Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: getAllowedResources for all namespaces using SelfSubjectRulesReview #6614

Merged
merged 4 commits into from
Nov 22, 2022
Merged

fix: getAllowedResources for all namespaces using SelfSubjectRulesReview #6614

merged 4 commits into from
Nov 22, 2022

Conversation

ahippler
Copy link
Contributor

@ahippler ahippler commented Nov 18, 2022
edited
Loading

fixes #6613

the SelfSubjectRulesReview lists all resources for a namespaces. This reduces the api calls from resource_count * namespace_count to namespace_count

@ahippler ahippler requested a review from a team as a code owner November 18, 2022 19:18
@ahippler ahippler requested review from Nokel81 and jim-docker and removed request for a team November 18, 2022 19:18
@ahippler ahippler force-pushed the feature/use-selfsubjectrulesreviews branch from 9fd08d6 to 6124e0c Compare November 18, 2022 19:21
@Nokel81
Copy link
Collaborator

Nokel81 commented Nov 18, 2022

Very cool indeed. I wonder what the performance penalties are with clusters that have hundreds or thousands of namespaces. Maybe we should also (as future work) add the ability to disable this check and just show all the menus.

Also it seems like getAllowedResources is called every 30s which seems a bit overkill. Would you be able to make it so that it only refreshed every 15minutes like metadata is?

@Nokel81
Copy link
Collaborator

Nokel81 commented Nov 18, 2022

fixes #2609
fixes #6151
fixes #1700
fixes #4493
fixes #3363
fixes #2399

This was linked to issues Nov 18, 2022
In AWS EKS the list of pods is visible from kubectl not from Lens. #2609
Closed
Cluster permissions with narrow namespace coverage #6151
Closed
Lens 4.0 Breaking on MAC #1700
Closed
Cannot view workload after upgrading to Lens 5.3.2-latest.20211201.1 with restricted permissions #4493
Closed
Lens does not show Workloads even after full uninstall #3363
Closed
Lens making too many network call even when the UI is closed #2399
Closed
@ahippler ahippler force-pushed the feature/use-selfsubjectrulesreviews branch from 6124e0c to 396abdb Compare November 18, 2022 21:12
@Nokel81 Nokel81 added this to the 6.2.1 milestone Nov 21, 2022
@Nokel81 Nokel81 added the bug Something isn't working label Nov 21, 2022
Nokel81
Nokel81 previously approved these changes Nov 21, 2022
View reviewed changes
Copy link
Collaborator

@Nokel81 Nokel81 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks very much for this! This is a great first step. As I stated above we might want to have an option to disable this in the future for people if they have too big of a cluster

@ahippler ahippler force-pushed the feature/use-selfsubjectrulesreviews branch from 396abdb to ed33d64 Compare November 21, 2022 13:05
@ahippler
Copy link
Contributor Author

fixed the linter issues

Nokel81
Nokel81 previously approved these changes Nov 21, 2022
View reviewed changes
@Nokel81 Nokel81 modified the milestones: 6.2.1, 6.2.2 Nov 21, 2022
@ahippler ahippler force-pushed the feature/use-selfsubjectrulesreviews branch from 13ae0e0 to be9d0cf Compare November 21, 2022 20:28
@ahippler
Copy link
Contributor Author

SelfSubjectRulesReview returns * if all resources of one (more more) group(s) have the same permissions. Its is not possible to list the allowed resources for * without a list of supported resources. So i ended up collecting the available resources with some other requests

@ahippler ahippler force-pushed the feature/use-selfsubjectrulesreviews branch from be9d0cf to 26089ea Compare November 22, 2022 10:52
ahippler
ahippler commented Nov 22, 2022
View reviewed changes
integration/__tests__/cluster-pages.tests.ts
@@ -417,7 +411,7 @@ const scenarios = [
{
expectedSelector: "h5.title",
parentSidebarItemTestId: "sidebar-item-link-for-user-management",
sidebarItemTestId: "sidebar-item-link-for-pod-security-policies",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minikube does not have PodSecurityPolicy

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then why did this test pass previously?

Copy link
Contributor Author

@ahippler ahippler Nov 22, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like the api reports missing ressources as allowed:

$ kubectl --context minikube auth can-i list podsecuritypolicies
Warning: the server doesn't have a resource type 'podsecuritypolicies'

yes

@github-actions
Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@Nokel81
Copy link
Collaborator

Nokel81 commented Nov 22, 2022

Please resolve conflicts

@ahippler ahippler force-pushed the feature/use-selfsubjectrulesreviews branch from 26089ea to dc3893c Compare November 22, 2022 16:18
@github-actions
Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Nokel81 Nokel81 merged commit 6d7090f into lensapp:master Nov 22, 2022
@ahippler ahippler deleted the feature/use-selfsubjectrulesreviews branch November 22, 2022 17:49
Nokel81 pushed a commit that referenced this pull request Nov 24, 2022
@ahippler @Nokel81
fix: getAllowedResources for all namespaces using SelfSubjectRulesRev…
bc430bf 
…iew (#6614)

