Be more benign towards cluster-access errors

Not being able to access a missing resource or forbidden resource kind in the cluster shouldn't, in general, cause operations affecting other resources to abort.
fluxcd · Mar 14, 2019 · 101f29c · 101f29c
1 parent 93cbed5
commit 101f29c
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 33 deletions.
diff --git a/cluster/kubernetes/images.go b/cluster/kubernetes/images.go
@@ -134,12 +134,11 @@ func (c *Cluster) ImagesToFetch() registry.ImageCreds {
 		for kind, resourceKind := range resourceKinds {
 			workloads, err := resourceKind.getWorkloads(c, ns.Name)
 			if err != nil {
-				if se, ok := err.(*apierrors.StatusError); ok && se.ErrStatus.Reason == meta_v1.StatusReasonNotFound {
-					// Kind not supported by API server, skip
-				} else {
-					c.logger.Log("err", errors.Wrapf(err, "getting kind %s for namespace %s", kind, ns.Name))
+				if apierrors.IsNotFound(err) || apierrors.IsForbidden(err) {
+					// Skip unsupported or forbidden resource kinds
+					continue
 				}
-				continue
+				c.logger.Log("err", errors.Wrapf(err, "getting kind %s for namespace %s", kind, ns.Name)
 			}
 
 			imageCreds := make(registry.ImageCreds)

diff --git a/cluster/kubernetes/kubernetes.go b/cluster/kubernetes/kubernetes.go
@@ -119,8 +119,8 @@ func NewCluster(client ExtendedClient, applier Applier, sshKeyRing ssh.KeyRing,
 
 // --- cluster.Cluster
 
-// SomeWorkloads returns the workloads named, missing out any that don't
-// exist in the cluster. They do not necessarily have to be returned
+// SomeWorkloads returns the workloads named, missing out any that aren't
+// accessible in the cluster. They do not necessarily have to be returned
 // in the order requested.
 func (c *Cluster) SomeWorkloads(ids []flux.ResourceID) (res []cluster.Workload, err error) {
 	var workloads []cluster.Workload
@@ -134,6 +134,9 @@ func (c *Cluster) SomeWorkloads(ids []flux.ResourceID) (res []cluster.Workload,
 
 		workload, err := resourceKind.getWorkload(c, ns, name)
 		if err != nil {
+			if apierrors.IsForbidden(err) || apierrors.IsNotFound(err) {
+				continue
+			}
 			return nil, err
 		}
 
@@ -164,19 +167,15 @@ func (c *Cluster) AllWorkloads(namespace string) (res []cluster.Workload, err er
 		for kind, resourceKind := range resourceKinds {
 			workloads, err := resourceKind.getWorkloads(c, ns.Name)
 			if err != nil {
-				if se, ok := err.(*apierrors.StatusError); ok {
-					switch se.ErrStatus.Reason {
-					case meta_v1.StatusReasonNotFound:
-						// Kind not supported by API server, skip
-						continue
-					case meta_v1.StatusReasonForbidden:
-						// K8s can return forbidden instead of not found for non super admins
-						c.logger.Log("warning", "not allowed to list resources", "err", err)
-						continue
-					default:
-						return nil, err
-					}
-				} else {
+				switch {
+				case apierrors.IsNotFound(err):
+					// Kind not supported by API server, skip
+					continue
+				case apierrors.IsForbidden(err):
+					// K8s can return forbidden instead of not found for non super admins
+					c.logger.Log("warning", "not allowed to list resources", "err", err)
+					continue
+				default:
 					return nil, err
 				}
 			}
@@ -228,19 +227,15 @@ func (c *Cluster) Export() ([]byte, error) {
 		for _, resourceKind := range resourceKinds {
 			workloads, err := resourceKind.getWorkloads(c, ns.Name)
 			if err != nil {
-				if se, ok := err.(*apierrors.StatusError); ok {
-					switch se.ErrStatus.Reason {
-					case meta_v1.StatusReasonNotFound:
-						// Kind not supported by API server, skip
-						continue
-					case meta_v1.StatusReasonForbidden:
-						// K8s can return forbidden instead of not found for non super admins
-						c.logger.Log("warning", "not allowed to list resources", "err", err)
-						continue
-					default:
-						return nil, err
-					}
-				} else {
+				switch {
+				case apierrors.IsNotFound(err):
+					// Kind not supported by API server, skip
+					continue
+				case apierrors.IsForbidden(err):
+					// K8s can return forbidden instead of not found for non super admins
+					c.logger.Log("warning", "not allowed to list resources", "err", err)
+					continue
+				default:
 					return nil, err
 				}
 			}

diff --git a/cluster/kubernetes/sync.go b/cluster/kubernetes/sync.go
@@ -17,6 +17,7 @@ import (
 	"github.com/imdario/mergo"
 	"github.com/pkg/errors"
 	"gopkg.in/yaml.v2"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -224,6 +225,11 @@ func (c *Cluster) getResourcesBySelector(selector string) (map[string]*kuberesou
 			resourceClient := c.client.dynamicClient.Resource(groupVersion.WithResource(apiResource.Name))
 			data, err := resourceClient.List(listOptions)
 			if err != nil {
+				if apierrors.IsForbidden(err) {
+					// we are not allowed to list this resource but
+					// shouldn't prevent us from listing the rest
+					continue
+				}
 				return nil, err
 			}