Skip to content

Commit

Permalink
the cluster-admin should be respected for the propagated appsub (#391)
Browse files Browse the repository at this point in the history 
Signed-off-by: Xiangjing Li <xiangli@redhat.com>
  • Loading branch information
@xiangjingli
xiangjingli authored Feb 21, 2024
1 parent 3975885 commit dd8f192
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 5 deletions.
15 changes: 12 additions & 3 deletions pkg/utils/gitrepo.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -934,9 +934,12 @@ func IsClusterAdmin(client client.Client, sub *appv1.Subscription, eventRecorder
}
}

// If subscription has cluster-admin:true and propagated from hub and cannot find the webhook, we know we are
// on the managed cluster so trust the annotations to decide that the subscription is from subscription-admin.
// But the subscription can also be propagated to the self-managed hub cluster.
// When the appsub has hosting-subscription annotation, the cluster-admin: true annotation is always respected, including 3 cases:
// 1: the appsub is on the managed cluster propagated by a hub appsub, there is no ocm-mutating-webhook found in the current cluster
// 2: the appsub is on the hub containing -local name suffix, the appsub is propagated by a hub appsub.
// 3: the appsub is on the hub not containing -local name suffix, the appsub is propagated by a hub sub of sub.
isHubSubOfHubSub := isSubPropagatedFromHub && doesWebhookExist && !strings.HasSuffix(sub.GetName(), "-local")

if isClusterAdminAnnotationTrue && isSubPropagatedFromHub {
if !doesWebhookExist || // not on the hub cluster
(doesWebhookExist && strings.HasSuffix(sub.GetName(), "-local")) { // on the hub cluster and the subscription has -local suffix
Expand All @@ -945,6 +948,12 @@ func IsClusterAdmin(client client.Client, sub *appv1.Subscription, eventRecorder
"Role was elevated to cluster admin for subscription "+sub.Name, nil)
}

isClusterAdmin = true
} else if isHubSubOfHubSub { // hub appsub of a hub appsub
if eventRecorder != nil {
eventRecorder.RecordEvent(sub, "RoleElevation",
"Role was elevated to cluster admin for hub subscription of hub subscription "+sub.Name, nil)
}
isClusterAdmin = true
}
} else if isUserSubAdmin {
Expand Down
22 changes: 20 additions & 2 deletions pkg/utils/gitrepo_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -646,6 +646,9 @@ func TestIsClusterAdminLocal(t *testing.T) {

// The mutation webhook does not exist.

// Don't specify hosting-subscription annotation
// Don't specify cluster-admin annotation
// In this case, IsClusterAdmin is expected to return false
subscriptionYAML := `apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
Expand All @@ -662,6 +665,9 @@ spec:

g.Expect(IsClusterAdmin(c, subscription, nil)).To(gomega.BeFalse())

// specify hosting-subscription annotation
// Don't specify cluster-admin annotation
// In this case, IsClusterAdmin is expected to return false
subscriptionYAML = `apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
Expand All @@ -680,6 +686,9 @@ spec:

g.Expect(IsClusterAdmin(c, subscription, nil)).To(gomega.BeFalse())

// specify hosting-subscription annotation
// specify cluster-admin annotation to be false
// In this case, IsClusterAdmin is expected to return false
subscriptionYAML = `apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
Expand All @@ -699,6 +708,9 @@ spec:

g.Expect(IsClusterAdmin(c, subscription, nil)).To(gomega.BeFalse())

// specify hosting-subscription annotation
// specify cluster-admin annotation to be true
// In this case, IsClusterAdmin is expected to return true
subscriptionYAML = `apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
Expand All @@ -718,6 +730,9 @@ spec:

g.Expect(IsClusterAdmin(c, subscription, nil)).To(gomega.BeTrue())

// Don't specify hosting-subscription annotation
// specify cluster-admin annotation to be true
// In this case, IsClusterAdmin is expected to return false
subscriptionYAML = `apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
Expand All @@ -735,7 +750,10 @@ spec:
g.Expect(err).NotTo(gomega.HaveOccurred())

g.Expect(IsClusterAdmin(c, subscription, nil)).To(gomega.BeFalse())

// specify ocm-mutating-webhook webhook to indicate the appsub is on hub
// specify hosting-subscription annotation
// specify cluster-admin annotation to be true
// In this case, IsClusterAdmin is expected to return true
webhookYAML := `apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
Expand Down Expand Up @@ -780,7 +798,7 @@ metadata:
err = yaml.Unmarshal([]byte(subscriptionYAML), &subscription)
g.Expect(err).NotTo(gomega.HaveOccurred())

g.Expect(IsClusterAdmin(c, subscription, nil)).To(gomega.BeFalse())
g.Expect(IsClusterAdmin(c, subscription, nil)).To(gomega.BeTrue())
}

func TestIsClusterAdminRemote(t *testing.T) {
Expand Down

0 comments on commit dd8f192

Please sign in to comment.