Do not fail instantly on CRD resolution error when handling a manifest #1506
Conversation
|
|
CRD resolution failure can happen e.g. when the service account does not have list access to the crd API. However, this should not prevent from trying to resolve the resource type using the cluster OpenAPI. This is fixed by moving the error check after the attempt with OpenAPI.
booti386
changed the title
|
Hi, Thanks for raising this issue. I can see how permissions to list CRDs should not be required as long as one doesn't actually want to manage CRDs. Unfortunately, even if we were to distinguish on error type returned on CRD lookup (to handle the missing permissions error specifically), we would still be missing the information whether the resource is a CRD or not. We cannot just continue and extract the OpenAPI entry for it if we don't know for certain it's not a CRD (for reasons mentioned above). At this time, I don't really see a way forward without those permissions being available. Let me know if you have some other options in mind. |
|
Then the only thing I can think of is to add a flag to explicitly define if the manifest refers to a CRD or not. |
|
The documentation for the With regards to the flag you mentioned, I'm afraid that would degrade the user experience more than it would help. For example, we expect users to use automation tools like https://github.com/jrhouston/tfk8s to convert batches of vanilla Kubernetes manifests to Terraform and adding such a flag would complicate this process unnecessarily. While I'm thinking of alternatives, would you mind explaining in a bit more detail while you're unable to set permissions to list the CRDs in the cluster? They're schema definitions and do not carry sensitive information usually. I'm trying to understand the concerns behind not allowing permissions to list them (read-only). |
After prrofreading the doc I think it is actually ok, it was more the unexpected error message that caused confusion (it puzzled me for a while that I got an error message about CRD endpoint while I was not using it at all, until I read the source code).
What I wanted to suggest was to add a tristate e.g.
This way it shouldn't break any existing code.
Some kubernetes clusters have very strict permissions set, and don't always expose CRDs for various reasons (mostly because the API endpoint is not exposed by default rbac configuration iirc). |
|
So, what are most people doing here? I gave in and gave the serviceaccount access to the CRD API, read-only, with a ClusterRole and a ClusterRoleBinding. apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crd-readonly
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: whatever-crd-readonly
subjects:
- kind: ServiceAccount
name: whatever
namespace: whatever
roleRef:
kind: ClusterRole
name: crd-readonly
apiGroup: rbac.authorization.k8s.ioIt does seem like it shouldn't be required (in this case, my manifest is for a PersistentVolumeClaim), but it also doesn't seem to be a huge problem unless you had some serious custom resources going on, on a cluster where this user cannot be trusted to read those definitions. Someone facing that would have to design around the restriction with separated clusters for their concerns. |
Description
CRD resolution failure can happen e.g. when the service account does not have list access to the crd API.
However, this should not prevent from trying to resolve the resource type using the cluster OpenAPI.
This is fixed by moving the error check after the attempt with OpenAPI.
Acceptance tests
Output from acceptance testing:
Release Note
Release note for CHANGELOG:
References
Community Note