diff --git a/README.md b/README.md
index 2540eba6f..8ca7009bd 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ helm install kube-ui-server appscode/kube-ui-server
 ## Usage
 ```console
-$ kubectl create -f artifacts/whoami.yaml -o yaml
+$ kubectl create -f artifacts/whoami.yaml -o yaml --validate=false
 apiVersion: authentication.k8s.io/v1
 kind: SelfSubjectReview
diff --git a/go.mod b/go.mod
index f69e8663c..26bddc0c0 100644
--- a/go.mod
+++ b/go.mod
@@ -47,7 +47,7 @@ require (
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0
 kmodules.xyz/apiversion v0.2.0
 kmodules.xyz/authorizer v0.29.1
- kmodules.xyz/client-go v0.30.38-0.20241117075231-750051a8f0b9
+ kmodules.xyz/client-go v0.30.38-0.20241118091954-9f659a58032e
 kmodules.xyz/custom-resources v0.30.0
 kmodules.xyz/go-containerregistry v0.0.12
 kmodules.xyz/monitoring-agent-api v0.30.2
diff --git a/go.sum b/go.sum
index 41973f54d..475d26351 100644
--- a/go.sum
+++ b/go.sum
@@ -927,8 +927,8 @@ kmodules.xyz/apiversion v0.2.0 h1:vAQYqZFm4xu4pbB1cAdHbFEPES6EQkcR4wc06xdTOWk= kmodules.xyz/apiversion v0.2.0/go.mod h1:oPX8g8LvlPdPX3Yc5YvCzJHQnw3YF/X4/jdW0b1am80= kmodules.xyz/authorizer v0.29.1 h1:uByGGoryKbZcfiEAhjcK/Y345I9mygNQP7DVpkMbNQQ= kmodules.xyz/authorizer v0.29.1/go.mod h1:kZRhclL8twzyt2bQuJQJbpYww2sc+qFr8I5PPoq/sWY= -kmodules.xyz/client-go v0.30.38-0.20241117075231-750051a8f0b9 h1:8qSZylUUBcY1rKlVLgm3mRjw3/mG8QT0tSuCCflmIeU= -kmodules.xyz/client-go v0.30.38-0.20241117075231-750051a8f0b9/go.mod h1:CAu+JlA8RVGtj6LQHu0Q1w2mnFUajuti49c7T1AvGdM= +kmodules.xyz/client-go v0.30.38-0.20241118091954-9f659a58032e h1:M++YOemIa3px37C984O7eiDaJjEKNV5EP+QV9z6ic3w= +kmodules.xyz/client-go v0.30.38-0.20241118091954-9f659a58032e/go.mod h1:CAu+JlA8RVGtj6LQHu0Q1w2mnFUajuti49c7T1AvGdM= kmodules.xyz/crd-schema-fuzz v0.29.1 h1:zJTlWYOrT5dsVVHW8HGcnR/vaWfxQfNh11QwTtkYpcs= kmodules.xyz/crd-schema-fuzz v0.29.1/go.mod h1:n708z9YQqLMP2KNLQVgBcRJw1QpSWLvpNCEi+KJDOYE= kmodules.xyz/custom-resources v0.30.0 h1:vR3CbseHMLwR4GvtcJJuRuwIV8voKqFqNii27rMcm1o=
diff --git a/pkg/graph/renderer.go b/pkg/graph/renderer.go
index 05a06503f..067164c1c 100644
--- a/pkg/graph/renderer.go
+++ b/pkg/graph/renderer.go
@@ -222,7 +222,11 @@ func renderPageBlock(ctx context.Context, kc client.Client, oc openvizcs.Interfa
 }
 func _renderPageBlock(ctx context.Context, kc client.Client, oc openvizcs.Interface, srcRID *kmapi.ResourceID, srcObj *unstructured.Unstructured, block *rsapi.PageBlockLayout, convertToTable bool) (*rsapi.PageBlockView, error) {
- cc, err := getClient(ctx, kc, block.Impersonate)
+ var impersonate bool
+ if block != nil && block.ResourceLocator != nil && block.Impersonate {
+ impersonate = true
+ }
+ cc, err := getClient(ctx, kc, impersonate)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/graph/setup.go b/pkg/graph/setup.go
index 46878ca19..b299aed0a 100644
--- a/pkg/graph/setup.go
+++ b/pkg/graph/setup.go
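Review bot: In pkg/graph/renderer.go the new guard in `_renderPageBlock` silently turns a block that sets `Impersonate` but has no `ResourceLocator` into a non-impersonated call, and the `return kc, nil` path visible in `getClient` suggests that case receives the server's own client. If any later code in the function queries through `cc` for such a block, it would run with the service's credentials instead of the caller's; the rest of the body is outside the hunk, so this needs confirming. Either reject the combination explicitly or document why the fallback is safe, for example `// Impersonation only applies to ResourceLocator blocks; other block kinds never query through cc.` The `block != nil` test also looks cosmetic, since a nil block is presumably dereferenced further down.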
@@ -339,8 +339,18 @@ func getClient(ctx context.Context, kc client.Client, impersonate bool) (client.
 return kc, nil
 }
+ fmt.Printf("impersonating: %v\n", u.GetName())
+
 if rw, ok := kc.(*cu.DelegatingClient); ok {
 return rw.Impersonate(u)
 }
 return nil, fmt.Errorf("can't impersonate client")
 }
+
+func NewUserContext(in context.Context) context.Context {
+ ctx := context.TODO()
+ if u, ok := request.UserFrom(in); ok {
+ ctx = request.WithUser(ctx, u)
+ }
+ return ctx
+}
diff --git a/pkg/registry/meta/render/storage.go b/pkg/registry/meta/render/storage.go
index fb83c41fc..bad2974f2 100644
--- a/pkg/registry/meta/render/storage.go
+++ b/pkg/registry/meta/render/storage.go
@@ -107,7 +107,7 @@ func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.Validat
 autoColumns = true
 }
- bv, err := graph.RenderPageBlock(ctx, r.kc, r.oc, req.Source, req.Block, req.ConvertToTable)
+ bv, err := graph.RenderPageBlock(graph.NewUserContext(ctx), r.kc, r.oc, req.Source, req.Block, req.ConvertToTable)
 if err != nil {
 return nil, err
 }
@@ -121,7 +121,7 @@ func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.Validat
 renderBlocks.Insert(string(k))
 }
 rv, err := graph.RenderLayout(
- ctx,
+ graph.NewUserContext(ctx),
 r.kc,
 r.oc,
 req.Source,
diff --git a/pkg/registry/meta/renderdashboard/storage.go b/pkg/registry/meta/renderdashboard/storage.go
index 0393765d2..239eff6da 100644
--- a/pkg/registry/meta/renderdashboard/storage.go
+++ b/pkg/registry/meta/renderdashboard/storage.go
@@ -132,7 +132,7 @@ func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.Validat
 }
 }
- dg, err := graph.RenderDashboard(ctx, r.kc, r.oc, rd, src, req.EmbeddedLink)
+ dg, err := graph.RenderDashboard(graph.NewUserContext(ctx), r.kc, r.oc, rd, src, req.EmbeddedLink)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/registry/meta/resourcequery/storage.go b/pkg/registry/meta/resourcequery/storage.go
index b03df2cd3..2dfa724fc 100644
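Review bot: In pkg/graph/setup.go, `fmt.Printf("impersonating: %v\n", u.GetName())` in `getClient` prints every impersonated user name to stdout unconditionally and unquoted, so it ignores log levels and a name containing a newline would split the line; drop it, or emit it through the project's leveled logger with `%q`. The new exported `NewUserContext` starts from `context.TODO()`, so the calls wrapped with it in render/storage.go, renderdashboard/storage.go and resourcequery/storage.go no longer observe request cancellation or deadlines and may keep querying the API server after the client has gone away. If detaching is intended, use `context.Background()` and state it in a doc comment such as `// NewUserContext returns a context carrying only the authenticated user from in; cancellation and deadlines are deliberately dropped.`; otherwise derive the new context from `in`. `getClient` begins outside the hunk, so what happens when no user is present in the context is not visible here.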
--- a/pkg/registry/meta/resourcequery/storage.go
+++ b/pkg/registry/meta/resourcequery/storage.go
@@ -106,7 +106,7 @@ func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.Validat
 src := kmapi.NewObjectID(&out)
 if req.OutputFormat == rsapi.OutputFormatRef {
- _, refs, err := graph.ExecRawQuery(ctx, r.kc, src.OID(), *req.Target)
+ _, refs, err := graph.ExecRawQuery(graph.NewUserContext(ctx), r.kc, src.OID(), *req.Target)
 if err != nil {
 return nil, err
 }
@@ -116,7 +116,7 @@ func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.Validat
 }
 in.Response = &runtime.RawExtension{Raw: data}
 } else {
- rid2, items, err := graph.ExecQuery(ctx, r.kc, src.OID(), *req.Target)
+ rid2, items, err := graph.ExecQuery(graph.NewUserContext(ctx), r.kc, src.OID(), *req.Target)
 if err != nil {
 return nil, err
 }
diff --git a/vendor/kmodules.xyz/client-go/client/delegated.go b/vendor/kmodules.xyz/client-go/client/delegated.go
index 445ecf09d..021e45d44 100644
--- a/vendor/kmodules.xyz/client-go/client/delegated.go
+++ b/vendor/kmodules.xyz/client-go/client/delegated.go
@@ -18,6 +18,7 @@ package client
 import (
 "context"
+ "net/http"
 "strings"
 apiutil2 "kmodules.xyz/client-go/client/apiutil"
@@ -28,6 +29,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apiserver/pkg/authentication/user"
 restclient "k8s.io/client-go/rest"
+ "k8s.io/client-go/transport"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 )
@@ -106,7 +108,20 @@ func (d *DelegatingClient) Impersonate(u user.Info) (client.Client, error) {
 Groups: u.GetGroups(),
 Extra: u.GetExtra(),
 }
- return NewClient(config, d.options)
+
+ // share the transport between all clients
+ optionsShallowCopy := d.options
+ if d.options.HTTPClient != nil {
+ optionsShallowCopy.HTTPClient = &http.Client{
+ Transport: transport.NewImpersonatingRoundTripper(transport.ImpersonationConfig{
+ UserName: u.GetName(),
+ UID: u.GetUID(),
+ Groups: u.GetGroups(),
+ Extra: u.GetExtra(),
+ }, d.options.HTTPClient.Transport),
+ }
+ }
+ return NewClient(config, optionsShallowCopy)
 }
 // GroupVersionKindFor returns the GroupVersionKind for the given object.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index d22d6c44f..78cc1de9c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -2020,7 +2020,7 @@ kmodules.xyz/authorizer/apiserver kmodules.xyz/authorizer/rbac kmodules.xyz/authorizer/rbac/helpers kmodules.xyz/authorizer/rbac/validation -# kmodules.xyz/client-go v0.30.38-0.20241117075231-750051a8f0b9 +# kmodules.xyz/client-go v0.30.38-0.20241118091954-9f659a58032e ## explicit; go 1.22.0 kmodules.xyz/client-go kmodules.xyz/client-go/api/v1