* fix: getAllowedResources for all namespaces using SelfSubjectRulesReview

Signed-off-by: Andreas Hippler <[email protected]>

* fix: refresh accessibility every 15 min

Signed-off-by: Andreas Hippler <[email protected]>

* chore: remove unused clusterRefreshHandler

Signed-off-by: Andreas Hippler <[email protected]>

* fix: resolve SelfSubjectRulesReview globs

Signed-off-by: Andreas Hippler <[email protected]>

Signed-off-by: Andreas Hippler <[email protected]>
Co-authored-by: Andreas Hippler <[email protected]>
Signed-off-by: Sebastian Malton <[email protected]>
@Nokel81 Nokel81 mentioned this pull request Nov 24, 2022
Merged
Nokel81 added a commit that referenced this pull request Nov 24, 2022
@Nokel81 @ahippler
@jansav @aleksfront @jakolehm @dependabot
Release 6.2.2 (#6642)
4a13f51 
* Release 6.2.2

Signed-off-by: Sebastian Malton <[email protected]>

* fix: getAllowedResources for all namespaces using SelfSubjectRulesReview (#6614)

* fix: getAllowedResources for all namespaces using SelfSubjectRulesReview

Signed-off-by: Andreas Hippler <[email protected]>

* fix: refresh accessibility every 15 min

Signed-off-by: Andreas Hippler <[email protected]>

* chore: remove unused clusterRefreshHandler

Signed-off-by: Andreas Hippler <[email protected]>

* fix: resolve SelfSubjectRulesReview globs

Signed-off-by: Andreas Hippler <[email protected]>

Signed-off-by: Andreas Hippler <[email protected]>
Co-authored-by: Andreas Hippler <[email protected]>
Signed-off-by: Sebastian Malton <[email protected]>

* Add missing gutter between sections in cluster settings (#6631)

Signed-off-by: Janne Savolainen <[email protected]>

Signed-off-by: Janne Savolainen <[email protected]>

* Adding spacing between Metrics Settings sections (#6632)

Signed-off-by: Alex Andreev <[email protected]>

Signed-off-by: Alex Andreev <[email protected]>

* Fix crash when upgrading release (#6626)

* Fix crash when upgrading release

Signed-off-by: Sebastian Malton <[email protected]>

* Fix crash when upgrading helm releases

- Fixes not being able to upgrade helm releases as well.

Signed-off-by: Sebastian Malton <[email protected]>

* Fix tests

Signed-off-by: Sebastian Malton <[email protected]>

* Fix test failures

Signed-off-by: Sebastian Malton <[email protected]>

Signed-off-by: Sebastian Malton <[email protected]>

* Removing big padding after cluster  settings avatar (#6634)

Signed-off-by: Alex Andreev <[email protected]>

Signed-off-by: Alex Andreev <[email protected]>

* Fix KubeApi watch retry on timeout (#6640)

* fix KubeApi watch retry on timeout

Signed-off-by: Jari Kolehmainen <[email protected]>

* Fix tests

Signed-off-by: Sebastian Malton <[email protected]>

Signed-off-by: Jari Kolehmainen <[email protected]>
Signed-off-by: Sebastian Malton <[email protected]>
Co-authored-by: Sebastian Malton <[email protected]>

* Bump electron from 19.1.6 to 19.1.7 (#6637)

Bumps [electron](https://github.com/electron/electron) from 19.1.6 to 19.1.7.
- [Release notes](https://github.com/electron/electron/releases)
- [Changelog](https://github.com/electron/electron/blob/main/docs/breaking-changes.md)
- [Commits](electron/electron@v19.1.6...v19.1.7)

---
updated-dependencies:
- dependency-name: electron
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Sebastian Malton <[email protected]>
Signed-off-by: Andreas Hippler <[email protected]>
Signed-off-by: Janne Savolainen <[email protected]>
Signed-off-by: Alex Andreev <[email protected]>
Signed-off-by: Jari Kolehmainen <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Andreas Hippler <[email protected]>
Co-authored-by: Andreas Hippler <[email protected]>
Co-authored-by: Janne Savolainen <[email protected]>
Co-authored-by: Alex Andreev <[email protected]>
Co-authored-by: Jari Kolehmainen <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Iku-turso added a commit that referenced this pull request Nov 25, 2022
@Iku-turso
Revert "fix: getAllowedResources for all namespaces using SelfSubject…
8e98767 
…RulesReview (#6614)"

This reverts commit 6d7090f

Signed-off-by: Iku-turso <[email protected]>
@Iku-turso Iku-turso mentioned this pull request Nov 25, 2022
Merged
Nokel81 pushed a commit that referenced this pull request Nov 25, 2022
@Iku-turso
Release/v6.2.3 (#6649)
3011bab 
* Revert "fix: getAllowedResources for all namespaces using SelfSubjectRulesReview (#6614)"

This reverts commit 6d7090f

Signed-off-by: Iku-turso <[email protected]>

* Bump version for patch release

Co-authored-by: Janne Savolainen <[email protected]>

Signed-off-by: Iku-turso <[email protected]>

Signed-off-by: Iku-turso <[email protected]>
@Nokel81 Nokel81 mentioned this pull request Jan 10, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Nokel81 Nokel81 Nokel81 approved these changes

@jim-docker jim-docker Awaiting requested review from jim-docker jim-docker is a code owner automatically assigned from lensapp/lens-ide

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
6.2.2
2 participants
@ahippler @Nokel81