review: Use controller-runtime client to create SAR objects

apo-ger · apo-ger · commit 4e83b28b19b5 · 2022-11-18T10:30:29.000+02:00
Signed-off-by: Apostolos Gerakaris &lt;apoger@arrikto.com&gt;
diff --git a/pkg/new-ui/v1beta1/authzn.go b/pkg/new-ui/v1beta1/authzn.go
@@ -10,8 +10,7 @@ import (
 
 	"github.com/kubeflow/katib/pkg/util/v1beta1/env"
 	v1 "k8s.io/api/authorization/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 // ENV variables
@@ -60,8 +59,39 @@ func CreateSAR(user, verb, namespace, group,
 	return sar
 }
 
+// func IsAuthorized(user, verb, namespace, group,
+// 	version, resource, subresource, name string, client *kubernetes.Clientset) error {
+
+// 	// Skip authz when in dev_mode
+// 	if BACKEND_MODE == "dev" || BACKEND_MODE == "development" {
+// 		log.Printf("Skipping authorization check in development mode")
+// 		return nil
+// 	}
+// 	// Skip authz when admin is explicity requested it
+// 	if DISABLE_AUTH {
+// 		log.Printf("APP_DISABLE_AUTH set to True. Skipping authorization check")
+// 		return nil
+// 	}
+
+// 	sar := CreateSAR(user, verb, namespace, group, version, resource, subresource, name)
+
+// 	res, err := client.AuthorizationV1().SubjectAccessReviews().Create(context.TODO(), sar, metav1.CreateOptions{})
+// 	if err != nil {
+// 		log.Printf("Error submitting SubjectAccessReview: %v, %s", sar, err.Error())
+// 		return err
+// 	}
+
+// 	if res.Status.Allowed {
+// 		return nil
+// 	}
+
+// 	msg := generateUnauthorizedMessage(user, verb, namespace, group, version, resource, subresource, res)
+// 	err = errors.New(msg)
+// 	return err
+// }
+
 func IsAuthorized(user, verb, namespace, group,
-	version, resource, subresource, name string, client *kubernetes.Clientset) error {
+	version, resource, subresource, name string, client client.Client) error {
 
 	// Skip authz when in dev_mode
 	if BACKEND_MODE == "dev" || BACKEND_MODE == "development" {
@@ -76,17 +106,17 @@ func IsAuthorized(user, verb, namespace, group,
 
 	sar := CreateSAR(user, verb, namespace, group, version, resource, subresource, name)
 
-	res, err := client.AuthorizationV1().SubjectAccessReviews().Create(context.TODO(), sar, metav1.CreateOptions{})
+	err := client.Create(context.TODO(), sar)
 	if err != nil {
 		log.Printf("Error submitting SubjectAccessReview: %v, %s", sar, err.Error())
 		return err
 	}
 
-	if res.Status.Allowed {
+	if sar.Status.Allowed {
 		return nil
 	}
 
-	msg := generateUnauthorizedMessage(user, verb, namespace, group, version, resource, subresource, res)
+	msg := generateUnauthorizedMessage(user, verb, namespace, group, version, resource, subresource, sar)
 	err = errors.New(msg)
 	return err
 }
diff --git a/pkg/new-ui/v1beta1/backend.go b/pkg/new-ui/v1beta1/backend.go
@@ -25,9 +25,7 @@ import (
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
-	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	experimentv1beta1 "github.com/kubeflow/katib/pkg/apis/controller/experiments/v1beta1"
 	api_pb_v1beta1 "github.com/kubeflow/katib/pkg/apis/manager/v1beta1"
@@ -40,20 +38,11 @@ func NewKatibUIHandler(dbManagerAddr string) *KatibUIHandler {
 		log.Printf("NewClient for Katib failed: %v", err)
 		panic(err)
 	}
-	// create a new client for manipulating SAR objects.
-	conf, err := config.GetConfig()
-	if err != nil {
-		log.Printf("Failed to create k8s rest config: %v", err)
-		panic(err)
-	}
-	sarclient, err := kubernetes.NewForConfig(conf)
-	if err != nil {
-		log.Printf("SarClient for Katib failes: %v", err)
-		panic(err)
-	}
+	sarclient := kclient.GetClient()
+
 	return &KatibUIHandler{
 		katibClient:   kclient,
-		sarClient:     *sarclient,
+		sarClient:     sarclient,
 		dbManagerAddr: dbManagerAddr,
 	}
 }
@@ -123,9 +112,9 @@ func (k *KatibUIHandler) CreateExperiment(w http.ResponseWriter, r *http.Request
 	namespace := job.ObjectMeta.Namespace
 	expName := job.ObjectMeta.Name
 
