-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug: APIExport permission claims are not respected #2818
Comments
Looks like
Realistically, shouldn't this be a 403? We need to indicate to the provider somehow that no claims have been accepted, although it's not clear to me that this would work with a Second, it does not attempt to do any mutating requests before the claims are accepted. I think it will be more appropriate (or the only appropriate thing, once we have scoped claims?) for us to dynamically handle the set of a) resources and b) verbs on those resources that our forwarding storage allows as a function of the accepted claims? Although, this would mean that discovery is per-cluster, which ... unclear if we can support that or if clients would know what to do. |
The namespace creation looks odd, would expect it to be 403 (if I don't miss anything). The |
The prerequisite to fix this is to introduce admission in the virtual apiserver view which is done in #2456, see #2456 (comment). Once admission in the virtual apiserver view lands, checks can be implemented there to handle the case described here. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with /lifecycle rotten |
Describe the bug
APIExport permission claims are not respected.
Steps To Reproduce
kcp start
)export KUBECONFIG=$(pwd)/.kcp/admin.kubeconfig
kubectl kcp ws create provider --enter
kubectl ws
kubectl kcp bind apiexport root:provider:example
export MYWS=$(kubectl get namespace default -ojsonpath="{.metadata.annotations['kcp\.io/cluster']}")
kubectl ws root:provider
export VWURL=$(kubectl get apiexport example -ojsonpath='{.status.virtualWorkspaces[0].url}')
export PROVIDER_TOKEN=$(kubectl get secret default-token-hl48b -ojsonpath='{.data.token}' | base64 -D)
Expected Behaviour
I would expect a 503 (or 404) for both operations.
Additional Context
No response
The text was updated successfully, but these errors were encountered: