diff --git a/go.mod b/go.mod
index 2581ba562..a73e29940 100644
--- a/go.mod
+++ b/go.mod
@@ -43,7 +43,7 @@ require (
 k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f
 k8s.io/kube-state-metrics/v2 v2.7.0
 kmodules.xyz/apiversion v0.2.0
- kmodules.xyz/authorizer v0.29.0
+ kmodules.xyz/authorizer v0.29.1
 kmodules.xyz/client-go v0.30.0
 kmodules.xyz/custom-resources v0.29.1
 kmodules.xyz/go-containerregistry v0.0.12
diff --git a/go.sum b/go.sum
index c7fa45775..f8b6fb2ae 100644
--- a/go.sum
+++ b/go.sum
@@ -907,8 +907,8 @@ k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCI
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 kmodules.xyz/apiversion v0.2.0 h1:vAQYqZFm4xu4pbB1cAdHbFEPES6EQkcR4wc06xdTOWk=
 kmodules.xyz/apiversion v0.2.0/go.mod h1:oPX8g8LvlPdPX3Yc5YvCzJHQnw3YF/X4/jdW0b1am80=
-kmodules.xyz/authorizer v0.29.0 h1:ND8YGeyzExdZ8Bq5Z6UdFO794I6+oPuXbUMWyjlsYgM=
-kmodules.xyz/authorizer v0.29.0/go.mod h1:UQmE3sNXeliebUqjEeD9QYiY+Na27/C5Bg/ekVRfQ3U=
+kmodules.xyz/authorizer v0.29.1 h1:uByGGoryKbZcfiEAhjcK/Y345I9mygNQP7DVpkMbNQQ=
+kmodules.xyz/authorizer v0.29.1/go.mod h1:kZRhclL8twzyt2bQuJQJbpYww2sc+qFr8I5PPoq/sWY=
 kmodules.xyz/client-go v0.30.0 h1:sEGX5DRXQwJiMxcN2DkDtXz9WsSA6fs9ye86RgbAxeo=
 kmodules.xyz/client-go v0.30.0/go.mod h1:ekDSUC0UFLI0Jq3A62myW7VG8TYLBqCwMjqWJM1SrqU=
 kmodules.xyz/crd-schema-fuzz v0.29.1 h1:zJTlWYOrT5dsVVHW8HGcnR/vaWfxQfNh11QwTtkYpcs=
diff --git a/pkg/registry/core/genericresource/storage.go b/pkg/registry/core/genericresource/storage.go
index e0b780c31..22ada1bd9 100644
--- a/pkg/registry/core/genericresource/storage.go
+++ b/pkg/registry/core/genericresource/storage.go
@@ -149,7 +149,6 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 if !ok { return nil, apierrors.NewBadRequest("missing namespace") } - selector := shared.NewGroupKindSelector(options.LabelSelector) user, ok := apirequest.UserFrom(ctx)
diff --git a/pkg/registry/core/resourcesummary/storage.go b/pkg/registry/core/resourcesummary/storage.go
index f24d5cfdc..f82cc49ac 100644
--- a/pkg/registry/core/resourcesummary/storage.go
+++ b/pkg/registry/core/resourcesummary/storage.go
@@ -157,6 +157,9 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 if err := r.kc.List(ctx, &list, client.InNamespace(ns)); err != nil {
 return nil, err
 }
+
+ // hasPermission to check if the user has permission to list the resources
+ hasPermission := false
 for _, item := range list.Items {
 attrs.Name = item.GetName()
 attrs.Namespace = item.GetNamespace()
@@ -168,6 +171,7 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 continue
 }
+ hasPermission = true
 content := item.UnstructuredContent()
 {
 rv, err := resourcemetrics.TotalResourceRequests(content)
@@ -199,7 +203,9 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 }
 }
- summary.Spec.Count = len(list.Items)
+ if hasPermission {
+ summary.Spec.Count = len(list.Items)
+ }
 items = append(items, summary)
 }
 sort.Slice(items, func(i, j int) bool {
diff --git a/vendor/kmodules.xyz/authorizer/Makefile b/vendor/kmodules.xyz/authorizer/Makefile
index da7927bcf..af8b82cef 100644
--- a/vendor/kmodules.xyz/authorizer/Makefile
+++ b/vendor/kmodules.xyz/authorizer/Makefile
@@ -55,10 +55,10 @@ BIN_PLATFORMS := $(DOCKER_PLATFORMS)
 OS := $(if $(GOOS),$(GOOS),$(shell go env GOOS))
 ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
-BASEIMAGE_PROD ?= gcr.io/distroless/static-debian11
-BASEIMAGE_DBG ?= debian:bullseye
+BASEIMAGE_PROD ?= gcr.io/distroless/static-debian12
+BASEIMAGE_DBG ?= debian:bookworm
-GO_VERSION ?= 1.21
+GO_VERSION ?= 1.22
 BUILD_IMAGE ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)
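Review bot: In pkg/registry/core/resourcesummary/storage.go the last hunk still assigns `summary.Spec.Count = len(list.Items)`, the size of the whole namespace listing, although the loop skips denied items with `continue`; a caller permitted on a single object would then, as far as these hunks show, still be told how many objects it may not see. Counting only what passed the check closes that: `allowed := 0` in place of `hasPermission := false`, `allowed++` in place of `hasPermission = true`, and `summary.Spec.Count = allowed`. The authorization call sits between the hunks and is not visible here, so this rests on the `continue` path alone. The summary is also still appended when nothing was permitted, which is worth confirming as intended, and the new comment would read better as `// hasPermission records whether at least one listed item passed the authorization check.` List's body starts and ends outside these hunks.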
@@ -225,7 +225,7 @@ test: $(BUILD_DIRS)
 ./hack/test.sh $(SRC_PKGS) \
 "
-ADDTL_LINTERS := goconst,gofmt,goimports,unparam
+ADDTL_LINTERS := gofmt,goimports,unparam
 .PHONY: lint
 lint: $(BUILD_DIRS)
diff --git a/vendor/kmodules.xyz/authorizer/apiserver/authorizer.go b/vendor/kmodules.xyz/authorizer/apiserver/authorizer.go
index 29813e053..d50935169 100644
--- a/vendor/kmodules.xyz/authorizer/apiserver/authorizer.go
+++ b/vendor/kmodules.xyz/authorizer/apiserver/authorizer.go
@@ -75,5 +75,8 @@ func (a APIAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attribute
 if sar.Status.Denied {
 return authorizer.DecisionDeny, sar.Status.Reason, nil
 }
- return authorizer.DecisionNoOpinion, sar.Status.Reason, errors.New(sar.Status.EvaluationError)
+ if sar.Status.EvaluationError != "" {
+ return authorizer.DecisionNoOpinion, sar.Status.Reason, errors.New(sar.Status.EvaluationError)
+ }
+ return authorizer.DecisionNoOpinion, sar.Status.Reason, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 8abad1098..e3d08fb79 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1913,8 +1913,8 @@ k8s.io/utils/trace
 # kmodules.xyz/apiversion v0.2.0
 ## explicit; go 1.14
 kmodules.xyz/apiversion
-# kmodules.xyz/authorizer v0.29.0
-## explicit; go 1.21.5
+# kmodules.xyz/authorizer v0.29.1
+## explicit; go 1.22.0
 kmodules.xyz/authorizer
 kmodules.xyz/authorizer/apiserver
 kmodules.xyz/authorizer/rbac