-	err = IsAuthorized(user, "create", namespace, "kubeflow.org", "v1beta1", "experiments", "", "", &k.sarClient)
+	err = IsAuthorized(user, "create", namespace, "kubeflow.org", "v1beta1", "experiments", "", "", k.sarClient)
 	if err != nil {
-		log.Printf("The user: %s is not authorized to create experiment: %s from namespace: %s \n", user, expName, namespace)
+		log.Printf("The user: %s is not authorized to create experiment: %s in namespace: %s \n", user, expName, namespace)
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@@ -158,9 +147,9 @@ func (k *KatibUIHandler) FetchNamespacedExperiments(w http.ResponseWriter, r *ht
 
 	namespace := namespaces[0]
 
-	err = IsAuthorized(user, "list", namespace, "kubeflow.org", "v1beta1", "experiments", "", "", &k.sarClient)
+	err = IsAuthorized(user, "list", namespace, "kubeflow.org", "v1beta1", "experiments", "", "", k.sarClient)
 	if err != nil {
-		log.Printf("The user: %s is not authorized to list experiments from namespace: %s \n", user, namespace)
+		log.Printf("The user: %s is not authorized to list experiments in namespace: %s \n", user, namespace)
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@@ -236,9 +225,9 @@ func (k *KatibUIHandler) DeleteExperiment(w http.ResponseWriter, r *http.Request
 	experimentName := experimentNames[0]
 	namespace := namespaces[0]
 
-	err = IsAuthorized(user, "delete", namespace, "kubeflow.org", "v1beta1", "experiments", "", experimentName, &k.sarClient)
+	err = IsAuthorized(user, "delete", namespace, "kubeflow.org", "v1beta1", "experiments", "", "", k.sarClient)
 	if err != nil {
-		log.Printf("The user: %s is not authorized to delete experiment: %s from namespace: %s \n", user, experimentName, namespace)
+		log.Printf("The user: %s is not authorized to delete experiment: %s in namespace: %s \n", user, experimentName, namespace)
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@@ -353,9 +342,9 @@ func (k *KatibUIHandler) AddTemplate(w http.ResponseWriter, r *http.Request) {
 	updatedConfigMapPath := data["updatedConfigMapPath"].(string)
 	updatedTemplateYaml := data["updatedTemplateYaml"].(string)
 
-	err = IsAuthorized(user, "create", updatedConfigMapNamespace, "", "v1", "configmaps", "", updatedConfigMapName, &k.sarClient)
+	err = IsAuthorized(user, "create", updatedConfigMapNamespace, "", "v1", "configmaps", "", updatedConfigMapName, k.sarClient)
 	if err != nil {
-		log.Printf("The user: %s is not authorized to add configmap: %s from namespace: %s \n", user, updatedConfigMapName, updatedConfigMapNamespace)
+		log.Printf("The user: %s is not authorized to add configmap: %s in namespace: %s \n", user, updatedConfigMapName, updatedConfigMapNamespace)
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@@ -408,9 +397,9 @@ func (k *KatibUIHandler) EditTemplate(w http.ResponseWriter, r *http.Request) {
 	updatedConfigMapPath := data["updatedConfigMapPath"].(string)
 	updatedTemplateYaml := data["updatedTemplateYaml"].(string)
 
-	err = IsAuthorized(user, "update", updatedConfigMapNamespace, "", "v1", "configmaps", "", updatedConfigMapName, &k.sarClient)
+	err = IsAuthorized(user, "update", updatedConfigMapNamespace, "", "v1", "configmaps", "", updatedConfigMapName, k.sarClient)
 	if err != nil {
-		log.Printf("The user: %s is not authorized to edit configmap: %s from namespace: %s \n", user, updatedConfigMapName, updatedConfigMapNamespace)
+		log.Printf("The user: %s is not authorized to edit configmap: %s in namespace: %s \n", user, updatedConfigMapName, updatedConfigMapNamespace)
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@@ -460,9 +449,9 @@ func (k *KatibUIHandler) DeleteTemplate(w http.ResponseWriter, r *http.Request)
 	updatedConfigMapName := data["updatedConfigMapName"].(string)
 	updatedConfigMapPath := data["updatedConfigMapPath"].(string)
 
