
Allow RoleRemoteProxy to list kube_servers when cluster isn't licensed for Kubernetes #25461

Merged
tigrato merged 1 commit into master from tigrato/disable-kube-if-not-supported-by-license
May 2, 2023

@tigrato commented May 2, 2023

When a remote proxy retrieves the list of kube clusters available in the remote cluster and the remote cluster isn't licensed, the request fails because the remote proxy role was not whitelisted. This PR does not return the license error if the requester is a local or remote server.

This PR also disables the `kubernetes_service` on startup if the cluster is not licensed for Kubernetes access.

This prevents the process from being in the degraded state when trying to upsert the `kube_server` via heartbeat.

@tigrato force-pushed the tigrato/disable-kube-if-not-supported-by-license branch 2 times, most recently from 309b40f to 1fc9f4d (May 2, 2023 16:32)
@tigrato changed the title from "Disable kubernetes_service if cluster is not licensed for Kube" to "Allow RoleRemoteProxy to list 'kube_servers` when cluster isn't licensed for Kubernetes" (May 2, 2023)
@tigrato changed the title from "Allow RoleRemoteProxy to list 'kube_servers` when cluster isn't licensed for Kubernetes" to "Allow RoleRemoteProxy to list kube_servers when cluster isn't licensed for Kubernetes" (May 2, 2023)
Comment thread lib/authz/permissions.go (Outdated)
@tigrato force-pushed the tigrato/disable-kube-if-not-supported-by-license branch from 1fc9f4d to 9e81235 (May 2, 2023 16:40)
@tigrato marked this pull request as ready for review (May 2, 2023 16:40)
@github-actions (bot) requested review from greedy52 and jakule (May 2, 2023 16:40)
@tigrato force-pushed the tigrato/disable-kube-if-not-supported-by-license branch from 9e81235 to 3f42c4b (May 2, 2023 16:42)
@tigrato added this pull request to the merge queue (May 2, 2023)
Merged via the queue into master with commit 4a3bd2c (May 2, 2023)
@tigrato deleted the tigrato/disable-kube-if-not-supported-by-license branch (May 2, 2023 17:13)
@public-teleport-github-review-bot
@tigrato See the table below for backport results.

| Branch | Result |
|---|---|
| branch/v13 | Create PR |
