Commits](https://github.com/electron/electron/compare/v19.1.6...v19.1.7) --- updated-dependencies: - dependency-name: electron dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Sebastian Malton <sebastian@malton.name> Signed-off-by: Andreas Hippler <andreas.hippler@goto.com> Signed-off-by: Janne Savolainen <janne.savolainen@live.fi> Signed-off-by: Alex Andreev <alex.andreev.email@gmail.com> Signed-off-by: Jari Kolehmainen <jari.kolehmainen@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Andreas Hippler <andreas.hippler@logmein.com> Co-authored-by: Andreas Hippler <andreas.hippler@goto.com> Co-authored-by: Janne Savolainen <janne.savolainen@live.fi> Co-authored-by: Alex Andreev <alex.andreev.email@gmail.com> Co-authored-by: Jari Kolehmainen <jari.kolehmainen@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
88 lines
3.0 KiB
TypeScript
88 lines
3.0 KiB
TypeScript
/**
|
|
* Copyright (c) OpenLens Authors. All rights reserved.
|
|
* Licensed under MIT License. See LICENSE in root directory for more information.
|
|
*/
|
|
|
|
import type { KubeConfig } from "@kubernetes/client-node";
|
|
import { AuthorizationV1Api } from "@kubernetes/client-node";
|
|
import { getInjectable } from "@ogre-tools/injectable";
|
|
import type { Logger } from "../logger";
|
|
import loggerInjectable from "../logger.injectable";
|
|
import type { KubeApiResource } from "../rbac";
|
|
|
|
/**
|
|
* Requests the permissions for actions on the kube cluster
|
|
* @param namespace The namespace of the resources
|
|
* @param availableResources List of available resources in the cluster to resolve glob values fir api groups
|
|
* @returns list of allowed resources names
|
|
*/
|
|
export type RequestNamespaceResources = (namespace: string, availableResources: KubeApiResource[]) => Promise<string[]>;
|
|
|
|
/**
|
|
* @param proxyConfig This config's `currentContext` field must be set, and will be used as the target cluster
|
|
*/
|
|
export type AuthorizationNamespaceReview = (proxyConfig: KubeConfig) => RequestNamespaceResources;
|
|
|
|
interface Dependencies {
|
|
logger: Logger;
|
|
}
|
|
|
|
const authorizationNamespaceReview = ({ logger }: Dependencies): AuthorizationNamespaceReview => {
|
|
return (proxyConfig) => {
|
|
|
|
const api = proxyConfig.makeApiClient(AuthorizationV1Api);
|
|
|
|
return async (namespace, availableResources) => {
|
|
try {
|
|
const { body } = await api.createSelfSubjectRulesReview({
|
|
apiVersion: "authorization.k8s.io/v1",
|
|
kind: "SelfSubjectRulesReview",
|
|
spec: { namespace },
|
|
});
|
|
|
|
const resources = new Set<string>();
|
|
|
|
body.status?.resourceRules.forEach(resourceRule => {
|
|
if (!resourceRule.verbs.some(verb => ["*", "list"].includes(verb)) || !resourceRule.resources) {
|
|
return;
|
|
}
|
|
|
|
const apiGroups = resourceRule.apiGroups;
|
|
|
|
if (resourceRule.resources.length === 1 && resourceRule.resources[0] === "*" && apiGroups) {
|
|
if (apiGroups[0] === "*") {
|
|
availableResources.forEach(resource => resources.add(resource.apiName));
|
|
} else {
|
|
availableResources.forEach((apiResource)=> {
|
|
if (apiGroups.includes(apiResource.group || "")) {
|
|
resources.add(apiResource.apiName);
|
|
}
|
|
});
|
|
}
|
|
} else {
|
|
resourceRule.resources.forEach(resource => resources.add(resource));
|
|
}
|
|
|
|
});
|
|
|
|
return [...resources];
|
|
} catch (error) {
|
|
logger.error(`[AUTHORIZATION-NAMESPACE-REVIEW]: failed to create subject rules review: ${error}`, { namespace });
|
|
|
|
return [];
|
|
}
|
|
};
|
|
};
|
|
};
|
|
|
|
const authorizationNamespaceReviewInjectable = getInjectable({
|
|
id: "authorization-namespace-review",
|
|
instantiate: (di) => {
|
|
const logger = di.inject(loggerInjectable);
|
|
|
|
return authorizationNamespaceReview({ logger });
|
|
},
|
|
});
|
|
|
|
export default authorizationNamespaceReviewInjectable;
|