Add API to list resources under namespace tree

[cmurphy]

This change adds a new command and configuration to register an API endpoint which will allow users to query for resources belonging to descendants of any namespace. This means that finding all resources under a parent namespace can be done in one request, instead finding and iterating over all descendants. The new endpoints are:

• /apis/resources.hnc.x-k8s.io/v1alpha1

• discovery endpoint

• /apis/resources.hnc.x-k8s.io/v1alpha1/{resource}

• global resource query, equivalent to the same global request for the original resource

• /apis/resources.hnc.x-k8s.io/v1alpha1/namespaces/{namespace}/{resource}

• returns resources in all namespaces under {namespace}, including {namespace}.

Design: https://docs.google.com/document/d/1WpnAJ3442v93G4Wi7SnoEiLZVLJJO-AWCkl5GO4YLl4/edit?usp=sharing
Fixes: #235

This is based on the POC in https://github.com/cmurphy/hns-list.

To do:

• Add the CLI plugin
• make it work with not-cert-manager (default-cc.yaml)
• conform to kustomize patterns
• add support for Table formatted output https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables
• unit tests
• integration tests
• docs

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[adrianludwin]

Just some early comments. I understand and like the overall approach, thanks! I'm not sure what code is boilerplate and what's not, can you maybe add some comments to indicate?

The only thing I'm not seeing (at a quick review) are the RBAC checks - how do we know that the user is authorized to list resource X in namespace Y? (It is safe to assume that this also gives you access to all descendants of Y).

Thanks for this, looks good so far!

[adrianludwin]

Move this to https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/api/v1alpha2/groupversion_info.go, and use v1alpha2 instead for consistency?

[cmurphy]

Changed for now. This would be the first introduction of a new API that might iterate differently from the main hnc.x-k8s.io API. Are you sure you want it to start at 2? If we want to call it part of the original API then maybe we should move the whole thing to v1alpha3?

[cmurphy]

I'm not sure what code is boilerplate and what's not, can you maybe add some comments to indicate?

I've split the vendor code and the kustomize yaml into separate commits for easier reviewing. Let me know if you'd ultimately like to keep them split or squash them back into one once this is ready to merge.

The only thing I'm not seeing (at a quick review) are the RBAC checks - how do we know that the user is authorized to list resource X in namespace Y? (It is safe to assume that this also gives you access to all descendants of Y).

Good catch, this is intentional for the moment and an open question in the design doc. As it is right now, k8s blocks users from using the new resource endpoints unless they are explicitly granted permission with a role like kubectl -n parentns create role hnc-pods --verb list,watch --resource pods.resources.hnc.x-k8s.io. This is the least opinionated path and allows for the finest granularity of permission delegation. But it's obviously also a little user-hostile.

There's nothing that can be done from inside the handlers about this because kube-api won't even let the user touch the endpoint without this permission. So one option would to add a routine that auto-creates a catch-all role and rolebinding in each namespace that allows system:authenticated users to access all these *.resources.hnc.x-k8s.io endpoints, then have the handlers perform the real RBAC check for the target resource. This would make the new APIs "just work" but it's a little extra complexity and it moves the security boundary away from kube-api and into HNC, which might not be every user's preference.

[cmurphy]

Changed for now. This would be the first introduction of a new API that might iterate differently from the main hnc.x-k8s.io API. Are you sure you want it to start at 2? If we want to call it part of the original API then maybe we should move the whole thing to v1alpha3?

[adrianludwin]

LMK when you want me to review this again, thanks for your work on it!

[cmurphy]

@adrianludwin thanks for your patience! It's been a busy summer. I'm working on unit tests and then this should be ready for review.

[adrianludwin]

Lol I'm replying to some of these issues months late, no need to explain or apologize!