-	err = IsAuthorized(user, "delete", updatedConfigMapNamespace, "", "v1", "configmaps", "", updatedConfigMapName, &k.sarClient)
+	err = IsAuthorized(user, "delete", updatedConfigMapNamespace, "", "v1", "configmaps", "", updatedConfigMapName, k.sarClient)
 	if err != nil {
-		log.Printf("The user: %s is not authorized to delete configmap: %s from namespace: %s \n", user, updatedConfigMapName, updatedConfigMapNamespace)
+		log.Printf("The user: %s is not authorized to delete configmap: %s in namespace: %s \n", user, updatedConfigMapName, updatedConfigMapNamespace)
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@@ -541,9 +530,9 @@ func (k *KatibUIHandler) FetchExperiment(w http.ResponseWriter, r *http.Request)
 	experimentName := experimentNames[0]
 	namespace := namespaces[0]
 
-	err = IsAuthorized(user, "get", namespace, "kubeflow.org", "v1beta1", "experiments", "", experimentName, &k.sarClient)
+	err = IsAuthorized(user, "get", namespace, "kubeflow.org", "v1beta1", "experiments", "", experimentName, k.sarClient)
 	if err != nil {
-		log.Printf("The user: %s is not authorized to get experiment: %s from namespace: %s \n", user, experimentName, namespace)
+		log.Printf("The user: %s is not authorized to get experiment: %s in namespace: %s \n", user, experimentName, namespace)
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@@ -594,9 +583,9 @@ func (k *KatibUIHandler) FetchSuggestion(w http.ResponseWriter, r *http.Request)
 	suggestionName := suggestionNames[0]
 	namespace := namespaces[0]
 
-	err = IsAuthorized(user, "get", namespace, "kubeflow.org", "v1beta1", "suggestions", "", suggestionName, &k.sarClient)
+	err = IsAuthorized(user, "get", namespace, "kubeflow.org", "v1beta1", "suggestions", "", suggestionName, k.sarClient)
 	if err != nil {
-		log.Printf("The user: %s is not authorized to get suggestion: %s from namespace: %s \n", user, suggestionName, namespace)
+		log.Printf("The user: %s is not authorized to get suggestion: %s in namespace: %s \n", user, suggestionName, namespace)
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
diff --git a/pkg/new-ui/v1beta1/types.go b/pkg/new-ui/v1beta1/types.go
@@ -20,7 +20,7 @@ import (
 	v1beta1experiment "github.com/kubeflow/katib/pkg/apis/controller/experiments/v1beta1"
 	"github.com/kubeflow/katib/pkg/controller.v1beta1/consts"
 	"github.com/kubeflow/katib/pkg/util/v1beta1/katibclient"
-	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 var (
@@ -76,7 +76,7 @@ type Template struct {
 
 type KatibUIHandler struct {
 	katibClient   katibclient.Client
-	sarClient     kubernetes.Clientset
+	sarClient     client.Client
 	dbManagerAddr string
 }
 
diff --git a/pkg/new-ui/v1beta1/util.go b/pkg/new-ui/v1beta1/util.go
@@ -104,7 +104,7 @@ func (k *KatibUIHandler) getTrialTemplatesViewList(user string) ([]TrialTemplate
 			} else {
 				// for all other namespaces check authorization rbac
 				configmapName := cmap.ObjectMeta.Name
-				err = IsAuthorized(user, "get", ns, "", "v1", "configmaps", "", configmapName, &k.sarClient)
+				err = IsAuthorized(user, "get", ns, "", "v1", "configmaps", "", configmapName, k.sarClient)
 				if err != nil {
 					log.Printf("The user: %s is not authorized to view configmap: %s from namespace: %s \n", user, configmapName, ns)
 					return nil, err

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ import (`
`20`	`20`	`v1beta1experiment "github.com/kubeflow/katib/pkg/apis/controller/experiments/v1beta1"`
`21`	`21`	`"github.com/kubeflow/katib/pkg/controller.v1beta1/consts"`
`22`	`22`	`"github.com/kubeflow/katib/pkg/util/v1beta1/katibclient"`
`23`		`- "k8s.io/client-go/kubernetes"`
	`23`	`+ "sigs.k8s.io/controller-runtime/pkg/client"`
`24`	`24`	`)`
`25`	`25`
`26`	`26`	`var (`
`@@ -76,7 +76,7 @@ type Template struct {`
`76`	`76`
`77`	`77`	`type KatibUIHandler struct {`
`78`	`78`	`katibClient katibclient.Client`
`79`		`- sarClient kubernetes.Clientset`
	`79`	`+ sarClient client.Client`
`80`	`80`	`dbManagerAddr string`
`81`	`81`	`}`
`82`	`82`