fix(generic-tracker): improve logging + few possible fixes

Signed-off-by: Ilya Lesikov <ilya@lesikov.com>
werf · Jul 21, 2022 · 3524520 · 3524520
1 parent a14a35a
commit 3524520
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 15 deletions.
diff --git a/pkg/tracker/generic/resource_events_watcher.go b/pkg/tracker/generic/resource_events_watcher.go
@@ -50,7 +50,7 @@ func (i *ResourceEventsWatcher) Run(ctx context.Context, eventsCh chan<- *corev1
 	fieldsSet, eventsNs := utils.EventFieldSelectorFromUnstructured(i.object)
 
 	for _, verb := range []string{"list", "watch"} {
-		if response, err := i.client.AuthorizationV1().SelfSubjectAccessReviews().Create(
+		response, err := i.client.AuthorizationV1().SelfSubjectAccessReviews().Create(
 			ctx,
 			&authorizationv1.SelfSubjectAccessReview{
 				Spec: authorizationv1.SelfSubjectAccessReviewSpec{
@@ -63,10 +63,20 @@ func (i *ResourceEventsWatcher) Run(ctx context.Context, eventsCh chan<- *corev1
 				},
 			},
 			metav1.CreateOptions{},
-		); err != nil {
+		)
+
+		if debug.Debug() {
+			if err != nil {
+				fmt.Printf("SelfSubjectAccessReview error for %q: %+v\n", i.ResourceID, err)
+			} else {
+				fmt.Printf("SelfSubjectAccessReview for %q: %+v\n", i.ResourceID, response)
+			}
+		}
+
+		if err != nil {
 			logboek.Context(context.Background()).Default().LogF("Won't track %q events: error checking %q access: %s\n", i.ResourceID, verb, err)
 			return nil
-		} else if !response.Status.Allowed {
+		} else if !response.Status.Allowed || response.Status.Denied {
 			logboek.Context(context.Background()).Default().LogF("Won't track %q events: no %q access.\n", i.ResourceID, verb)
 			return nil
 		}

diff --git a/pkg/tracker/generic/resource_state_watcher.go b/pkg/tracker/generic/resource_state_watcher.go
@@ -10,6 +10,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
@@ -51,31 +52,41 @@ func (w *ResourceStateWatcher) Run(ctx context.Context, resourceAddedCh, resourc
 	}
 
 	for _, verb := range []string{"list", "watch"} {
-		if response, err := w.client.AuthorizationV1().SelfSubjectAccessReviews().Create(
+		response, err := w.client.AuthorizationV1().SelfSubjectAccessReviews().Create(
 			ctx,
 			&authorizationv1.SelfSubjectAccessReview{
 				Spec: authorizationv1.SelfSubjectAccessReviewSpec{
 					ResourceAttributes: &authorizationv1.ResourceAttributes{
 						Verb:      verb,
 						Resource:  gvr.Resource,
 						Namespace: w.ResourceID.Namespace,
-						Group:     w.ResourceID.GroupVersionKind.Group,
-						Version:   w.ResourceID.GroupVersionKind.Version,
+						Group:     gvr.Group,
+						Version:   gvr.Version,
 						Name:      w.ResourceID.Name,
 					},
 				},
 			},
 			metav1.CreateOptions{},
-		); err != nil {
+		)
+
+		if debug.Debug() {
+			if err != nil {
+				fmt.Printf("SelfSubjectAccessReview error for %q: %+v\n", w.ResourceID, err)
+			} else {
+				fmt.Printf("SelfSubjectAccessReview for %q: %+v\n", w.ResourceID, response)
+			}
+		}
+
+		if err != nil {
 			logboek.Context(context.Background()).Warn().LogF("Won't track %q: error checking %q access: %s\n", w.ResourceID, verb, err)
 			return nil
-		} else if !response.Status.Allowed {
+		} else if !response.Status.Allowed || response.Status.Denied {
 			logboek.Context(context.Background()).Warn().LogF("Won't track %q: no %q access.\n", w.ResourceID, verb)
 			return nil
 		}
 	}
 
-	resClient, err := w.resourceClient()
+	resClient, err := w.resourceClient(gvr)
 	if err != nil {
 		return fmt.Errorf("error getting resource client: %w", err)
 	}
@@ -95,6 +106,10 @@ func (w *ResourceStateWatcher) Run(ctx context.Context, resourceAddedCh, resourc
 		},
 	}
 
+	if debug.Debug() {
+		fmt.Printf("      %s resource watcher STARTED\n", w.ResourceID)
+	}
+
 	_, err = watchtools.UntilWithSync(ctx, listWatch, &unstructured.Unstructured{}, nil,
 		func(event watch.Event) (bool, error) {
 			if debug.Debug() {
@@ -123,12 +138,7 @@ func (w *ResourceStateWatcher) Run(ctx context.Context, resourceAddedCh, resourc
 	return tracker.AdaptInformerError(err)
 }
 
-func (w *ResourceStateWatcher) resourceClient() (dynamic.ResourceInterface, error) {
-	gvr, err := w.ResourceID.GroupVersionResource(w.mapper)
-	if err != nil {
-		return nil, fmt.Errorf("error getting GroupVersionResource: %w", err)
-	}
-
+func (w *ResourceStateWatcher) resourceClient(gvr *schema.GroupVersionResource) (dynamic.ResourceInterface, error) {
 	resClient := w.dynamicClient.Resource(*gvr)
 
 	if namespaced, err := w.ResourceID.Namespaced(w.mapper); err != nil {