…

On Fri, Sept 15, 2023, 3:43 p.m. Colleen Murphy ***@***.***> wrote: @adrianludwin <https://github.com/adrianludwin> thanks for your patience! It's been a busy summer. I'm working on unit tests and then this should be ready for review. — Reply to this email directly, view it on GitHub <#281 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AE43PZFOJOUNSIMA22SVLNTX2SVXZANCNFSM6AAAAAAYMUNRZY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[cmurphy]

Marking this ready for review. It still needs integration tests, but enough of the core functionality is there to get feedback on. Happy to make any changes needed.

The commits are divided by components:

1. the main server functionality
2. go.mod and vendor updates
3. client
4. kustomize
5. cert setup

I know it's a massive code dump, let me know if there's any way I can organize it to make it easier to review. Happy to jump on a call to work through it as well.

Some open questions:

1. This is currently deployed in hnc-system, should it be in a separate namespace?
2. How and whether to handle RBAC - see the RBAC section of the design doc
3. Question on the API version Add API to list resources under namespace tree #281 (comment)

[cmurphy]

Just one question, I thought this endpoint worked with any HNC-controlled resource, e.g. you'd give permission to resources.hnc.x-k8s.io, not (say) pods.resources.hnc.x-k8s.io. Did I get that wrong?

You have this right, you could create a role with rules like

rules:
- apiGroups:
  - resources.hnc.x-k8s.io
  resources:
  - '*'
  verbs:
  - list
  - watch

or be more fine-grained as in my example

rules:
- apiGroups:
  - resources.hnc.x-k8s.io
  resources:
  - secrets
  - otherstuff
  verbs:
  - list
  - watch

depending on how selective the cluster admin wants to be.

How hard would it be at this point to change it to:
/apis/resources.hnc.x-k8s.io/v1alpha2/tree/{namespace}/{resource}

It's technically possible to change the endpoint path but there are a few reasons I don't think it would be a good idea:

1. Kubernetes is pretty strict about what it wants an API endpoint to look like, and it dictates that resources are either namespaced or global, there isn't any third option: https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-uris
2. As a follow-on to (1), clients also expect API paths to be in this format. This makes https://github.com/cmurphy/hierarchical-namespaces/blob/c3c3e5ce76f34c9acb105eec72578377f2bcfe3b/internal/kubectl/get.go#L75 work without customizing a non-standard HTTP client with a custom API path. External clients not part of HNC work the same way.
3. Standard k8s RBAC resources also expect namespaced paths. If I create a Role in namespace parent1, that means that clients can access resources in path /apis/<groupversion>/namespaces/<namespace>/<resource>. There is no way to create a Role to allow access to an endpoint with /tree/.
4. This really is about Kubernetes namespaces, you just have to think of it as "resources in descendants of <namespace>". Given Kubernetes' strictness about namespaced and non-namespaced things, I can't think of other query types that would fit here, but if we think of them we could put them in a new API group.

I've added a lot of nitpicky comments

I'm not seeing any inline comments, is it possible you didn't submit the review?

it would be really nice if you could generate some output and paste it into this PR so I can see what it looks like in practice

Will add in next comment

One other general comment I had was to clearly identify what was basically boilerplate (with sources/inspirations if possible)

I've updated it to add some comments on where I've pulled inspiration from in places where I didn't come up with it myself. I no longer have all my research for this in my browser history but I did my best to find sources again. The only parts that I think of as "boilerplate" are things like parsing flags where I've copied from other parts of HNC, and I didn't explicitly comment those parts. Let me know if you want more background on any other parts.

As for squashing, I usually prefer having a single commit per PR, or at least having each commit be independently buildable (which it's not if you update the dependencies in a separate commit)

I'll squash this into one commit once we think it's close to ready to merge.

