@ -23,12 +23,26 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/meta"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/cli-runtime/pkg/resource"
"helm.sh/helm/v3/pkg/kube"
)
var accessor = meta . NewAccessor ( )
var (
accessor = meta . NewAccessor ( )
provisioningClusterGVK = schema . GroupVersionKind {
Group : "provisioning.cattle.io" ,
Version : "v1" ,
Kind : "Cluster" ,
}
MachineConfigGV = schema . GroupVersion {
Group : "rke-machine-config.cattle.io" ,
Version : "v1" ,
}
)
const (
appManagedByLabel = "app.kubernetes.io/managed-by"
@ -73,7 +87,7 @@ func existingResourceConflict(resources kube.ResourceList, releaseName, releaseN
helper := resource . NewHelper ( info . Client , info . Mapping )
existing , err := helper . Get ( info . Namespace , info . Name )
if err != nil {
if apierrors . IsNotFound ( err ) {
if apierrors . IsNotFound ( err ) || shouldIgnore ( info , err ) {
return nil
}
return errors . Wrapf ( err , "could not get information about the resource %s" , resourceString ( info ) )
@ -93,6 +107,20 @@ func existingResourceConflict(resources kube.ResourceList, releaseName, releaseN
return requireUpdate , err
}
// If resource is cluster.provisioning.cattle.io or *.rke-machine-config.cattle.io, we should ignore permission error.
// This is because standard user in rancher won't have the permission to check it until they have created it. Issue: https://github.com/rancher/rancher/issues/34277#issuecomment-901308458
func shouldIgnore ( info * resource . Info , err error ) bool {
if info . Mapping != nil {
if info . Mapping . GroupVersionKind == provisioningClusterGVK || info . Mapping . GroupVersionKind . GroupVersion ( ) == MachineConfigGV {
if apierrors . IsForbidden ( err ) {
return true
}
}
}
return false
}
func checkOwnership ( obj runtime . Object , releaseName , releaseNamespace string ) error {
lbls , err := accessor . Labels ( obj )
if err != nil {
Daishan
4 years ago
committed by
Krunal Hingu