Skip to content

Discover private CatalogSource only if no catalog cluster permission exists #1099

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ibm-ci-bot merged 4 commits into from
Nov 29, 2024
Merged

Discover private CatalogSource only if no catalog cluster permission exists #1099

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f1bcfa6
read catalogsource permission only for non-private ctrsource
Nov 27, 2024
c8a5f6b
add test case for checkResAuth function in manager.go
Nov 28, 2024
6c7c574
add create mock test or ODLMoperator
Nov 28, 2024
8a0208b
update test case
Nov 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
read catalogsource permission only for non-private ctrsource 
Signed-off-by: YuChen <[email protected]>
  • Loading branch information
YuChen committed Nov 27, 2024
commit f1bcfa634cd88cb828efe0ab030f298daa0539ce
31 changes: 31 additions & 0 deletions controllers/operator/manager.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ import (
operatorsv1 "github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/apis/operators/v1"
"github.com/pkg/errors"
"golang.org/x/mod/semver"
authorizationv1 "k8s.io/api/authorization/v1"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
Expand Down Expand Up @@ -172,11 +173,19 @@ func (m *ODLMOperator) GetCatalogSourceAndChannelFromPackage(ctx context.Context
if excludedCatalogSources != nil && util.Contains(excludedCatalogSources, pm.Status.CatalogSource) {
continue
}

hasCatalogPermission := m.CheckResAuth(ctx, namespace, "operators.coreos.com", "catalogsources", "get")
if !hasCatalogPermission {
klog.V(2).Infof("No permission to get CatalogSource %s in the namespace %s", pm.Status.CatalogSource, pm.Status.CatalogSourceNamespace)
continue
}
// Fetch the CatalogSource if cluster permission allows
catalogsource := &olmv1alpha1.CatalogSource{}
if err := m.Reader.Get(ctx, types.NamespacedName{Name: pm.Status.CatalogSource, Namespace: pm.Status.CatalogSourceNamespace}, catalogsource); err != nil {
klog.Warning(err)
continue
}

currentCatalog := CatalogSource{
Name: pm.Status.CatalogSource,
Namespace: pm.Status.CatalogSourceNamespace,
Expand Down Expand Up @@ -220,6 +229,28 @@ func (m *ODLMOperator) GetCatalogSourceAndChannelFromPackage(ctx context.Context
}
}

func (m *ODLMOperator) CheckResAuth(ctx context.Context, namespace, group, resource, verb string) bool {
sar := &authorizationv1.SubjectAccessReview{
Spec: authorizationv1.SubjectAccessReviewSpec{
ResourceAttributes: &authorizationv1.ResourceAttributes{
Namespace: namespace,
Group: group,
Resource: resource,
Verb: verb,
},
},
}
if err := m.Create(ctx, sar); err != nil {
return false
}

if !sar.Status.Allowed {
return false
}

return true
}

func channelCheck(channelName string, channelList []operatorsv1.PackageChannel) bool {
for _, channel := range channelList {
if channelName == channel.Name {
Expand Down