Skip to content
This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

change: block devsessions if IAR is enabled (#2180) #2314

Merged
merged 1 commit into from
Nov 3, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions pkg/dev/dev.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"fmt"
"io"
"os"
"strings"
"sync"
"sync/atomic"
"time"
Expand All @@ -19,6 +20,7 @@ import (
"github.com/acorn-io/runtime/pkg/labels"
"github.com/acorn-io/runtime/pkg/log"
"github.com/acorn-io/runtime/pkg/rulerequest"
"github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/devsessions"
"github.com/acorn-io/z"
"github.com/sirupsen/logrus"
"github.com/spf13/pflag"
Expand Down Expand Up @@ -277,6 +279,8 @@ func buildLoop(ctx context.Context, c client.Client, hash clientHash, opts *Opti
case <-time.After(time.Second):
continue
}
} else if apierror.IsForbidden(err) && strings.Contains(err.Error(), devsessions.ErrMsgDevSessionBlockedByIAR) {
return fmt.Errorf(devsessions.ErrMsgDevSessionBlockedByIAR)
} else if err != nil {
logger.Errorf("Failed to run/update app: %v", err)
failed.Store(true)
Expand Down
15 changes: 15 additions & 0 deletions pkg/server/registry/apigroups/acorn/devsessions/strategy.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,16 @@ import (

"github.com/acorn-io/baaah/pkg/router"
apiv1 "github.com/acorn-io/runtime/pkg/apis/api.acorn.io/v1"
"github.com/acorn-io/runtime/pkg/config"
"github.com/acorn-io/runtime/pkg/profiles"
"github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/apps"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
)

const ErrMsgDevSessionBlockedByIAR = "ImageAllowRules active - DevSessions are being blocked"

type Validator struct {
client kclient.Client
appValidator *apps.Validator
Expand All @@ -32,6 +36,17 @@ func (v *Validator) Validate(ctx context.Context, obj runtime.Object) (result fi
return
}

iarEnabled, err := config.GetFeature(ctx, v.client, profiles.FeatureImageAllowRules)
if err != nil {
result = append(result, field.Invalid(field.NewPath("metadata", "name"), devSession.Name, err.Error()))
return
}

if iarEnabled {
result = append(result, field.Forbidden(field.NewPath("metadata", "name"), ErrMsgDevSessionBlockedByIAR))
return
}

if devSession.Spec.Region != app.GetRegion() {
if devSession.Spec.Region != "" {
result = append(result, field.Invalid(field.NewPath("spec", "region"), devSession.Spec.Region,
Expand Down
Loading