`duck.TypedInformerFactory` does not honor namespace scope
/kind bug (I'm fine if we want to consider this a feature request, but to me it rather seems like this was overlooked in https://github.com/knative/pkg/pull/626)
Expected Behavior
`duck.TypedInformerFactory` honors the namespace scope set via `injection.WithNamespaceScope()`, like injected informer factories do.
Actual Behavior
It doesn't, which results in permission errors when a namespace-scoped controller makes use of a duck informer factory, either directly or indirectly.
A common example is the `resolver.URIResolver`, which is backed by a `duck.TypedInformerFactory` for the `duckv1.Addressable` duck type.

```
Could not resolve sink URI: failed to get lister for serving.knative.dev/v1, Resource=services: services.serving.knative.dev is forbidden: User "system:serviceaccount:my-namespace:my-controller" cannot list resource "services" in API group "serving.knative.dev" at the cluster scope
```
Steps to Reproduce the Problem
- Shared main:

```go
// import "knative.dev/pkg/signals"
// import "knative.dev/pkg/injection"
// import "knative.dev/pkg/injection/sharedmain"
// import "myrepo/pkg/reconciler/sample"

ctx := signals.NewContext()
ctx = injection.WithNamespaceScope(ctx, "my-namespace")

sharedmain.MainWithContext(ctx, "my-controller",
	sample.NewController,
)
```
- Controller constructor:

```go
// import "context"
// import corev1 "k8s.io/api/core/v1"
// import "k8s.io/apimachinery/pkg/types"
// import duckv1 "knative.dev/pkg/apis/duck/v1"
// import "knative.dev/pkg/configmap"
// import "knative.dev/pkg/controller"
// import "knative.dev/pkg/resolver"
// import reconcilerv1 "myrepo/pkg/client/generated/injection/reconciler/mygroup/v1/mykind"

func NewController(ctx context.Context, _ configmap.Watcher) *controller.Impl {
	r := &Reconciler{
		// uriResolver is a *resolver.URIResolver; the no-op callback is a placeholder
		uriResolver: resolver.NewURIResolver(ctx, func(types.NamespacedName) {}),
	}

	// just to reproduce the issue
	dst := duckv1.Destination{/* omitted fields */}
	parent := &corev1.Pod{/* omitted fields */}
	_, err := r.uriResolver.URIFromDestinationV1(ctx, dst, parent)
	if err != nil {
		panic(err)
	}

	return reconcilerv1.NewImpl(ctx, r)
}
```
Additional Info
Relevant code locations:
https://github.com/knative/pkg/blob/f907b31046d3c69a29b13d6d6ad2907767faac1e/apis/duck/typed.go#L61-L63
vs.
https://github.com/knative/pkg/blob/6484377731032712280dd71d88eae5287f33aa54/client/injection/kube/informers/factory/fake/fake.go#L39-L44
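
A self-contained model of the mismatch reported above, added here as an illustration and not taken from knative/pkg: a client whose permissions cover a single namespace is driven once by a factory that ignores the scope stored in the context and once by one that reads it. All names (`nsKey`, `withNamespaceScope`, `lister`, `listIgnoringScope`, `listHonoringScope`) and the sample policy are hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// nsKey is a hypothetical context key standing in for the scope that
// injection.WithNamespaceScope() stores in the context.
type nsKey struct{}

func withNamespaceScope(ctx context.Context, ns string) context.Context {
	return context.WithValue(ctx, nsKey{}, ns)
}

var errForbidden = errors.New("forbidden at the requested scope")

// lister models an API client bound to a service account whose RBAC
// Role only allows "list" inside allowedNS (constructed sample policy).
type lister struct{ allowedNS string }

// List treats "" as "all namespaces", the way Kubernetes clients do.
func (l lister) List(ns string) error {
	if ns != l.allowedNS {
		return fmt.Errorf("list in namespace %q: %w", ns, errForbidden)
	}
	return nil
}

// listIgnoringScope models the reported behaviour: the scope in ctx is never read.
func listIgnoringScope(_ context.Context, l lister) error {
	return l.List("")
}

// listHonoringScope models the expected behaviour: use the scoped
// namespace when one is set, otherwise fall back to all namespaces.
func listHonoringScope(ctx context.Context, l lister) error {
	ns, _ := ctx.Value(nsKey{}).(string)
	return l.List(ns)
}

func main() {
	ctx := withNamespaceScope(context.Background(), "my-namespace")
	l := lister{allowedNS: "my-namespace"}
	fmt.Println("ignoring scope:", listIgnoringScope(ctx, l))
	fmt.Println("honoring scope:", listHonoringScope(ctx, l))
}
```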