From 39e8aed0f7000488fd63bb7f80bd1482dcc0665e Mon Sep 17 00:00:00 2001
From: Thorsten Klein
Date: Fri, 3 Nov 2023 05:57:29 +0100
Subject: [PATCH] change: block devsessions if IAR is enabled (#2314)

Signed-off-by: Thorsten Klein
---
 pkg/dev/dev.go | 4 ++++
 .../apigroups/acorn/devsessions/strategy.go | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/pkg/dev/dev.go b/pkg/dev/dev.go
index a4d58a9bd..45d947586 100644
--- a/pkg/dev/dev.go
+++ b/pkg/dev/dev.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "io"
 "os"
+ "strings"
 "sync"
 "sync/atomic"
 "time"
@@ -19,6 +20,7 @@ import (
 "github.com/acorn-io/runtime/pkg/labels"
 "github.com/acorn-io/runtime/pkg/log"
 "github.com/acorn-io/runtime/pkg/rulerequest"
+ "github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/devsessions"
 "github.com/acorn-io/z"
 "github.com/sirupsen/logrus"
 "github.com/spf13/pflag"
@@ -277,6 +279,8 @@ func buildLoop(ctx context.Context, c client.Client, hash clientHash, opts *Opti
 case <-time.After(time.Second):
 continue
 }
+ } else if apierror.IsForbidden(err) && strings.Contains(err.Error(), devsessions.ErrMsgDevSessionBlockedByIAR) {
+ return fmt.Errorf(devsessions.ErrMsgDevSessionBlockedByIAR)
 } else if err != nil {
 logger.Errorf("Failed to run/update app: %v", err)
 failed.Store(true)
diff --git a/pkg/server/registry/apigroups/acorn/devsessions/strategy.go b/pkg/server/registry/apigroups/acorn/devsessions/strategy.go
index 46ef59b25..f8ffccd30 100644
--- a/pkg/server/registry/apigroups/acorn/devsessions/strategy.go
+++ b/pkg/server/registry/apigroups/acorn/devsessions/strategy.go
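Review bot: In the buildLoop hunk of pkg/dev/dev.go, the new branch detects the server-side block with `apierror.IsForbidden(err)` plus a substring match on the message text, and both conditions are fragile. The Validate change in strategy.go reports the block as a `field.Forbidden` entry in a validation ErrorList; if the registry converts that list into the usual 422 Invalid status (the conversion is not visible in this patch), `IsForbidden` returns false and the request falls through to the generic `Failed to run/update app` branch instead of stopping. Matching on the cause type carried in the returned status would not depend on the wording or on CLI and server being built from the same version. The return also discards the original error; `return fmt.Errorf("dev session rejected: %w", err)` would keep the status available to callers. buildLoop starts and ends outside the hunk.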
@@ -6,12 +6,16 @@ import (
 
 "github.com/acorn-io/baaah/pkg/router"
 apiv1 "github.com/acorn-io/runtime/pkg/apis/api.acorn.io/v1"
+ "github.com/acorn-io/runtime/pkg/config"
+ "github.com/acorn-io/runtime/pkg/profiles"
 "github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/apps"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/util/validation/field"
 kclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+const ErrMsgDevSessionBlockedByIAR = "ImageAllowRules active - DevSessions are being blocked"
+
 type Validator struct {
 client kclient.Client
 appValidator *apps.Validator
@@ -32,6 +36,17 @@ func (v *Validator) Validate(ctx context.Context, obj runtime.Object) (result fi
 return
 }
 
+ iarEnabled, err := config.GetFeature(ctx, v.client, profiles.FeatureImageAllowRules)
+ if err != nil {
+ result = append(result, field.Invalid(field.NewPath("metadata", "name"), devSession.Name, err.Error()))
+ return
+ }
+
+ if iarEnabled {
+ result = append(result, field.Forbidden(field.NewPath("metadata", "name"), ErrMsgDevSessionBlockedByIAR))
+ return
+ }
+
 if devSession.Spec.Region != app.GetRegion() {
 if devSession.Spec.Region != "" {
 result = append(result, field.Invalid(field.NewPath("spec", "region"), devSession.Spec.Region,
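Review bot: The exported constant `ErrMsgDevSessionBlockedByIAR` added in the first strategy.go hunk has no doc comment, although the same patch makes pkg/dev match on its text to detect the block. A comment such as `// ErrMsgDevSessionBlockedByIAR is the detail Validate returns when ImageAllowRules is enabled; pkg/dev matches on this text, so rewording it changes client behaviour.` would record that the string is part of the client/server contract.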
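Review bot: In the Validate hunk, a failure of `config.GetFeature` is reported as `field.Invalid` on `metadata.name`, which correctly rejects the session when the feature state cannot be read but tells the caller that the name is invalid. `field.InternalError(field.NewPath("metadata", "name"), err)` classifies it as what it is and keeps the fail-closed behaviour. It is also worth confirming that DevSession updates pass through this check, since only Validate is changed here and a session created before ImageAllowRules was enabled might otherwise keep being renewed; that code path is not visible in this patch. Validate starts and ends outside the hunk.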