Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make k8s permissions test optional #4618

Merged
merged 2 commits into from
Oct 23, 2020
Merged

Make k8s permissions test optional #4618

merged 2 commits into from
Oct 23, 2020

Conversation

awly
Copy link
Contributor

@awly awly commented Oct 21, 2020

There are several legitimate cases where it can fail:

  • root proxy running inside k8s but without access to local k8s cluster
  • root proxy running with a dummy kubeconfig that we recommended in the
    past

Leave a ForwarderConfig flag to enforce this check, it will be useful in
kubernetes_service later that should always have the right permissions.

webvictim
webvictim reviewed Oct 22, 2020
View reviewed changes
lib/kube/proxy/auth.go Outdated Show resolved Hide resolved
lib/kube/proxy/auth.go Outdated Show resolved Hide resolved
lib/kube/proxy/auth.go Outdated Show resolved Hide resolved
lib/kube/proxy/auth.go Outdated Show resolved Hide resolved
@awly awly force-pushed the andrew/kube_impersonation_check_optional branch 2 times, most recently from 0aa1913 to 7591d3c Compare October 22, 2020 17:15
@awly awly requested a review from webvictim October 22, 2020 17:15
webvictim
webvictim reviewed Oct 22, 2020
View reviewed changes
lib/kube/proxy/forwarder.go
@@ -91,6 +91,9 @@ type ForwarderConfig struct {
// PingPeriod is a period for sending ping messages on the incoming
// connection.
PingPeriod time.Duration
// StrictImpersonationCheck specifies whether to fail when impersonation
// permissions of this forwarder can't be tested.
StrictImpersonationCheck bool
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to set a default value for this somewhere?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default is the zero value (false).
This will only be set to true in the new kubernetes_service (when it's ready #4611).

webvictim
webvictim approved these changes Oct 22, 2020
View reviewed changes
Copy link
Contributor

@webvictim webvictim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Andrew Lytvynov and others added 2 commits October 23, 2020 11:19
Make k8s permissions test optional
cc343c2 
There are several legitimate cases where it can fail:
- root proxy running inside k8s but without access to local k8s cluster
- root proxy running with a dummy kubeconfig that we recommended in the
  past

Leave a ForwarderConfig flag to enforce this check, it will be useful in
kubernetes_service later that should always have the right permissions.
@webvictim
Apply suggestions from code review
bf28d8c 
Co-authored-by: Gus Luxton <[email protected]>
@awly awly force-pushed the andrew/kube_impersonation_check_optional branch from 7591d3c to bf28d8c Compare October 23, 2020 18:20
@awly awly merged commit f56014f into master Oct 23, 2020
@awly awly deleted the andrew/kube_impersonation_check_optional branch October 23, 2020 18:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webvictim webvictim webvictim approved these changes

@fspmarshall fspmarshall Awaiting requested review from fspmarshall

@klizhentas klizhentas Awaiting requested review from klizhentas

@russjones russjones Awaiting requested review from russjones

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@awly @webvictim