[cmurphy]

Output Examples

Discovery

API

$ kubectl get --raw /apis/resources.hnc.x-k8s.io/v1alpha2 | jq .
{
  "apiVersion": "v1",
  "groupVersion": "resources.hnc.x-k8s.io/v1alpha2",
  "kind": "APIResourceList",
  "resources": [
    {
      "name": "events",
      "singularName": "",
      "namespaced": true,
      "version": "v1",
      "kind": "Event",
      "verbs": [
        "list",
        "watch"
      ],
      "shortNames": [
        "ev"
      ],
      "storageVersionHash": "r2yiGXH7wu8="
    },
    {
      "name": "serviceaccounts",
      "singularName": "",
      "namespaced": true,
      "version": "v1",
      "kind": "ServiceAccount",
      "verbs": [
        "list",
        "watch"
      ],
      "shortNames": [
        "sa"
      ],
      "storageVersionHash": "pbx9ZvyFpBE="
    },
    {
      "name": "secrets",
      "singularName": "",
      "namespaced": true,
      "version": "v1",
      "kind": "Secret",
      "verbs": [
        "list",
        "watch"
      ],
      "storageVersionHash": "S6u1pOWzb84="
    },
    ...

Kubectl

$ kubectl api-resources | grep resources.hnc
apps.controllerrevisions                                      resources.hnc.x-k8s.io/v1alpha2        true         ControllerRevision
apps.daemonsets                                  ds           resources.hnc.x-k8s.io/v1alpha2        true         DaemonSet
apps.deployments                                 deploy       resources.hnc.x-k8s.io/v1alpha2        true         Deployment
apps.replicasets                                 rs           resources.hnc.x-k8s.io/v1alpha2        true         ReplicaSet
apps.statefulsets                                sts          resources.hnc.x-k8s.io/v1alpha2        true         StatefulSet
authorization.k8s.io.localsubjectaccessreviews                resources.hnc.x-k8s.io/v1alpha2        true         LocalSubjectAccessReview
autoscaling.horizontalpodautoscalers             hpa          resources.hnc.x-k8s.io/v1alpha2        true         HorizontalPodAutoscaler
batch.cronjobs                                   cj           resources.hnc.x-k8s.io/v1alpha2        true         CronJob
batch.jobs                                                    resources.hnc.x-k8s.io/v1alpha2        true         Job
bindings                                                      resources.hnc.x-k8s.io/v1alpha2        true         Binding
configmaps                                       cm           resources.hnc.x-k8s.io/v1alpha2        true         ConfigMap
coordination.k8s.io.leases                                    resources.hnc.x-k8s.io/v1alpha2        true         Lease
discovery.k8s.io.endpointslices                               resources.hnc.x-k8s.io/v1alpha2        true         EndpointSlice
endpoints                                        ep           resources.hnc.x-k8s.io/v1alpha2        true         Endpoints
events                                           ev           resources.hnc.x-k8s.io/v1alpha2        true         Event
events.k8s.io.events                             ev           resources.hnc.x-k8s.io/v1alpha2        true         Event
hnc.x-k8s.io.hierarchicalresourcequotas          hrq          resources.hnc.x-k8s.io/v1alpha2        true         HierarchicalResourceQuota
hnc.x-k8s.io.hierarchyconfigurations                          resources.hnc.x-k8s.io/v1alpha2        true         HierarchyConfiguration
hnc.x-k8s.io.subnamespaceanchors                 subns        resources.hnc.x-k8s.io/v1alpha2        true         SubnamespaceAnchor
limitranges                                      limits       resources.hnc.x-k8s.io/v1alpha2        true         LimitRange
networking.k8s.io.ingresses                      ing          resources.hnc.x-k8s.io/v1alpha2        true         Ingress
networking.k8s.io.networkpolicies                netpol       resources.hnc.x-k8s.io/v1alpha2        true         NetworkPolicy
persistentvolumeclaims                           pvc          resources.hnc.x-k8s.io/v1alpha2        true         PersistentVolumeClaim
pods                                             po           resources.hnc.x-k8s.io/v1alpha2        true         Pod
podtemplates                                                  resources.hnc.x-k8s.io/v1alpha2        true         PodTemplate
policy.poddisruptionbudgets                      pdb          resources.hnc.x-k8s.io/v1alpha2        true         PodDisruptionBudget
rbac.authorization.k8s.io.rolebindings                        resources.hnc.x-k8s.io/v1alpha2        true         RoleBinding
rbac.authorization.k8s.io.roles                               resources.hnc.x-k8s.io/v1alpha2        true         Role
replicationcontrollers                           rc           resources.hnc.x-k8s.io/v1alpha2        true         ReplicationController
resourcequotas                                   quota        resources.hnc.x-k8s.io/v1alpha2        true         ResourceQuota
secrets                                                       resources.hnc.x-k8s.io/v1alpha2        true         Secret
serviceaccounts                                  sa           resources.hnc.x-k8s.io/v1alpha2        true         ServiceAccount
services                                         svc          resources.hnc.x-k8s.io/v1alpha2        true         Service
storage.k8s.io.csistoragecapacities                           resources.hnc.x-k8s.io/v1alpha2        true         CSIStorageCapacity

