forwardport fix for globalrolebinding deletion

rancher · Jul 7, 2021 · ee884c4 · ee884c4
1 parent c268c9d
commit ee884c4
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 4 deletions.
diff --git a/go.mod b/go.mod
@@ -36,7 +36,7 @@ require (
 	github.com/rancher/lasso v0.0.0-20210616224652-fc3ebd901c08
 	github.com/rancher/lasso/controller-runtime v0.0.0-20210616224652-fc3ebd901c08
 	github.com/rancher/rancher/pkg/apis v0.0.0-20210628154046-7a2fc74f9598
-	github.com/rancher/wrangler v0.8.1-0.20210623142126-9fabb3073c5e
+	github.com/rancher/wrangler v0.8.3
 	github.com/sirupsen/logrus v1.8.1
 	k8s.io/api v0.21.0
 	k8s.io/apiextensions-apiserver v0.21.0

diff --git a/go.sum b/go.sum
@@ -732,8 +732,8 @@ github.com/rancher/wrangler v0.6.2-0.20200820173016-2068de651106/go.mod h1:iKqQc
 github.com/rancher/wrangler v0.6.2-0.20200829053106-7e1dd4260224/go.mod h1:I7qe4DZNMOLKVa9ax7DJdBZ0XtKOppLF/dalhPX3vaE=
 github.com/rancher/wrangler v0.7.3-0.20201020003736-e86bc912dfac/go.mod h1:goezjesEKwMxHLfltdjg9DW0xWV7txQee6vOuSDqXAI=
 github.com/rancher/wrangler v0.8.1-0.20210618171953-ab479ee75244/go.mod h1:aj/stIidTzU6UEKKRB8JyrrqNMJAfDMziL1+zhG8lc0=
-github.com/rancher/wrangler v0.8.1-0.20210623142126-9fabb3073c5e h1:+3rNo6iAHXtwx6MG4Z4VmEi/+Q20AL45zoIKZV3f0lk=
-github.com/rancher/wrangler v0.8.1-0.20210623142126-9fabb3073c5e/go.mod h1:aj/stIidTzU6UEKKRB8JyrrqNMJAfDMziL1+zhG8lc0=
+github.com/rancher/wrangler v0.8.3 h1:m3d5ChOQj2Pdozy6nkGiSzAgQxlQlXRis2zSRwaO83k=
+github.com/rancher/wrangler v0.8.3/go.mod h1:dKEaHNB4izxmPUtpq1Hvr3z3Oh+9k5pCZyFO9sUhlaY=
 github.com/rancher/wrangler-api v0.6.1-0.20200427172631-a7c2f09b783e/go.mod h1:2lcWR98q8HU3U4mVETnXc8quNG0uXxrt8vKd6cAa/30=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=

diff --git a/main.go b/main.go
@@ -28,6 +28,10 @@ func main() {
 }
 
 func run() error {
+	if os.Getenv("CATTLE_DEBUG") == "true" || os.Getenv("RANCHER_DEBUG") == "true" {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+
 	logrus.Infof("Rancher-webhook version %s is starting", fmt.Sprintf("%s (%s)", Version, GitCommit))
 
 	cfg, err := kubeconfig.GetNonInteractiveClientConfig(os.Getenv("KUBECONFIG")).ClientConfig()

diff --git a/pkg/resources/validation/globalrolebinding/globarolebinding.go b/pkg/resources/validation/globalrolebinding/globarolebinding.go
@@ -1,8 +1,13 @@
 package globalrolebinding
 
 import (
+	"fmt"
+	"net/http"
 	"time"
 
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	rancherv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	"github.com/rancher/webhook/pkg/auth"
 	v3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
@@ -36,7 +41,27 @@ func (grbv *globalRoleBindingValidator) Admit(response *webhook.Response, reques
 	// Pull the global role to get the rules
 	globalRole, err := grbv.globalRoles.Get(newGRB.GlobalRoleName)
 	if err != nil {
-		return err
+		if !errors.IsNotFound(err) {
+			return err
+		}
+		switch request.Operation {
+		case admissionv1.Delete: // allow delete operations if the GR is not found
+			response.Allowed = true
+			return nil
+		case admissionv1.Update: // only allow updates to the finalizers if the GR is not found
+			if newGRB.DeletionTimestamp != nil {
+				response.Allowed = true
+				return nil
+			}
+		}
+		// other operations not allowed
+		response.Result = &metav1.Status{
+			Status:  "Failure",
+			Message: fmt.Sprintf("referenced globalRole %s not found, only deletions allowed", newGRB.Name),
+			Reason:  metav1.StatusReasonUnauthorized,
+			Code:    http.StatusUnauthorized,
+		}
+		return nil
 	}
 
 	return grbv.escalationChecker.ConfirmNoEscalation(response, request, globalRole.Rules, "")