Update resource summaries only if user has permission. (#301)

Signed-off-by: Rokibul Hasan <[email protected]> Signed-off-by: Tamal Saha <[email protected]> Co-authored-by: Tamal Saha <[email protected]>
kubeops · May 31, 2024 · 643cf11 · 643cf11
1 parent 0492e26
commit 643cf11
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 12 deletions.
diff --git a/go.mod b/go.mod
@@ -43,7 +43,7 @@ require (
 	k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f
 	k8s.io/kube-state-metrics/v2 v2.7.0
 	kmodules.xyz/apiversion v0.2.0
-	kmodules.xyz/authorizer v0.29.0
+	kmodules.xyz/authorizer v0.29.1
 	kmodules.xyz/client-go v0.30.0
 	kmodules.xyz/custom-resources v0.29.1
 	kmodules.xyz/go-containerregistry v0.0.12

diff --git a/go.sum b/go.sum
@@ -907,8 +907,8 @@ k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCI
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 kmodules.xyz/apiversion v0.2.0 h1:vAQYqZFm4xu4pbB1cAdHbFEPES6EQkcR4wc06xdTOWk=
 kmodules.xyz/apiversion v0.2.0/go.mod h1:oPX8g8LvlPdPX3Yc5YvCzJHQnw3YF/X4/jdW0b1am80=
-kmodules.xyz/authorizer v0.29.0 h1:ND8YGeyzExdZ8Bq5Z6UdFO794I6+oPuXbUMWyjlsYgM=
-kmodules.xyz/authorizer v0.29.0/go.mod h1:UQmE3sNXeliebUqjEeD9QYiY+Na27/C5Bg/ekVRfQ3U=
+kmodules.xyz/authorizer v0.29.1 h1:uByGGoryKbZcfiEAhjcK/Y345I9mygNQP7DVpkMbNQQ=
+kmodules.xyz/authorizer v0.29.1/go.mod h1:kZRhclL8twzyt2bQuJQJbpYww2sc+qFr8I5PPoq/sWY=
 kmodules.xyz/client-go v0.30.0 h1:sEGX5DRXQwJiMxcN2DkDtXz9WsSA6fs9ye86RgbAxeo=
 kmodules.xyz/client-go v0.30.0/go.mod h1:ekDSUC0UFLI0Jq3A62myW7VG8TYLBqCwMjqWJM1SrqU=
 kmodules.xyz/crd-schema-fuzz v0.29.1 h1:zJTlWYOrT5dsVVHW8HGcnR/vaWfxQfNh11QwTtkYpcs=

diff --git a/pkg/registry/core/genericresource/storage.go b/pkg/registry/core/genericresource/storage.go
@@ -149,7 +149,6 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 	if !ok {
 		return nil, apierrors.NewBadRequest("missing namespace")
 	}
-
 	selector := shared.NewGroupKindSelector(options.LabelSelector)
 
 	user, ok := apirequest.UserFrom(ctx)

diff --git a/pkg/registry/core/resourcesummary/storage.go b/pkg/registry/core/resourcesummary/storage.go
@@ -157,6 +157,9 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 		if err := r.kc.List(ctx, &list, client.InNamespace(ns)); err != nil {
 			return nil, err
 		}
+
+		// hasPermission to check if the user has permission to list the resources
+		hasPermission := false
 		for _, item := range list.Items {
 			attrs.Name = item.GetName()
 			attrs.Namespace = item.GetNamespace()
@@ -168,6 +171,7 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 				continue
 			}
 
+			hasPermission = true
 			content := item.UnstructuredContent()
 			{
 				rv, err := resourcemetrics.TotalResourceRequests(content)
@@ -199,7 +203,9 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 			}
 		}
 
-		summary.Spec.Count = len(list.Items)
+		if hasPermission {
+			summary.Spec.Count = len(list.Items)
+		}
 		items = append(items, summary)
 	}
 	sort.Slice(items, func(i, j int) bool {

diff --git a/vendor/kmodules.xyz/authorizer/Makefile b/vendor/kmodules.xyz/authorizer/Makefile
@@ -55,10 +55,10 @@ BIN_PLATFORMS    := $(DOCKER_PLATFORMS)
 OS   := $(if $(GOOS),$(GOOS),$(shell go env GOOS))
 ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 
-BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian11
-BASEIMAGE_DBG    ?= debian:bullseye
+BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian12
+BASEIMAGE_DBG    ?= debian:bookworm
 
-GO_VERSION       ?= 1.21
+GO_VERSION       ?= 1.22
 BUILD_IMAGE      ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
 
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)
@@ -225,7 +225,7 @@ test: $(BUILD_DIRS)
 	        ./hack/test.sh $(SRC_PKGS)                          \
 	    "
 
-ADDTL_LINTERS   := goconst,gofmt,goimports,unparam
+ADDTL_LINTERS   := gofmt,goimports,unparam
 
 .PHONY: lint
 lint: $(BUILD_DIRS)

diff --git a/vendor/kmodules.xyz/authorizer/apiserver/authorizer.go b/vendor/kmodules.xyz/authorizer/apiserver/authorizer.go
@@ -75,5 +75,8 @@ func (a APIAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attribute
 	if sar.Status.Denied {
 		return authorizer.DecisionDeny, sar.Status.Reason, nil
 	}
-	return authorizer.DecisionNoOpinion, sar.Status.Reason, errors.New(sar.Status.EvaluationError)
+	if sar.Status.EvaluationError != "" {
+		return authorizer.DecisionNoOpinion, sar.Status.Reason, errors.New(sar.Status.EvaluationError)
+	}
+	return authorizer.DecisionNoOpinion, sar.Status.Reason, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -1913,8 +1913,8 @@ k8s.io/utils/trace
 # kmodules.xyz/apiversion v0.2.0
 ## explicit; go 1.14
 kmodules.xyz/apiversion
-# kmodules.xyz/authorizer v0.29.0
-## explicit; go 1.21.5
+# kmodules.xyz/authorizer v0.29.1
+## explicit; go 1.22.0
 kmodules.xyz/authorizer
 kmodules.xyz/authorizer/apiserver
 kmodules.xyz/authorizer/rbac