Global Resource List

API

List

$ kubectl get --raw /apis/resources.hnc.x-k8s.io/v1alpha2/secrets | jq '.items[] | "\(.metadata.namespace)/\(.metadata.name)"'
"child1/child1-s1"
"grandchild1/grandchild1-s1"
"hnc-system/hnc-resourcelist"
"hnc-system/hnc-webhook-server-cert"
"parent1/parent1-s1"

Watch

(Secret child1-s2 is created in another session after watch is started)

$ kubectl get --raw '/apis/resources.hnc.x-k8s.io/v1alpha2/secrets?watch=1&resourceVersion=129224'
{"type":"ADDED","object":{"apiVersion":"v1","kind":"Secret","metadata":{"creationTimestamp":"2023-11-10T01:54:46Z","managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:type":{}},"manager":"kubectl-create","operation":"Update","time":"2023-11-10T01:54:46Z"}],"name":"child1-s2","namespace":"child1","resourceVersion":"129265","uid":"73b8b2b6-a6f5-4995-aaa8-8b3fad771974"},"type":"Opaque"}}
^C

Kubectl

List

$ kubectl hns get secrets --all-namespaces
NAMESPACE     NAME                      AGE
child1        child1-s1                 2m6s
child1        child1-s2                 25s
grandchild1   grandchild1-s1            112s
hnc-system    hnc-resourcelist          25h
hnc-system    hnc-webhook-server-cert   25h
parent1       parent1-s1                2m14s

Watch

(Secret child1-s3 is created in another session after watch is started)

$ kubectl hns get secrets --all-namespaces --watch
NAMESPACE     NAME                      AGE
child1        child1-s1                 2m41s
child1        child1-s2                 60s
grandchild1   grandchild1-s1            2m27s
hnc-system    hnc-resourcelist          25h
hnc-system    hnc-webhook-server-cert   25h
parent1       parent1-s1                2m49s
child1   child1-s3   0s
^C

Namespaced (Tree) Resource List

API

List

$ kubectl get --raw /apis/resources.hnc.x-k8s.io/v1alpha2/namespaces/parent1/secrets | jq '.items[] | "\(.metadata.namespace)/\(.metadata.name)"'
"child1/child1-s1"
"child1/child1-s2"
"child1/child1-s3"
"grandchild1/grandchild1-s1"
"parent1/parent1-s1

Watch

(Secret grandchild1-s2 is created in another session after watch is started)

$ kubectl get --raw '/apis/resources.hnc.x-k8s.io/v1alpha2/namespaces/parent1/secrets?watch=1&resourceVersion=129444'
{"type":"ADDED","object":{"apiVersion":"v1","kind":"Secret","metadata":{"creationTimestamp":"2023-11-10T01:57:34Z","managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:type":{}},"manager":"kubectl-create","operation":"Update","time":"2023-11-10T01:57:34Z"}],"name":"grandchild1-s2","namespace":"grandchild1","resourceVersion":"129482","uid":"4956b13d-c838-4575-8318-4a96e3dedfd6"},"type":"Opaque"}}
^C

