
bug/flake: authorizer_test.go:437: verify that service-provider-2-admin cannot lists CRD shadowed sherriffs resources in the tenant workspace "root:e2e-workspace-nvqzj:tenant-shadowed-crd" via the virtual apiexport apiserver (kcp, closed)

ncdc avatar ncdc commented on June 2, 2024
bug/flake: authorizer_test.go:437: verify that service-provider-2-admin cannot lists CRD shadowed sherriffs resources in the tenant workspace "root:e2e-workspace-nvqzj:tenant-shadowed-crd" via the virtual apiexport apiserver

from kcp.

Comments (4)

ncdc avatar ncdc commented on June 2, 2024
    authorizer_test.go:427: verify that service-provider-2-admin can lists all claimed resources using a wildcard request
    authorizer_test.go:441: verify that service-provider-2-admin can lists sherriffs resources in the tenant workspace "root:e2e-workspace-f57nc:tenant" via the virtual apiexport apiserver
=== CONT  TestAPIExportAuthorizers
    authorizer_test.go:450: verify that service-provider-2-admin cannot list CRD shadowed cowboy resources in the tenant workspace "root:e2e-workspace-f57nc:tenant-shadowed-crd" via the virtual apiexport apiserver
I0201 20:28:00.173011   31870 bootstrap.go:236] "upserted object" apiresourceschema.workspace="1wznj91olpts85q5" apiresourceschema.namespace="" apiresourceschema.name="today.cowboys.wildwest.dev" apiresourceschema.apiVersion="apis.kcp.io/v1alpha1"
=== CONT  TestAPIExportAuthorizers
    assertions.go:1691: Waiting for condition, but got: expected a not-found error, but got cowboys:1bda3a4fb9f21dde8f3f0264eab425b025d7661a41b58121b2e5519f2fb20bbd.wildwest.dev is forbidden: User "system:serviceaccount:default:rest" cannot list resource "cowboys:1bda3a4fb9f21dde8f3f0264eab425b025d7661a41b58121b2e5519f2fb20bbd" in API group "wildwest.dev" at the cluster scope: access denied
E0201 20:28:06.323080   31870 memcache.go:206] couldn't get resource list for v1: Got empty response for: v1
=== CONT  TestAPIExportAuthorizers
    authorizer_test.go:451: 
        	Error Trace:	util.go:327
        	            				authorizer_test.go:451
        	Error:      	Condition never satisfied
        	Test:       	TestAPIExportAuthorizers
        	Messages:   	expected service-provider-2-admin to be denied to shadowed cowboy resources
--- FAIL: TestAPIExportAuthorizers (50.48s)

ncdc avatar ncdc commented on June 2, 2024

Sometimes we get the expected not-found error, sometimes we consistently get permission denied. I wonder if now that the APIBinding escalation fix is in, it should always be permission denied, and the "flake" is that it can take a tiny amount of time to go from not-found (false error) to permission denied (correct, now permanent error)?

ncdc avatar ncdc commented on June 2, 2024
    "annotations":{
        "authorization.k8s.io/decision":"forbid",
        "authorization.k8s.io/reason":"access denied",
        "request.auth.kcp.io/01-requiredgroups-decision":"Denied",
        "request.auth.kcp.io/01-requiredgroups-reason":"delegating due to service account access to logical cluster",
        "request.auth.kcp.io/02-content-decision":"Denied",
        "request.auth.kcp.io/02-content-reason":"LogicalCluster not found",
        "tenancy.kcp.io/workspace":"dpprabp7l5ygefwt"
    }
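The annotation block above is the most useful artifact in this thread: kcp records one `request.auth.kcp.io/<NN>-<name>-decision` / `-reason` pair per authorizer in the chain, plus the final `authorization.k8s.io/decision`. The following is an added triage example, not code from kcp or from this issue; it parses those annotations back into chain order so the reason recorded by the last authorizer ("LogicalCluster not found" here) can be separated from ordinary RBAC denials. The sample input is constructed from the comment above, and `LogicalClusterMissing` is a heuristic named for this example, not a kcp API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// sampleAnnotations is constructed from the audit annotations quoted in the
// comment above; it is the only input this example uses.
const sampleAnnotations = `{
    "authorization.k8s.io/decision":"forbid",
    "authorization.k8s.io/reason":"access denied",
    "request.auth.kcp.io/01-requiredgroups-decision":"Denied",
    "request.auth.kcp.io/01-requiredgroups-reason":"delegating due to service account access to logical cluster",
    "request.auth.kcp.io/02-content-decision":"Denied",
    "request.auth.kcp.io/02-content-reason":"LogicalCluster not found",
    "tenancy.kcp.io/workspace":"dpprabp7l5ygefwt"
}`

// Annotation keys exactly as they appear in the audit record above.
const (
	kcpAuthPrefix  = "request.auth.kcp.io/"
	k8sDecisionKey = "authorization.k8s.io/decision"
	k8sReasonKey   = "authorization.k8s.io/reason"
	workspaceKey   = "tenancy.kcp.io/workspace"
)

// AuthzStep is one authorizer in the chain, reconstructed from its
// "<NN>-<name>-decision" and "<NN>-<name>-reason" annotation pair.
type AuthzStep struct {
	Index    string // "01", "02", ... position in the chain
	Name     string // "requiredgroups", "content", ...
	Decision string
	Reason   string
}

// AuthzSummary is the triage view of one audit record.
type AuthzSummary struct {
	Workspace     string
	FinalDecision string
	FinalReason   string
	Steps         []AuthzStep // in chain order
	Decider       AuthzStep   // last authorizer that recorded a decision
}

// ParseAuthzAnnotations turns the annotations JSON object into an AuthzSummary.
func ParseAuthzAnnotations(raw string) (AuthzSummary, error) {
	var ann map[string]string
	if err := json.Unmarshal([]byte(raw), &ann); err != nil {
		return AuthzSummary{}, fmt.Errorf("annotations are not a JSON string map: %w", err)
	}
	byKey := map[string]*AuthzStep{}
	for k, v := range ann {
		if !strings.HasPrefix(k, kcpAuthPrefix) {
			continue
		}
		rest := strings.TrimPrefix(k, kcpAuthPrefix) // e.g. "02-content-reason"
		cut := strings.LastIndex(rest, "-")
		if cut < 0 {
			continue // not a <step>-<field> key; ignore rather than guess
		}
		stepKey, field := rest[:cut], rest[cut+1:]
		st, ok := byKey[stepKey]
		if !ok {
			st = &AuthzStep{Index: stepKey}
			if idx, name, found := strings.Cut(stepKey, "-"); found {
				st.Index, st.Name = idx, name
			}
			byKey[stepKey] = st
		}
		switch field {
		case "decision":
			st.Decision = v
		case "reason":
			st.Reason = v
		}
	}
	sum := AuthzSummary{
		Workspace:     ann[workspaceKey],
		FinalDecision: ann[k8sDecisionKey],
		FinalReason:   ann[k8sReasonKey],
	}
	for _, st := range byKey {
		sum.Steps = append(sum.Steps, *st)
	}
	sort.Slice(sum.Steps, func(i, j int) bool { return sum.Steps[i].Index < sum.Steps[j].Index })
	if n := len(sum.Steps); n > 0 {
		sum.Decider = sum.Steps[n-1]
	}
	return sum, nil
}

// LogicalClusterMissing reports whether the deciding authorizer denied because the
// logical cluster was not found on the serving shard: the signature discussed in
// this thread (shard placement), as opposed to an RBAC denial. Heuristic only.
func LogicalClusterMissing(s AuthzSummary) bool {
	return s.FinalDecision == "forbid" && strings.Contains(s.Decider.Reason, "LogicalCluster not found")
}

func main() {
	s, err := ParseAuthzAnnotations(sampleAnnotations)
	if err != nil {
		panic(err)
	}
	fmt.Printf("workspace=%s final=%s (%s)\n", s.Workspace, s.FinalDecision, s.FinalReason)
	for _, st := range s.Steps {
		fmt.Printf("  %s %-15s %-7s %s\n", st.Index, st.Name, st.Decision, st.Reason)
	}
	fmt.Printf("logical cluster missing on serving shard: %v\n", LogicalClusterMissing(s))
}
```

Reading the chain in order makes the failure mode visible without guessing from the generic "access denied" the client sees: the `requiredgroups` step delegated, and the `content` step then denied because the serving shard could not resolve the LogicalCluster at all, which is what the later comments in this thread trace to the front proxy routing `/services` to the root shard.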

ncdc avatar ncdc commented on June 2, 2024

e2e test client -> vw server -> kcp-0

logicalcluster dpprabp7l5ygefwt is on kcp-1

I'm not sure if this is a valid test scenario any more. We create workspaces on various shards, and in the failure case above, the service provider and tenant are on different shards. The service provider client goes through the front proxy to the APIExport virtual workspace, which only supports presenting data it has available (i.e., for its slice/dimension). But the front proxy in our e2e setup always proxies /services to the root shard (kcp-0).

In a real controller scenario, the client connecting to the virtual workspace is only reacting to events for the data it can see, and it wouldn't be forcibly trying to connect through the virtual workspace to some random workspace that's on a different shard. ... right?
