
change: block devsessions if IAR is enabled (#2314)
Signed-off-by: Thorsten Klein <[email protected]>
iwilltry42 authored Nov 3, 2023
1 parent 8070651 commit 39e8aed
Showing 2 changed files with 19 additions and 0 deletions.
4 changes: 4 additions & 0 deletions pkg/dev/dev.go
Expand Up @@ -6,6 +6,7 @@ import (
"fmt"
"io"
"os"
"strings"
"sync"
"sync/atomic"
"time"
Expand All @@ -19,6 +20,7 @@ import (
"github.com/acorn-io/runtime/pkg/labels"
"github.com/acorn-io/runtime/pkg/log"
"github.com/acorn-io/runtime/pkg/rulerequest"
"github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/devsessions"
"github.com/acorn-io/z"
"github.com/sirupsen/logrus"
"github.com/spf13/pflag"
Expand Down Expand Up @@ -277,6 +279,8 @@ func buildLoop(ctx context.Context, c client.Client, hash clientHash, opts *Opti
case <-time.After(time.Second):
continue
}
} else if apierror.IsForbidden(err) && strings.Contains(err.Error(), devsessions.ErrMsgDevSessionBlockedByIAR) {
return fmt.Errorf(devsessions.ErrMsgDevSessionBlockedByIAR)
} else if err != nil {
logger.Errorf("Failed to run/update app: %v", err)
failed.Store(true)
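Review bot: The new `else if` branch in buildLoop detects the server-side block by substring-matching `err.Error()` against `devsessions.ErrMsgDevSessionBlockedByIAR`, so if client and server ever disagree on that wording (version skew, a reworded or wrapped message) the error falls through to the generic "Failed to run/update app" branch instead of returning. Enforcement stays in the API server's validator, so this is a usability problem rather than a bypass, but the coupling deserves a comment such as `// Matched by message text; must stay in sync with devsessions.Validator. Enforcement is server-side.` The return also drops the original API error and calls `fmt.Errorf` with no verbs; `return fmt.Errorf("dev session rejected by server: %w", err)` would keep the cause for callers. buildLoop begins and ends outside this hunk.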
15 changes: 15 additions & 0 deletions pkg/server/registry/apigroups/acorn/devsessions/strategy.go
Expand Up @@ -6,12 +6,16 @@ import (

"github.com/acorn-io/baaah/pkg/router"
apiv1 "github.com/acorn-io/runtime/pkg/apis/api.acorn.io/v1"
"github.com/acorn-io/runtime/pkg/config"
"github.com/acorn-io/runtime/pkg/profiles"
"github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/apps"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
)

const ErrMsgDevSessionBlockedByIAR = "ImageAllowRules active - DevSessions are being blocked"

type Validator struct {
client kclient.Client
appValidator *apps.Validator
Expand All @@ -32,6 +36,17 @@ func (v *Validator) Validate(ctx context.Context, obj runtime.Object) (result fi
return
}

iarEnabled, err := config.GetFeature(ctx, v.client, profiles.FeatureImageAllowRules)
if err != nil {
result = append(result, field.Invalid(field.NewPath("metadata", "name"), devSession.Name, err.Error()))
return
}

if iarEnabled {
result = append(result, field.Forbidden(field.NewPath("metadata", "name"), ErrMsgDevSessionBlockedByIAR))
return
}

if devSession.Spec.Region != app.GetRegion() {
if devSession.Spec.Region != "" {
result = append(result, field.Invalid(field.NewPath("spec", "region"), devSession.Spec.Region,
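Review bot: When `config.GetFeature` fails, Validate reports it as `field.Invalid` on `metadata.name` with `err.Error()` as the detail, which tells the caller their object name is wrong and hands the raw lookup error to the API client. Rejecting on a failed lookup is the right fail-closed choice, but `result = append(result, field.InternalError(field.NewPath("metadata", "name"), err))` describes it accurately. Separately, this hunk gates only Validate; whether the update path, and DevSessions that already exist when ImageAllowRules is switched on, are also covered is not visible here and is worth confirming. Validate continues past the end of the hunk.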
