Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[plugin] use namespace to get the PodDisruptionBudgetList #4530

Merged
merged 4 commits into from
May 15, 2024
Merged

[plugin] use namespace to get the PodDisruptionBudgetList #4530

merged 4 commits into from
May 15, 2024

Conversation

HaveFun83
Copy link
Contributor

@HaveFun83 HaveFun83 commented May 14, 2024
edited by leonardoce

This PR mitigate the behavior of kubectl cnpg status when the user don't have sufficient rights to list poddisruptionbudgets at the cluster scrope an error and the cnpg status output will be displayed.

example output

❯ kubectl cnpg status -n db-test db-test  --as-group namespace-admin --as foobar
poddisruptionbudgets.policy is forbidden: User "foobar" cannot list resource "poddisruptionbudgets" in API group "policy" at the cluster scope
Cluster Summary
Name:                db-test
Namespace:           db-test
System ID:           7237111851009441825
PostgreSQL Image:    cloudnative-pg/postgresql:14.8-4
Primary instance:    db-test-1
Primary start time:  2024-04-25 16:11:26 +0000 UTC (uptime 451h23m46s)
Status:              Cluster in healthy state 
Instances:           2
Ready instances:     2
Current Write LSN:   0/31000000 (Timeline: 11 - WAL File: 0000000B0000000000000030)
<omit>

Fixes #4522

@HaveFun83 HaveFun83 requested a review from a team as a code owner May 14, 2024 11:46
@github-actions github-actions bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.21 release-1.22 release-1.23 labels May 14, 2024
@github-actions GitHub Actions
Copy link
Contributor

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this pr, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this pr to a certain release branch, remove the specific branch label: release-x.y

@HaveFun83
Copy link
Contributor Author

i think b4c24da fixed it in a better way as the namespace is mandatory to get the cluster status. Now also non cluster-admin users are able to receive the correct pdb status.

@HaveFun83 HaveFun83 changed the title [plugin] only print an error when PodDisruptionBudgetList fail [plugin] use namespace to get the PodDisruptionBudgetList May 14, 2024
@smartbit
Copy link

github-actions added backport-requested ◀️ release-1.21 ◀️release-1.22 ◀️ release-1.23

As these lines are added to internal/cmd/plugin/status/status.go in 1.22.2..1.22.3

157 var pdbl policyv1.PodDisruptionBudgetList
158 if err := plugin.Client.List(ctx, &pdbl, client.MatchingLabels{utils.ClusterLabelName: clusterName}); err != nil {
159		return nil, fmt.Errorf("while extracting PodDisruptionBudgetList: %w", err)
160 }

it can be backported to

  • 1.22.3
  • 1.23.0
  • 1.23.1

@leonardoce leonardoce self-assigned this May 14, 2024
@leonardoce
Copy link
Contributor

Hi @HaveFun83, thank you for contributing to CNPG!
Can you please fix the issues raised by the linter?

@HaveFun83
Copy link
Contributor Author

sure i will try

@leonardoce leonardoce force-pushed the cnpg_pdb_status_fix branch 2 times, most recently from 948b21c to 3b08dc8 Compare May 15, 2024 11:22
@leonardoce
Copy link
Contributor

Started an E2e test run on the EDB repo to save some OSS workers: https://github.com/EnterpriseDB/cloudnative-pg/actions/runs/9094968817

@HaveFun83
Copy link
Contributor Author

HaveFun83 commented May 15, 2024
edited

@leonardoce thanks a lot for your support

@leonardoce
Copy link
Contributor

E2e tests are green

HaveFun83 and others added 4 commits May 15, 2024 15:57
@HaveFun83 @leonardoce
[plugin] only print an error when PodDisruptionBudgetList fail
098cc5a 
Signed-off-by: HaveFun83 <38665716+HaveFun83@users.noreply.github.com>
@HaveFun83 @leonardoce
[plugin] recognise namespace to get PodDisruptionBudgetList
2d84541 
Signed-off-by: HaveFun83 <38665716+HaveFun83@users.noreply.github.com>
@HaveFun83 @leonardoce
[plugin] fix linter
b9cc187 
Signed-off-by: HaveFun83 <38665716+HaveFun83@users.noreply.github.com>
@leonardoce
chore: cosmetic
f9bfc6b 
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@leonardoce
Copy link
Contributor

Looks good to me. Waiting for another maintainer to review it.

@leonardoce leonardoce removed their assignment May 15, 2024
@leonardoce leonardoce self-assigned this May 15, 2024
@leonardoce
Copy link
Contributor

/ok-to-merge e2e tests are green

@cnpg-bot cnpg-bot added the ok to merge 👌 This PR can be merged label May 15, 2024
@leonardoce leonardoce merged commit 7420aed into cloudnative-pg:main May 15, 2024
28 of 29 checks passed
cnpg-bot pushed a commit that referenced this pull request May 15, 2024
@HaveFun83
fix: kubectl cnpg status PDB list (#4530)
49b33f6 
In the kubectl plugin, when getting the list of PodDisruptionBudgets,
the code wasn't restricting the selection to the namespace where
the target Cluster resource has been created.

This patch fixes that, with the added benefit of restricting the set
of privileges needed by the user.

Fixes #4522

Signed-off-by: HaveFun83 <38665716+HaveFun83@users.noreply.github.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
(cherry picked from commit 7420aed)
cnpg-bot pushed a commit that referenced this pull request May 15, 2024
@HaveFun83
fix: kubectl cnpg status PDB list (#4530)
8cb7fb0 
In the kubectl plugin, when getting the list of PodDisruptionBudgets,
the code wasn't restricting the selection to the namespace where
the target Cluster resource has been created.

This patch fixes that, with the added benefit of restricting the set
of privileges needed by the user.

Fixes #4522

Signed-off-by: HaveFun83 <38665716+HaveFun83@users.noreply.github.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
(cherry picked from commit 7420aed)
cnpg-bot pushed a commit that referenced this pull request May 15, 2024
@HaveFun83
fix: kubectl cnpg status PDB list (#4530)
1b899cf 
In the kubectl plugin, when getting the list of PodDisruptionBudgets,
the code wasn't restricting the selection to the namespace where
the target Cluster resource has been created.

This patch fixes that, with the added benefit of restricting the set
of privileges needed by the user.

Fixes #4522

Signed-off-by: HaveFun83 <38665716+HaveFun83@users.noreply.github.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
(cherry picked from commit 7420aed)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnencia mnencia mnencia approved these changes

@leonardoce leonardoce leonardoce approved these changes

Assignees

@leonardoce leonardoce

Labels
backport-requested ◀️ This pull request should be backported to all supported releases ok to merge 👌 This PR can be merged release-1.21 release-1.22 release-1.23
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: Kubectl cnpg status forbidden for non cluster-admins
5 participants
@HaveFun83 @smartbit @leonardoce @mnencia @cnpg-bot