diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
index d1e94fc15cc..8ff7f938e51 100644
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -65721,141 +65721,6 @@ } }, "/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions": { - "delete": { - "consumes": [ - "*/*" - ], - "description": "delete collection of CustomResourceDefinition", - "operationId": "deleteApiextensionsV1beta1CollectionLegacyTenantedCustomResourceDefinition", - "parameters": [ - { - "description": "Whether needs to watch all api server data partition. Used to for some data that is only available for one partition. Hence could fail on watching other partition Generally used in client only to indicate partial failure is allowed", - "in": "query", - "name": "allowPartialWatch", - "type": "boolean", - "uniqueItems": true - }, - { - "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.\n\nThis field is alpha and can be changed or removed without notice.", - "in": "query", - "name": "allowWatchBookmarks", - "type": "boolean", - "uniqueItems": true - }, - { - "in": "body", - "name": "body", - "schema": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions" - } - }, - { - "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. 
If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", - "in": "query", - "name": "continue", - "type": "string", - "uniqueItems": true - }, - { - "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", - "in": "query", - "name": "dryRun", - "type": "string", - "uniqueItems": true - }, - { - "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", - "in": "query", - "name": "fieldSelector", - "type": "string", - "uniqueItems": true - }, - { - "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. 
zero means delete immediately.", - "in": "query", - "name": "gracePeriodSeconds", - "type": "integer", - "uniqueItems": true - }, - { - "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", - "in": "query", - "name": "labelSelector", - "type": "string", - "uniqueItems": true - }, - { - "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", - "in": "query", - "name": "limit", - "type": "integer", - "uniqueItems": true - }, - { - "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. 
If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.", - "in": "query", - "name": "orphanDependents", - "type": "boolean", - "uniqueItems": true - }, - { - "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", - "in": "query", - "name": "propagationPolicy", - "type": "string", - "uniqueItems": true - }, - { - "description": "When specified with a watch call, shows changes that occur after that particular version of a resource. Defaults to changes from the beginning of history. When specified for list: - if unset, then the result is returned from remote storage based on quorum-read flag; - if it's 0, then we simply return what we currently have in cache, no guarantee; - if set to non zero, then the result is at least as fresh as given rv.", - "in": "query", - "name": "resourceVersion", - "type": "string", - "uniqueItems": true - }, - { - "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", - "in": "query", - "name": "timeoutSeconds", - "type": "integer", - "uniqueItems": true - }, - { - "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. 
Specify resourceVersion.", - "in": "query", - "name": "watch", - "type": "boolean", - "uniqueItems": true - } - ], - "produces": [ - "application/json", - "application/yaml", - "application/vnd.kubernetes.protobuf" - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" - } - }, - "401": { - "description": "Unauthorized" - } - }, - "schemes": [ - "https" - ], - "tags": [ - "apiextensions_v1beta1" - ], - "x-kubernetes-action": "deletecollection", - "x-kubernetes-group-version-kind": { - "group": "apiextensions.k8s.io", - "kind": "CustomResourceDefinition", - "version": "v1beta1" - } - }, "get": { "consumes": [ "*/*" 
@@ -66508,141 +66373,6 @@ } }, "/apis/apiextensions.k8s.io/v1beta1/tenants/{tenant}/customresourcedefinitions": { - "delete": { - "consumes": [ - "*/*" - ], - "description": "delete collection of CustomResourceDefinition", - "operationId": "deleteApiextensionsV1beta1CollectiontenantedCustomResourceDefinition", - "parameters": [ - { - "description": "Whether needs to watch all api server data partition. Used to for some data that is only available for one partition. Hence could fail on watching other partition Generally used in client only to indicate partial failure is allowed", - "in": "query", - "name": "allowPartialWatch", - "type": "boolean", - "uniqueItems": true - }, - { - "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.\n\nThis field is alpha and can be changed or removed without notice.", - "in": "query", - "name": "allowWatchBookmarks", - "type": "boolean", - "uniqueItems": true - }, - { - "in": "body", - "name": "body", - "schema": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions" - } - }, - { - "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. 
If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", - "in": "query", - "name": "continue", - "type": "string", - "uniqueItems": true - }, - { - "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", - "in": "query", - "name": "dryRun", - "type": "string", - "uniqueItems": true - }, - { - "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", - "in": "query", - "name": "fieldSelector", - "type": "string", - "uniqueItems": true - }, - { - "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. 
zero means delete immediately.", - "in": "query", - "name": "gracePeriodSeconds", - "type": "integer", - "uniqueItems": true - }, - { - "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", - "in": "query", - "name": "labelSelector", - "type": "string", - "uniqueItems": true - }, - { - "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", - "in": "query", - "name": "limit", - "type": "integer", - "uniqueItems": true - }, - { - "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. 
If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.", - "in": "query", - "name": "orphanDependents", - "type": "boolean", - "uniqueItems": true - }, - { - "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", - "in": "query", - "name": "propagationPolicy", - "type": "string", - "uniqueItems": true - }, - { - "description": "When specified with a watch call, shows changes that occur after that particular version of a resource. Defaults to changes from the beginning of history. When specified for list: - if unset, then the result is returned from remote storage based on quorum-read flag; - if it's 0, then we simply return what we currently have in cache, no guarantee; - if set to non zero, then the result is at least as fresh as given rv.", - "in": "query", - "name": "resourceVersion", - "type": "string", - "uniqueItems": true - }, - { - "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", - "in": "query", - "name": "timeoutSeconds", - "type": "integer", - "uniqueItems": true - }, - { - "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. 
Specify resourceVersion.", - "in": "query", - "name": "watch", - "type": "boolean", - "uniqueItems": true - } - ], - "produces": [ - "application/json", - "application/yaml", - "application/vnd.kubernetes.protobuf" - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" - } - }, - "401": { - "description": "Unauthorized" - } - }, - "schemes": [ - "https" - ], - "tags": [ - "apiextensions_v1beta1" - ], - "x-kubernetes-action": "deletecollection", - "x-kubernetes-group-version-kind": { - "group": "apiextensions.k8s.io", - "kind": "CustomResourceDefinition", - "version": "v1beta1" - } - }, "get": { "consumes": [ "*/*" diff --git a/pkg/controller/tenant/deletion/BUILD b/pkg/controller/tenant/deletion/BUILD index ecad611a0a9..e325e1fd95b 100644 --- a/pkg/controller/tenant/deletion/BUILD +++ b/pkg/controller/tenant/deletion/BUILD @@ -12,6 +12,7 @@ go_library( importpath = "k8s.io/kubernetes/pkg/controller/tenant/deletion", deps = [ "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured:go_default_library", diff --git a/pkg/controller/tenant/deletion/tenanted_resources_deleter.go b/pkg/controller/tenant/deletion/tenanted_resources_deleter.go index 427dae3bdc2..1dac6369d95 100644 --- a/pkg/controller/tenant/deletion/tenanted_resources_deleter.go +++ b/pkg/controller/tenant/deletion/tenanted_resources_deleter.go 
@@ -24,6 +24,7 @@ import (
 	"k8s.io/klog"
 
 	"k8s.io/api/core/v1"
+	crdregistry "k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -151,6 +152,7 @@ func (d *tenantedResourcesDeleter) Delete(tenantName string) error {
 	if finalized(tenant) {
 		return d.deleteTenant(tenant)
 	}
+
 	return nil
 }
 
@@ -367,6 +369,15 @@ func (d *tenantedResourcesDeleter) listCollection(gvr schema.GroupVersionResourc
 
 	unstructuredList, err := d.dynamicClient.Resource(gvr).NamespaceWithMultiTenancy("", tenant).List(metav1.ListOptions{})
 	if err == nil {
+		newItems := []unstructured.Unstructured{}
+		for _, item := range unstructuredList.Items {
+			if crdregistry.IsSystemForcedCrd(item) {
+				continue
+			}
+
+			newItems = append(newItems, item)
+		}
+		unstructuredList.Items = newItems
 		return unstructuredList, true, nil
 	}
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/types.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/types.go
index f81641aea3b..7c20f31088d 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/types.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/types.go
@@ -350,6 +350,7 @@ const CustomResourceCleanupFinalizer = "customresourcecleanup.apiextensions.k8s.
 
 // +genclient
 // +genclient:nonNamespaced
+// +genclient:skipVerbs=deleteCollection
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // CustomResourceDefinition represents a resource that should be exposed on the API server. Its name MUST be in the format 
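Review bot: The filter added to listCollection allocates a fresh `[]unstructured.Unstructured{}` and copies every surviving item; an in-place filter over `unstructuredList.Items[:0]` keeps the existing backing array and reads as a single condition instead of a `continue`. A one-line why-comment would also help the next reader, since nothing here says why CRDs are special, e.g. `// system-forced CRDs are shared into every tenant by the CRD registry; they belong to the system tenant and must survive tenant deletion`. Note that the guard depends on each listed item carrying Kind "CustomResourceDefinition" (IsSystemForcedCrd returns false otherwise), so if the dynamic client ever returns items without TypeMeta the filter is a silent no-op and only the server-side Delete guard remains — worth confirming against the client. listCollection's signature and the rest of its body lie outside the hunk.
```go
	if err == nil {
		// system-forced CRDs are shared into every tenant by the CRD registry;
		// they belong to the system tenant and must survive tenant deletion
		kept := unstructuredList.Items[:0]
		for _, item := range unstructuredList.Items {
			if !crdregistry.IsSystemForcedCrd(item) {
				kept = append(kept, item)
			}
		}
		unstructuredList.Items = kept
		return unstructuredList, true, nil
	}
```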
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/customresourcedefinition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/customresourcedefinition.go
index d5d12e88f8e..b009c12288c 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/customresourcedefinition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/customresourcedefinition.go
@@ -46,7 +46,6 @@ type CustomResourceDefinitionInterface interface {
 	Update(*v1beta1.CustomResourceDefinition) (*v1beta1.CustomResourceDefinition, error)
 	UpdateStatus(*v1beta1.CustomResourceDefinition) (*v1beta1.CustomResourceDefinition, error)
 	Delete(name string, options *v1.DeleteOptions) error
-	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
 	Get(name string, options v1.GetOptions) (*v1beta1.CustomResourceDefinition, error)
 	List(opts v1.ListOptions) (*v1beta1.CustomResourceDefinitionList, error)
 	Watch(opts v1.ListOptions) watch.AggregatedWatchInterface
@@ -237,22 +236,6 @@ func (c *customResourceDefinitions) Delete(name string, options *v1.DeleteOption
 		Error()
 }
 
-// DeleteCollection deletes a collection of objects.
-func (c *customResourceDefinitions) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-	var timeout time.Duration
-	if listOptions.TimeoutSeconds != nil {
-		timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
-	}
-	return c.client.Delete().
-		Tenant(c.te).
-		Resource("customresourcedefinitions").
-		VersionedParams(&listOptions, scheme.ParameterCodec).
-		Timeout(timeout).
-		Body(options).
-		Do().
-		Error()
-}
-
 // Patch applies the patch and returns the patched customResourceDefinition.
 func (c *customResourceDefinitions) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.CustomResourceDefinition, err error) {
 	result = &v1beta1.CustomResourceDefinition{}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/fake/fake_customresourcedefinition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/fake/fake_customresourcedefinition.go
index f92419d3e1e..a926203a947 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/fake/fake_customresourcedefinition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/fake/fake_customresourcedefinition.go
@@ -127,15 +127,6 @@ func (c *FakeCustomResourceDefinitions) Delete(name string, options *v1.DeleteOp
 	return err
 }
 
-// DeleteCollection deletes a collection of objects.
-func (c *FakeCustomResourceDefinitions) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
-
-	action := testing.NewTenantDeleteCollectionAction(customresourcedefinitionsResource, listOptions, c.te)
-
-	_, err := c.Fake.Invokes(action, &v1beta1.CustomResourceDefinitionList{})
-	return err
-}
-
 // Patch applies the patch and returns the patched customResourceDefinition.
 func (c *FakeCustomResourceDefinitions) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.CustomResourceDefinition, err error) {
 	obj, err := c.Fake.
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/BUILD b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/BUILD
index a32cadf8c8b..3973ac9127c 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/BUILD
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/BUILD
@@ -18,10 +18,12 @@ go_library(
         "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/internalversion:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/fields:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/registry/generic:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/registry/generic/registry:go_default_library",
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/etcd.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/etcd.go
index a45581b89cb..535b6b87168 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/etcd.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/etcd.go
@@ -26,6 +26,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/generic"
 	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
@@ -35,12 +36,13 @@ import (
 	"k8s.io/apiserver/pkg/util/dryrun"
 
 	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
 )
 
 // rest implements a RESTStorage for API services against etcd
 type REST struct {
-	*genericregistry.Store
+	store *genericregistry.Store
 }
 
 const (
@@ -77,6 +79,22 @@ func (r *REST) ShortNames() []string {
 	return []string{"crd", "crds"}
 }
 
+func (r *REST) NamespaceScoped() bool {
+	return false
+}
+
+func (r *REST) TenantScoped() bool {
+	return true
+}
+
+func (r *REST) New() runtime.Object {
+	return r.store.New()
+}
+
+func (r *REST) NewList() runtime.Object {
+	return r.store.NewList()
+}
+
 // try to retrieve the forced version of CRD under the system tenant first.
 // If not found, try the search under the tenant.
 func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions) (runtime.Object, error) {
@@ -86,7 +104,7 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 	}
 
 	systemContext := genericapirequest.WithTenant(ctx, metav1.TenantSystem)
-	obj, err := r.Store.Get(systemContext, name, options)
+	obj, err := r.store.Get(systemContext, name, options)
 	if tenant == metav1.TenantSystem {
 		return obj, err
 	}
@@ -95,7 +113,7 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 		return obj, nil
 	}
 
-	return r.Store.Get(ctx, name, options)
+	return r.store.Get(ctx, name, options)
 }
 
 func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc, forceAllowCreate bool, options *metav1.UpdateOptions) (runtime.Object, bool, error) {
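Review bot: Replacing the embedded `*genericregistry.Store` with a private `store` field removes every method the embedding used to promote onto REST, not only DeleteCollection, and the diff re-adds only New, NewList, NamespaceScoped, TenantScoped, Watch and Export. Anything the apiserver discovers by probing the storage for optional interfaces — table conversion via ConvertToTable is the obvious candidate, if this apiserver's installer probes for it — is dropped silently and would only show up as a behaviour change at runtime, and any code outside this package that reached the exported `Store` field no longer compiles. A set of compile-time assertions naming the interfaces the type is meant to keep, e.g. `var _ rest.Lister = &REST{}` and `var _ rest.Watcher = &REST{}`, would turn a future accidental drop into a build failure. The field itself deserves a why-comment, since the rename is the whole point: `// store is the generic etcd-backed store; it is a named field rather than embedded so that DeleteCollection is not promoted onto REST and CRDs can only be deleted one at a time.`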
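Review bot: The four methods added after ShortNames are exported but carry no doc comments, while the neighbouring Get does. Per the package's own convention the comment should start with the method name, e.g. `// NamespaceScoped reports that CustomResourceDefinitions are not namespaced.`, `// TenantScoped reports that CustomResourceDefinitions are scoped to a tenant.`, `// New delegates to the underlying store.` and `// NewList delegates to the underlying store.`. The same applies to Watch and Export further down in the same file.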
@@ -105,16 +123,16 @@ func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObje
 	}
 
 	if tenant == metav1.TenantSystem {
-		return r.Store.Update(ctx, name, objInfo, createValidation, updateValidation, forceAllowCreate, options)
+		return r.store.Update(ctx, name, objInfo, createValidation, updateValidation, forceAllowCreate, options)
 	}
 
 	systemContext := genericapirequest.WithTenant(ctx, metav1.TenantSystem)
-	sysObj, err := r.Store.Get(systemContext, name, &metav1.GetOptions{})
+	sysObj, err := r.store.Get(systemContext, name, &metav1.GetOptions{})
 	if err == nil && IsCrdSystemForced(sysObj.(*apiextensions.CustomResourceDefinition)) {
 		return nil, false, fmt.Errorf("%v is a system CRD, you cannot overwrite it.", name)
 	}
 
-	return r.Store.Update(ctx, name, objInfo, createValidation, updateValidation, forceAllowCreate, options)
+	return r.store.Update(ctx, name, objInfo, createValidation, updateValidation, forceAllowCreate, options)
 }
 
 // Return the forced CRD under the system tenant and the CRDs under the tenant.
@@ -125,7 +143,7 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 	}
 
 	if tenant == metav1.TenantSystem {
-		return r.Store.List(ctx, options)
+		return r.store.List(ctx, options)
 	}
 
 	resultItems := []apiextensions.CustomResourceDefinition{}
@@ -133,7 +151,7 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 	systemContext := genericapirequest.WithTenant(ctx, metav1.TenantSystem)
 	sysSharingOptions := &metainternalversion.ListOptions{LabelSelector: labels.Set{crdSharingPolicyAnnotation: forcedSharing}.AsSelector()}
 
-	sysList, err := r.Store.List(systemContext, sysSharingOptions)
+	sysList, err := r.store.List(systemContext, sysSharingOptions)
 	if err == nil {
 		sysCrdList, ok := sysList.(*apiextensions.CustomResourceDefinitionList)
 		if ok {
@@ -146,7 +164,7 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption } } - tenantList, err := r.Store.List(ctx, options) + tenantList, err := r.store.List(ctx, options) if err != nil { return nil, err } @@ -178,18 +196,18 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation } if tenant == metav1.TenantSystem { - return r.Store.Create(ctx, obj, createValidation, options) + return r.store.Create(ctx, obj, createValidation, options) } crd, _ := obj.(*apiextensions.CustomResourceDefinition) crdName := crd.Name systemContext := genericapirequest.WithTenant(ctx, metav1.TenantSystem) - sysObj, err := r.Store.Get(systemContext, crdName, &metav1.GetOptions{}) + sysObj, err := r.store.Get(systemContext, crdName, &metav1.GetOptions{}) if err == nil && IsCrdSystemForced(sysObj.(*apiextensions.CustomResourceDefinition)) { return nil, fmt.Errorf("There is already a system forced CRD with the name %v ", crdName) } - return r.Store.Create(ctx, obj, createValidation, options) + return r.store.Create(ctx, obj, createValidation, options) } // Delete adds the CRD finalizer to the list @@ -199,7 +217,15 @@ func (r *REST) Delete(ctx context.Context, name string, deleteValidation rest.Va return nil, false, err } + tenant, ok := genericapirequest.TenantFrom(ctx) + if !ok { + return nil, false, fmt.Errorf("cannot decide the tenant") + } + crd := obj.(*apiextensions.CustomResourceDefinition) + if IsCrdSystemForced(crd) && tenant != metav1.TenantSystem { + return nil, false, nil + } // Ensure we have a UID precondition if options == nil { 
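Review bot: In the Delete hunk, `return nil, false, nil` for a system-forced CRD requested from a non-system tenant reports the refused deletion as a success: the handler sees no error and no object, the client gets a success status, and the API audit trail records a completed delete that never happened. The Update path in the same file refuses the equivalent case with `fmt.Errorf("%v is a system CRD, you cannot overwrite it.", name)`, so Delete should be consistent and explicit, e.g. `return nil, false, fmt.Errorf("%v is a system CRD, you cannot delete it from tenant %v", name, tenant)` — or, better still, an `apierrors.NewForbidden(...)` so the client receives a 403 rather than a 500 (apierrors is already imported in this file). The unchecked assertion `crd := obj.(*apiextensions.CustomResourceDefinition)` panics if Get ever returns a different type; `crd, ok := ...` with an error return costs two lines. The remainder of Delete runs past this hunk.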
@@ -229,15 +255,15 @@ func (r *REST) Delete(ctx context.Context, name string, deleteValidation rest.Va
 
 	// upon first request to delete, add our finalizer and then delegate
 	if crd.DeletionTimestamp.IsZero() {
-		key, err := r.Store.KeyFunc(ctx, name)
+		key, err := r.store.KeyFunc(ctx, name)
 		if err != nil {
 			return nil, false, err
 		}
 
 		preconditions := storage.Preconditions{UID: options.Preconditions.UID, ResourceVersion: options.Preconditions.ResourceVersion}
 
-		out := r.Store.NewFunc()
-		err = r.Store.Storage.GuaranteedUpdate(
+		out := r.store.NewFunc()
+		err = r.store.Storage.GuaranteedUpdate(
 			ctx, key, out, false, &preconditions,
 			storage.SimpleUpdate(func(existing runtime.Object) (runtime.Object, error) {
 				existingCRD, ok := existing.(*apiextensions.CustomResourceDefinition)
@@ -282,13 +308,21 @@ func (r *REST) Delete(ctx context.Context, name string, deleteValidation rest.Va
 		return out, false, nil
 	}
 
-	return r.Store.Delete(ctx, name, deleteValidation, options)
+	return r.store.Delete(ctx, name, deleteValidation, options)
+}
+
+func (r *REST) Watch(ctx context.Context, options *metainternalversion.ListOptions) (watch.Interface, error) {
+	return r.store.Watch(ctx, options)
+}
+
+func (r *REST) Export(ctx context.Context, name string, opts metav1.ExportOptions) (runtime.Object, error) {
+	return r.store.Export(ctx, name, opts)
 }
 
 // NewStatusREST makes a RESTStorage for status that has more limited options.
 // It is based on the original REST so that we can share the same underlying store
 func NewStatusREST(scheme *runtime.Scheme, rest *REST) *StatusREST {
-	statusStore := *rest.Store
+	statusStore := *rest.store
 	statusStore.CreateStrategy = nil
 	statusStore.DeleteStrategy = nil
 	statusStore.UpdateStrategy = NewStatusStrategy(scheme)
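Review bot: The new Watch delegates straight to `r.store.Watch(ctx, options)`, whereas List in this file merges the system tenant's forced-sharing CRDs into a non-system tenant's result; a tenant informer that lists then watches would therefore see forced CRDs in its initial list but never receive events for them. If List and Watch are meant to agree, Watch needs the same system-tenant merge (a watch over both contexts); if the divergence is deliberate it should be stated on the method, e.g. `// Watch delegates to the underlying store and, unlike List, does not include the system tenant's forced-sharing CRDs.` Export also lacks a doc comment; `// Export delegates to the underlying store.` suffices. The NewStatusREST change in the same hunk is only the field rename.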
@@ -317,8 +351,20 @@ func (r *StatusREST) Update(ctx context.Context, name string, objInfo rest.Updat
 	return r.store.Update(ctx, name, objInfo, createValidation, updateValidation, false, options)
 }
 
+// Checks whether the CRD is system-forced-sharing
 func IsCrdSystemForced(crd *apiextensions.CustomResourceDefinition) bool {
 	sharingPolicy, _ := crd.GetLabels()[crdSharingPolicyAnnotation]
 	result := strings.ToLower(sharingPolicy) == forcedSharing && crd.GetTenant() == metav1.TenantSystem
 	return result
 }
+
+// Checks whether the unstructured object is a system-forced-sharing CRD
+func IsSystemForcedCrd(item unstructured.Unstructured) bool {
+	if item.GetObjectKind().GroupVersionKind().Kind != "CustomResourceDefinition" {
+		return false
+	}
+
+	sharingPolicy, _ := item.GetLabels()[crdSharingPolicyAnnotation]
+	result := strings.ToLower(sharingPolicy) == forcedSharing && item.GetTenant() == metav1.TenantSystem
+	return result
+}
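Review bot: IsSystemForcedCrd checks only the Kind, so an unstructured object of Kind "CustomResourceDefinition" from any other API group would be treated as a system CRD and skipped by the tenant deleter; comparing the Group as well (the apiextensions package exposes a GroupName constant upstream — confirm it exists in this tree) closes that gap. The label-and-tenant predicate is now duplicated verbatim between IsCrdSystemForced and IsSystemForcedCrd, so a future change to the sharing-policy rule has to be made twice; a small unexported helper keeps one source of truth, and the `, _` on the map index is redundant. The two new doc comments also do not follow the Go convention of starting with the function name.
```go
// isSystemForcedSharing holds when the sharing-policy label requests forced
// sharing and the object lives in the system tenant.
func isSystemForcedSharing(labels map[string]string, tenant string) bool {
	return strings.ToLower(labels[crdSharingPolicyAnnotation]) == forcedSharing && tenant == metav1.TenantSystem
}

// IsCrdSystemForced reports whether crd is a system-forced-sharing CRD.
func IsCrdSystemForced(crd *apiextensions.CustomResourceDefinition) bool {
	return isSystemForcedSharing(crd.GetLabels(), crd.GetTenant())
}

// IsSystemForcedCrd reports whether the unstructured item is a
// system-forced-sharing CRD; non-CRD kinds are never forced.
func IsSystemForcedCrd(item unstructured.Unstructured) bool {
	gvk := item.GetObjectKind().GroupVersionKind()
	if gvk.Group != apiextensions.GroupName || gvk.Kind != "CustomResourceDefinition" {
		return false
	}
	return isSystemForcedSharing(item.GetLabels(), item.GetTenant())
}
```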