This repository was archived by the owner on Nov 14, 2024. It is now read-only.

feat: kubernetes: check RBAC #6

Merged
johnstcn merged 16 commits into main from cianjohnston/ch15968/check_rbac on Aug 24, 2021

@johnstcn johnstcn commented Aug 19, 2021

This PR adds the capability to check if the current cluster context has the required permissions for Coder.

Note: I ran into a strange issue with importas alerting for authorizationv1client; I disabled this check for the moment.
Edit: worked around this.

Basing this PR against a different branch until it is merged, and will then rebase onto main.

@johnstcn johnstcn requested a review from jawnsy August 19, 2021 15:19
@shortcut-integration

This pull request has been linked to Clubhouse Story #15968: Checks for RBAC permissions.

@johnstcn johnstcn self-assigned this Aug 19, 2021
@johnstcn johnstcn marked this pull request as draft August 20, 2021 14:59
- pkg: k8s.io/client-go/kubernetes/typed/authorization/(v[\w\d]+)
- pkg: k8s.io/api/authorization/(v[\w\d]+)
alias: authorization$1
- pkg: k8s.io/client-go/kubernetes/typed/authorization/(v[\w\d]+)
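
Review bot: the character class `[\w\d]` in the `(v[\w\d]+)` capture group of these `pkg` patterns is redundant, because `\w` already matches digits. `(v\w+)` captures the same version segments and is easier to read.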

Ahh, it's kinda unfortunate that we have to import a bunch of these this way, but makes sense to me!

@johnstcn johnstcn marked this pull request as ready for review August 23, 2021 10:02
func (k *KubernetesChecker) CheckRBAC(ctx context.Context) []*api.CheckResult {
const checkName = "kubernetes-rbac"
authClient := k.client.AuthorizationV1()
rbacReqs := findClosestVersionRequirements(k.coderVersion)
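
Review bot: at `rbacReqs := findClosestVersionRequirements(k.coderVersion)`, the function name implies a fallback to the nearest known version, so the RBAC rules that get checked may belong to a different release than the one in `k.coderVersion`. Suggest recording the matched version in the check result, so that a passing `kubernetes-rbac` check is not read as covering a version whose requirements were never evaluated.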

Not important to do now, can do this as another PR -- can we check this in the Validate step, so that these errors are impossible? The idea is that only server errors or genuine failures should cause FAIL results; bad input should be caught before anything runs (calling code should call Validate, check for errors, and then Run).

Base automatically changed from cianjohnston/check_helm_version to main August 24, 2021 15:15
@johnstcn johnstcn merged commit 831e4d5 into main Aug 24, 2021
@johnstcn johnstcn deleted the cianjohnston/ch15968/check_rbac branch August 24, 2021 15:26