Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(server): don't use cluster scope list + watch in namespaced mode. Fixes #13177 #13189

Merged
merged 3 commits into from
Jun 16, 2024
Merged

fix(server): don't use cluster scope list + watch in namespaced mode. Fixes #13177 #13189

merged 3 commits into from
Jun 16, 2024

Conversation

jiachengxu
Copy link
Member

@jiachengxu jiachengxu commented Jun 14, 2024
edited
Loading

Fixes #13177

Verification

Try to apply the following manifests into a k8s cluster:

kubectl apply -n argo -f https://github.com/argoproj/argo-workflows/releases/download/v3.5.7/namespace-install.yaml

With the image built from this PR, don't see the following permission errors anymore:

14.612814 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1alpha1.Workflow: workflows.argoproj.io is forbidden: User "system:serviceaccount:argo:argo-server" cannot list resource "workflows" in API group "argoproj.io" at the cluster scope
E0614 16:39:14.612865 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1alpha1.Workflow: failed to list *v1alpha1.Workflow: workflows.argoproj.io is forbidden: User "system:serviceaccount:argo:argo-server" cannot list resource "workflows" in API group "argoproj.io" at the cluster scope

@jiachengxu jiachengxu marked this pull request as ready for review June 14, 2024 16:41
@jiachengxu
Copy link
Member Author

Hi @Joibel @agilgur5, could you take a look at the PR?

@jiachengxu jiachengxu changed the title fix: list and watch permission missing for server in namespaced mode fix: list and watch permission missing for server in namespaced mode. Fixes #13177 Jun 14, 2024
@agilgur5 agilgur5 changed the title fix: list and watch permission missing for server in namespaced mode. Fixes #13177 fix(server): don't use cluster scope list + watch in namespaced mode. Fixes #13177 Jun 14, 2024
@agilgur5 agilgur5 added this to the v3.5.x patches milestone Jun 14, 2024
agilgur5
agilgur5 reviewed Jun 14, 2024
View reviewed changes
Copy link
Member

@agilgur5 agilgur5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for fixing this, just one small comment

server/apiserver/argoserver.go Show resolved Hide resolved
pkg/apiclient/argo-kube-client.go Outdated Show resolved Hide resolved
@jiachengxu
make the namespace a pointer
56e8e45 
Signed-off-by: Jiacheng Xu <[email protected]>
agilgur5
agilgur5 reviewed Jun 16, 2024
View reviewed changes
server/workflow/workflow_server_test.go Outdated
@@ -638,7 +638,7 @@ func getWorkflowServer() (workflowpkg.WorkflowServiceServer, context.Context) {
if err = wfStore.Add(&wfObj5); err != nil {
panic(err)
}
server := NewWorkflowServer(instanceIdSvc, offloadNodeStatusRepo, archivedRepo, wfClientset, wfStore, wfStore)
server := NewWorkflowServer(instanceIdSvc, offloadNodeStatusRepo, archivedRepo, wfClientset, wfStore, wfStore, nil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wasn't this one previously correct with metav1.NamespaceAll?

With the new && namespace != nil check, this now takes a different path (but still passes apparently?)

Copy link
Member Author

@jiachengxu jiachengxu Jun 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, I think I changed it by accident and I change it back to the metav1.NamespaceAll.

With the new && namespace != nil check, this now takes a different path (but still passes apparently?)

The value of the namespace doesn't matter regarding the test because we don't start the reflector to perform list and watch in the test and we just manually add objects to the store.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But the reflector is set since the store is not nil in this case, so it would start wouldn't it? It just isn't used actively in this test

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the Run method is not called in the test, so the reflector is not started.

@agilgur5 agilgur5 self-assigned this Jun 16, 2024
@jiachengxu
fix the workflow server test
ccec14a 
Signed-off-by: Jiacheng Xu <[email protected]>
agilgur5
agilgur5 approved these changes Jun 16, 2024
View reviewed changes
Copy link
Member

@agilgur5 agilgur5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for fixing this! Will have a patch out soon!

@agilgur5 agilgur5 enabled auto-merge (squash) June 16, 2024 14:57
@agilgur5 agilgur5 merged commit 8f3860d into argoproj:main Jun 16, 2024
28 checks passed
@jiachengxu jiachengxu deleted the 13177-namespaced branch June 16, 2024 15:00
yulin-li pushed a commit to yulin-li/argo-workflows that referenced this pull request Jun 17, 2024
@jiachengxu
fix(server): don't use cluster scope list + watch in namespaced mode. F…
12c198c 
…ixes argoproj#13177 (argoproj#13189)

Signed-off-by: Jiacheng Xu <[email protected]>
Signed-off-by: Yulin Li <[email protected]>
agilgur5 pushed a commit that referenced this pull request Jun 17, 2024
@jiachengxu @agilgur5
fix(server): don't use cluster scope list + watch in namespaced mode. F…
c2204ae 
…ixes #13177 (#13189)

Signed-off-by: Jiacheng Xu <[email protected]>
(cherry picked from commit 8f3860d)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@agilgur5 agilgur5 agilgur5 approved these changes

Assignees

@agilgur5 agilgur5

Labels
area/server
Projects
None yet
Milestone
v3.5.x patches
Development

Successfully merging this pull request may close these issues.

v3.5.7: namespaced install causes the server to complain about list+watch on cluster scoped workflows
2 participants
@jiachengxu @agilgur5