InAnyNamespace uses invalid api endpoint for SelfSubjectAccessReviews #2265

Closed
junweiyu opened this issue Jun 3, 2020 · 3 comments · Fixed by #2400


junweiyu commented Jun 3, 2020

I am trying to verify if the current context user has permissions to create a deployment in a given namespace

// Client for the cluster in the current context
KubernetesClient client = new DefaultKubernetesClient(new ConfigBuilder().withMasterUrl(masterUrl).build());

// Ask the API server whether the current user may "create" in namespace "test";
// the namespace belongs in spec.resourceAttributes, not in the request path
SelfSubjectAccessReview review = new SelfSubjectAccessReviewBuilder().withNewSpec()
    .withNewResourceAttributes()
    .withNamespace("test")
    .withResource("deployment")
    .withVerb("create")
    .endResourceAttributes()
    .endSpec()
    .build();
review = client.subjectAccessReviewAuth().inAnyNamespace().create(review);

Which causes this error

Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://kubernetes.docker.internal:6443/apis/authorization.k8s.io/v1/namespaces/test/selfsubjectaccessreviews. Message: the server could not find the requested resource. Received status: Status(apiVersion=v1, code=404, details=StatusDetails(causes=[], group=null, kind=null, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=the server could not find the requested resource, metadata=ListMeta(_continue=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=NotFound, status=Failure, additionalProperties={}).

It seems like there shouldn't be a /namespaces/ in the endpoint as
Running kubectl --v=8 auth can-i create deployments --namespace test shows that the endpoint is https://kubernetes.docker.internal:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews.

Is there a reason namespaces is set to true when instantiating a Createable for inAnyNamespace as seen here?

public Createable<SelfSubjectAccessReview, SelfSubjectAccessReview, DoneableSelfSubjectAccessReview> inAnyNamespace() {
    return (new SubjectAccessReviewDSLImpl(this.context, namespace, "selfsubjectaccessreviews", true)).self();
}

since that is what seems to be causing the endpoint to include /namespaces/
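An added example, not code from the issue or from the fabric8 project: a small Python model of the path rule this report is about (SelfSubjectAccessReview is cluster-scoped, so the namespace goes in spec.resourceAttributes and never into a /namespaces/ URL segment), together with the three-way decision a caller should read from the returned status. Function and constant names, and the sample status, are my own constructions.

```python
from typing import Optional

# Cluster-scoped resources never take a /namespaces/<ns>/ path segment.
# SelfSubjectAccessReview is one of them; its namespace is an attribute of
# the question being asked, not of the object's location.
CLUSTER_SCOPED = {
    ("authorization.k8s.io", "selfsubjectaccessreviews"),
    ("authorization.k8s.io", "subjectaccessreviews"),
    ("authorization.k8s.io", "selfsubjectrulesreviews"),
}


def api_path(group: str, version: str, resource: str, namespace: Optional[str]) -> str:
    """Collection path a client should POST to for the given resource."""
    prefix = f"/api/{version}" if group == "" else f"/apis/{group}/{version}"
    if (group, resource) in CLUSTER_SCOPED:
        # Cluster-scoped: a namespace must not leak into the URL (that is the 404 in the issue).
        return f"{prefix}/{resource}"
    if namespace is None:
        raise ValueError("Namespace not specified. But operation requires namespace.")
    return f"{prefix}/namespaces/{namespace}/{resource}"


def build_ssar(group: str, resource: str, verb: str, namespace: str) -> dict:
    """Body asking: may the current user do <verb> on <resource> in <namespace>?"""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {
            "resourceAttributes": {
                "group": group,
                "resource": resource,  # plural RBAC resource name, e.g. "deployments"
                "verb": verb,
                "namespace": namespace,  # the only place the namespace belongs
            }
        },
    }


def decision(status: dict) -> str:
    """Reduce an SSAR status to the API's three outcomes: allowed, denied, no-opinion."""
    if status.get("allowed"):
        return "allowed"
    if status.get("denied"):
        return "denied"
    return "no-opinion"  # nothing allowed it, but nothing explicitly denied it either


# Constructed sample of a status the API server might return (not real output).
SAMPLE_STATUS = {"allowed": True, "reason": "RBAC: allowed by RoleBinding (constructed sample)"}
```

Only "allowed" should be treated as permission; "no-opinion" must be handled as a deny by any caller gating an action on the review.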

@rohanKanojia
Member

I think we need to revisit SubjectAccessReview support. I also noticed a few abnormalities in its implementation and filed #2191. Thanks for reporting this. We would take a look at this in coming sprints.

@manusa manusa added the bug label Jun 19, 2020
@jorsol
Contributor

jorsol commented Jul 1, 2020

The error I'm getting is "Namespace not specified. But operation requires namespace":

io.fabric8.kubernetes.client.KubernetesClientException: Namespace not specified. But operation requires namespace.
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.checkNamespace(OperationSupport.java:175)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:250)
	at io.fabric8.kubernetes.client.dsl.internal.SubjectAccessReviewDSLImpl.access$400(SubjectAccessReviewDSLImpl.java:40)
	at io.fabric8.kubernetes.client.dsl.internal.SubjectAccessReviewDSLImpl$CreatableSelfSubjectAccessReview.create(SubjectAccessReviewDSLImpl.java:225)
	at io.fabric8.kubernetes.client.dsl.internal.SubjectAccessReviewDSLImpl$CreatableSelfSubjectAccessReview.create(SubjectAccessReviewDSLImpl.java:236)
	at io.fabric8.kubernetes.client.dsl.internal.SubjectAccessReviewDSLImpl$CreatableSelfSubjectAccessReview.create(SubjectAccessReviewDSLImpl.java:217)

But if I set the namespace in the metadata of SelfSubjectAccessReview:

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://127.0.0.1:32768/apis/authorization.k8s.io/v1/namespaces/test/selfsubjectaccessreviews. Message: the server could not find the requested resource. Received status: Status(apiVersion=v1, code=404, details=StatusDetails(causes=[], group=null, kind=null, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=the server could not find the requested resource, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=NotFound, status=Failure, additionalProperties={}).
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:568)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:507)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:471)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:430)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:251)
	at io.fabric8.kubernetes.client.dsl.internal.SubjectAccessReviewDSLImpl.access$400(SubjectAccessReviewDSLImpl.java:40)
	at io.fabric8.kubernetes.client.dsl.internal.SubjectAccessReviewDSLImpl$CreatableSelfSubjectAccessReview.create(SubjectAccessReviewDSLImpl.java:225)
	at io.fabric8.kubernetes.client.dsl.internal.SubjectAccessReviewDSLImpl$CreatableSelfSubjectAccessReview.create(SubjectAccessReviewDSLImpl.java:236)
	at io.fabric8.kubernetes.client.dsl.internal.SubjectAccessReviewDSLImpl$CreatableSelfSubjectAccessReview.create(SubjectAccessReviewDSLImpl.java:217)

This bug makes SelfSubjectAccessReview useless.

@rohanKanojia rohanKanojia self-assigned this Aug 11, 2020
rohanKanojia added a commit to rohanKanojia/kubernetes-client that referenced this issue Aug 11, 2020
rohanKanojia added a commit to rohanKanojia/kubernetes-client that referenced this issue Aug 12, 2020
+ Added new entrypoint authorization() into DSL which only allows create() operations
+ Removed old subjectAccessReviewAuth() API

This should also fix fabric8io#2191
@rohanKanojia
Member

I have created a PR to fix this issue. I have removed the old API (not sure it was usable before). Now you can access SelfSubjectAccessReview like this:

try (KubernetesClient client = new DefaultKubernetesClient()) {
    SelfSubjectAccessReview ssar = new SelfSubjectAccessReviewBuilder()
            .withNewSpec()
            .withNewResourceAttributes()
            .withGroup("apps")
            .withResource("deployments")
            .withVerb("create")
            .withNamespace("dev")
            .endResourceAttributes()
            .endSpec()
            .build();

    ssar = client.authorization().v1().selfSubjectAccessReview().create(ssar);

    System.out.println("Allowed: "+  ssar.getStatus().getAllowed());
}

rohanKanojia added a commit to rohanKanojia/kubernetes-client that referenced this issue Aug 12, 2020
rohanKanojia added a commit to rohanKanojia/kubernetes-client that referenced this issue Aug 12, 2020
rohanKanojia added a commit to rohanKanojia/kubernetes-client that referenced this issue Aug 19, 2020
rohanKanojia added a commit to rohanKanojia/kubernetes-client that referenced this issue Aug 21, 2020
rohanKanojia added a commit to rohanKanojia/kubernetes-client that referenced this issue Aug 24, 2020