devscope.io

πŸ› Only delete ClusterRoles and ClusterRoleBindings when Workspace finalizer is removed

kcp-dev/kcp

Issue

Summary

Drops the cleanup of ClusterRoles and ClusterRoleBindings from the projected Workspace deletion handler. Because Workspace is typically deleted immediately, but the underlying ClusterWorkspace may take longer to clean up, or may never get cleaned up, we want to continue to allow users to access the terminating workspace to observe resources within it.

Signed-off-by: hasheddan [email protected]

Updates the ClusterWorkspace deletion controller to delete ClusterRoles and ClusterRoleBindings associated with a Workspace as a final step before removing the Workspace finalizer. This ensures that users are able to access the contents of a Workspace during termination and only have access removed when the Workspace is actually removed.

Signed-off-by: hasheddan [email protected]

I was able to reproduce the behavior described in https://github.com/kcp-dev/kcp/issues/1964 prior to the patch set in this PR:

πŸ€– (kcp) k ws use '~'
Current workspace is "root:users:py:ov:user".
πŸ€– (kcp) k ws tree
.
└── user

 πŸ€– (kcp) k ws create child
Workspace "child" (type root:universal) created. Waiting for it to be ready...
Workspace "child" (type root:universal) is ready to use.
πŸ€– (kcp) k get ws
NAME    TYPE        PHASE   URL
child   universal   Ready   https://192.168.1.189:6443/clusters/root:users:py:ov:user:child
πŸ€– (kcp) go run ./cmd/kubectl-workspace/ tree
.
└── user
    └── child

πŸ€– (kcp) k ws use child
Current workspace is "root:users:py:ov:user:child" (type "root:universal").
πŸ€– (kcp) k create ns cool-ns
namespace/cool-ns created
πŸ€– (kcp) k edit ns cool-ns
namespace/cool-ns edited
πŸ€– (kcp) k get ns
NAME      STATUS   AGE
cool-ns   Active   62s
default   Active   91s
πŸ€– (kcp) k ws use '~'
Current workspace is "root:users:py:ov:user".
πŸ€– (kcp) k get ws
NAME    TYPE        PHASE   URL
child   universal   Ready   https://192.168.1.189:6443/clusters/root:users:py:ov:user:child
πŸ€– (kcp) k delete ns child
Error from server (NotFound): namespaces "child" not found
πŸ€– (kcp) k delete ws child
workspace.tenancy.kcp.dev "child" deleted
πŸ€– (kcp) k get ws
NAME    TYPE        PHASE      URL
child   universal   Deleting   https://192.168.1.189:6443/clusters/root:users:py:ov:user:child
πŸ€– (kcp) k ws use child
error checking APIBindings: apibindings.apis.kcp.dev is forbidden: User "user" cannot list resource "apibindings" in API group "apis.kcp.dev" at the cluster scope: workspace access not permittedCurrent workspace is "root:users:py:ov:user:child" (type "root:universal").

After applying patches, behavior matches what is expected:

πŸ€– (kcp) k ws use '~'
Current workspace is "root:users:py:ov:user".
πŸ€– (kcp) k ws tree
.
└── user

πŸ€– (kcp) k ws create child
Workspace "child" (type root:universal) created. Waiting for it to be ready...
Workspace "child" (type root:universal) is ready to use.
πŸ€– (kcp) k ws use child
Current workspace is "root:users:py:ov:user:child" (type "root:universal").
πŸ€– (kcp) k get ns
NAME      STATUS   AGE
default   Active   26s
πŸ€– (kcp) k create ns cool-ns
namespace/cool-ns created
πŸ€– (kcp) k edit ns cool-ns
namespace/cool-ns edited
πŸ€– (kcp) k get ns
NAME      STATUS   AGE
cool-ns   Active   28s
default   Active   60s
πŸ€– (kcp) k ws use '~'
Current workspace is "root:users:py:ov:user".
πŸ€– (kcp) k get ws
NAME    TYPE        PHASE   URL
child   universal   Ready   https://192.168.1.189:6443/clusters/root:users:py:ov:user:child
πŸ€– (kcp) k delete ws child
workspace.tenancy.kcp.dev "child" deleted
πŸ€– (kcp) k get ws
NAME    TYPE        PHASE      URL
child   universal   Deleting   https://192.168.1.189:6443/clusters/root:users:py:ov:user:child
πŸ€– (kcp) k ws use child
Current workspace is "root:users:py:ov:user:child" (type "root:universal").
πŸ€– (kcp) k get ns
NAME      STATUS        AGE
cool-ns   Terminating   56s

Related issue(s)

Fixes https://github.com/kcp-dev/kcp/issues/1964

2022-10-02 01:24:42


Add a Comment


Top 3 Comments

  openshift-ci[bot] answered on 2022-10-03 15:07:23

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncdc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kcp-dev/kcp/blob/main/OWNERS)~~ [ncdc] - ~~[pkg/apis/OWNERS](https://github.com/kcp-dev/kcp/blob/main/pkg/apis/OWNERS)~~ [ncdc] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
0 positive reactions.
  sttts answered on 2022-10-03 09:00:43

/ok-to-test

0 positive reactions.
  openshift-ci[bot] answered on 2022-10-02 01:24:54

Hi @hasheddan. Thanks for your PR.

I'm waiting for a kcp-dev member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
0 positive reactions.

Repo Information


Age 1yr
Vendor kcp-dev
Repo Name kcp
Primary Language Go
Default Branch main
Last Update 17 hours ago

Similar Issues

πŸ’Ύ kcp :sparkles: Front proxy user gating πŸ’¬ 3 open πŸ—“οΈ 3 weeks ago
πŸ’Ύ kcp :seedling: test-server: split New/Start/Ready phases πŸ’¬ 8 open πŸ—“οΈ 4 weeks ago
πŸ’Ύ kcp :bug: Clean up shadow CRDs after API bindings are deleted πŸ’¬ 3 open πŸ—“οΈ 4 weeks ago
πŸ’Ύ kcp :seedling: sharded-test-server: consistently use workDirPath πŸ’¬ 3 closed πŸ—“οΈ 4 weeks ago
πŸ’Ύ kcp πŸ› Fix: watch a certain synctarget only πŸ’¬ 4 closed πŸ—“οΈ 1 month ago
πŸ’Ύ kcp :sparkles: one DNS nameserver per workspace πŸ’¬ 3 open πŸ—“οΈ 1 month ago