Kubectl

List

$ kubectl hns get secrets --namespace parent1
NAMESPACE     NAME             AGE
child1        child1-s1        4m49s
child1        child1-s2        3m8s
child1        child1-s3        2m4s
grandchild1   grandchild1-s1   4m35s
grandchild1   grandchild1-s2   20s
parent1       parent1-s1       4m57s

Watch

(Secret grandchild1-s3 is created in another session after watch is started)

$ kubectl hns get secrets --namespace parent1 --watch
NAMESPACE     NAME             AGE
child1        child1-s1        5m39s
child1        child1-s2        3m58s
child1        child1-s3        2m54s
grandchild1   grandchild1-s1   5m25s
grandchild1   grandchild1-s2   70s
parent1       parent1-s1       5m47s
grandchild1   grandchild1-s3   0s
^C

[adrianludwin]

Uuuuuuuggggh, sorry, forgot to hit submit! I'll reply to your latest comments soon

[adrianludwin]

Newline between the external imports and the HNC-internal stuff (here and elsewhere)

[cmurphy]

done

[adrianludwin]

This all looks very boilerplatey - if it is, do you mind adding a comment that says where this comes from or some kind of resource for it all?

[cmurphy]

done

[adrianludwin]

Ditto for my last comment, this is largely boilerplate, right?

[cmurphy]

Added some comments explaining inspiration/sources

[adrianludwin]

Why not leave this untyped?

[cmurphy]

done

[adrianludwin]

Dumb question: can we redirect back to the equivalent apiserver endpoint? Or, what would be the consequence of not implementing this? Just wondering if we can cut down on a bit of implementation (though tbh it wouldn't really save us a ton).

[cmurphy]

I tried to implement this, and when running it got the error message

Error: an error on the server ("the backend attempted to redirect this request, which is not permitted") has prevented the request from succeeding

It looks like kube-aggregator blocks this by default as of kubernetes/apimachinery@1c318b6 due to https://discuss.kubernetes.io/t/security-advisory-cve-2022-3172-aggregated-api-server-can-cause-clients-to-be-redirected-ssrf/21322

[adrianludwin]

Nit: maybe get the term "api extension" in there so it's more obvious what this is?

Also, I think you need name namespace system in here (Kustomize will add the hnc- prefix).

[cmurphy]

Fixed

[adrianludwin]

Should be system, kustomize should add hnc- I think?

[cmurphy]

This doesn't work, I'm not sure why. Maybe kustomize doesn't know about APIService?

[adrianludwin]

Add some comments about what all these RBAC roles are for

[cmurphy]

Done

[adrianludwin]

Add to help text: equivalent to kubectl get <resource> -A

[cmurphy]

done

[cmurphy]

done

[cmurphy]

done

[cmurphy]

Added some comments explaining inspiration/sources

[cmurphy]

done

[cmurphy]

fixed

[cmurphy]

done

[cmurphy]

Fixed

[cmurphy]

This doesn't work, I'm not sure why. Maybe kustomize doesn't know about APIService?

[cmurphy]

Done

[cmurphy]

FYI this allows both the new deployment and the existing HNC manager deployment to read resources, even though the latter doesn't need it. Would there be a preference to use a separate service account or separate namespace for the API extension deployment?

[rjbez17]

@adrianludwin will you be able to take another look here? If not I'll dig in this week.

[rjbez17]

/lgtm

[cmurphy]

I'll rebase this and take a look at the most recent comment this week. Thanks @rjbez17 for your attention on this.

[cmurphy]

Rebased

[rjbez17]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cmurphy, rjbez17

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rjbez17]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[utam0k]

@cmurphy Hi, it seems this secret doesn't exist in the manifest. Where is it?