From 8cb411e9938017267ab5bfcee543a5ff83d99c91 Mon Sep 17 00:00:00 2001 From: Lukasz Szaszkiewicz Date: Wed, 25 Sep 2024 11:12:01 +0200 Subject: [PATCH] adds watchListEndpointRestrictions for watchlist requests (#126996) * endpoints/handlers/get: intro watchListEndpointRestrictions * consistencydetector/list_data_consistency_detector: expose IsDataConsistencyDetectionForListEnabled * e2e/watchlist: extract common function for adding unstructured secrets * e2e/watchlist: new e2e scenarios for convering watchListEndpointRestrict Kubernetes-commit: ae35048cb0b9b177891aab41346b6d6cc504582f --- go.mod | 4 ++-- go.sum | 8 ++++---- pkg/endpoints/handlers/get.go | 34 +++++++++++++++++++++++++++------- 3 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/go.mod b/go.mod
index 290d4e481..dfa12d1cf 100644
--- a/go.mod
+++ b/go.mod
@@ -50,8 +50,8 @@ require (
 gopkg.in/natefinch/lumberjack.v2 v2.2.1
 gopkg.in/square/go-jose.v2 v2.6.0
 k8s.io/api v0.0.0-20240920202009-71385f038c10
- k8s.io/apimachinery v0.0.0-20240920201701-c98a9e22228d
- k8s.io/client-go v0.0.0-20240922202559-fcb1b6051673
+ k8s.io/apimachinery v0.0.0-20240925041717-7f7bf1108918
+ k8s.io/client-go v0.0.0-20240925122622-5395fd1e2898
 k8s.io/component-base v0.0.0-20240923042704-5e237c64b1be
 k8s.io/klog/v2 v2.130.1
 k8s.io/kms v0.0.0-20240912041232-273c893e4e51
diff --git a/go.sum b/go.sum
index 5ae408e4c..30e425dc0 100644
--- a/go.sum
+++ b/go.sum
@@ -373,10 +373,10 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.0.0-20240920202009-71385f038c10 h1:shjQe98Co9zBlDzQkxb5IJEWtReSl7qunr56C4Jgc70= k8s.io/api v0.0.0-20240920202009-71385f038c10/go.mod h1:KCEt6+W/Yn1Vc48pYXeLf0mGK52kJhvt+rcaUVsIaKQ= -k8s.io/apimachinery v0.0.0-20240920201701-c98a9e22228d h1:yDB+e3ReCJtthGtcZXMJAYPsekzI7oIS6U6hSDgFVRA= -k8s.io/apimachinery v0.0.0-20240920201701-c98a9e22228d/go.mod h1:5rKPDwwN9qm//xASFCZ83nyYEanHxxhc7pZ8AC4lukY= -k8s.io/client-go v0.0.0-20240922202559-fcb1b6051673 h1:HbmVM5qrkQFSb+Isx8xOECazw5L6VDenjnUAgMPSmNQ= -k8s.io/client-go v0.0.0-20240922202559-fcb1b6051673/go.mod h1:slPGP9kLjwKXgatD4iciMlNjnCmtXQ1ZHl7l/mS5Ux0= +k8s.io/apimachinery v0.0.0-20240925041717-7f7bf1108918 h1:ng/G1Cex08Vz3thCE0X7s2vn6eHduxFOG9khssm3dwM= +k8s.io/apimachinery v0.0.0-20240925041717-7f7bf1108918/go.mod h1:5rKPDwwN9qm//xASFCZ83nyYEanHxxhc7pZ8AC4lukY= +k8s.io/client-go v0.0.0-20240925122622-5395fd1e2898 h1:Uk1+fyRbV/VADU7XqHXgCflzpCqfOUM5hPG6YH+o3VQ= +k8s.io/client-go v0.0.0-20240925122622-5395fd1e2898/go.mod h1:qjnMyMNFlW8CcwF+7n30w5m+FEGnZ9XpcW9gNIifxP4= k8s.io/component-base v0.0.0-20240923042704-5e237c64b1be h1:FVbhqwC7jzmEJj2WO1uDz8p53hPawsv6qgCmraQA71Y= k8s.io/component-base v0.0.0-20240923042704-5e237c64b1be/go.mod h1:fkEjPUVhTSqc5k3wBHfdJuwzY+Z1OwFQpumwqYwc9Vw= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= diff --git a/pkg/endpoints/handlers/get.go b/pkg/endpoints/handlers/get.go index 3cc4a728a..5ac2ff644 100644 --- a/pkg/endpoints/handlers/get.go +++ b/pkg/endpoints/handlers/get.go @@ -45,6 +45,7 @@ import ( utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/component-base/tracing" "k8s.io/klog/v2" + "k8s.io/utils/ptr" ) // getterFunc performs a get request with the given context and object name. The request 
@@ -185,15 +186,8 @@ func ListResource(r rest.Lister, rw rest.Watcher, scope *RequestScope, forceWatc if err != nil { hasName = false } - ctx = request.WithNamespace(ctx, namespace) - outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, scope) - if err != nil { - scope.err(err, w, req) - return - } - opts := metainternalversion.ListOptions{} if err := metainternalversionscheme.ParameterCodec.DecodeParameters(req.URL.Query(), scope.MetaGroupVersion, &opts); err != nil { err = errors.NewBadRequest(err.Error()) @@ -208,6 +202,17 @@ func ListResource(r rest.Lister, rw rest.Watcher, scope *RequestScope, forceWatc return } + var restrictions negotiation.EndpointRestrictions + restrictions = scope + if isListWatchRequest(opts) { + restrictions = &watchListEndpointRestrictions{scope} + } + outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, restrictions) + if err != nil { + scope.err(err, w, req) + return + } + // transform fields // TODO: DecodeParametersInto should do this. if opts.FieldSelector != nil { @@ -307,3 +312,18 @@ func ListResource(r rest.Lister, rw rest.Watcher, scope *RequestScope, forceWatc transformResponseObject(ctx, scope, req, w, http.StatusOK, outputMediaType, result) } } + +type watchListEndpointRestrictions struct { + negotiation.EndpointRestrictions +} + +func (e *watchListEndpointRestrictions) AllowsMediaTypeTransform(mimeType, mimeSubType string, target *schema.GroupVersionKind) bool { + if target != nil && target.Kind == "Table" { + return false + } + return e.EndpointRestrictions.AllowsMediaTypeTransform(mimeType, mimeSubType, target) +} + +func isListWatchRequest(opts metainternalversion.ListOptions) bool { + return utilfeature.DefaultFeatureGate.Enabled(features.WatchList) && ptr.Deref(opts.SendInitialEvents, false) && opts.AllowWatchBookmarks +}
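Review bot: Moving media type negotiation below option decoding changes which error a client sees first, and nothing at the new call site records why the order matters. With the old block removed from in front of `DecodeParameters`, a request carrying both an unacceptable Accept header and malformed list options would now be rejected for the options rather than for the media type; a comment such as `// negotiation depends on the decoded list options (watch-list requests get stricter restrictions), so it must run after decoding` would make that intentional. The two-step `var restrictions negotiation.EndpointRestrictions` followed by `restrictions = scope` can be merged into `var restrictions negotiation.EndpointRestrictions = scope`. ListResource starts and ends outside this hunk, so whatever runs between decoding and this block is not visible here.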
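Review bot: `isListWatchRequest` decides whether the Table transform is refused purely from two client-supplied options, requiring both `SendInitialEvents` and `AllowWatchBookmarks` and never consulting `opts.Watch` or `forceWatch`. If the storage layer streams initial events whenever `sendInitialEvents=true` regardless of bookmarks, such a request would still negotiate a Table response; that depends on code outside this diff, so it is worth confirming the predicate matches the one used downstream, ideally through one shared helper. The name also reads as list-then-watch while everything around it says watch-list; `isWatchListRequest` would agree with `watchListEndpointRestrictions` and `features.WatchList`. Both new declarations lack doc comments, for example `// watchListEndpointRestrictions wraps the endpoint's restrictions and refuses the Table transform for watch-list requests.`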