Skip to content
This repository was archived by the owner on Mar 16, 2024. It is now read-only.

Commit 39e8aed

Browse files
iwilltry42iwilltry42
authored
change: block devsessions if IAR is enabled (#2314)
Signed-off-by: Thorsten Klein <[email protected]>
1 parent 8070651 commit 39e8aed

File tree

2 files changed

+19
-0
lines changed

2 files changed

+19
-0
lines changed

pkg/dev/dev.go

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ import (
66
"fmt"
77
"io"
88
"os"
9+
"strings"
910
"sync"
1011
"sync/atomic"
1112
"time"
@@ -19,6 +20,7 @@ import (
1920
"github.com/acorn-io/runtime/pkg/labels"
2021
"github.com/acorn-io/runtime/pkg/log"
2122
"github.com/acorn-io/runtime/pkg/rulerequest"
23+
"github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/devsessions"
2224
"github.com/acorn-io/z"
2325
"github.com/sirupsen/logrus"
2426
"github.com/spf13/pflag"
@@ -277,6 +279,8 @@ func buildLoop(ctx context.Context, c client.Client, hash clientHash, opts *Opti
277279
case <-time.After(time.Second):
278280
continue
279281
}
282+
} else if apierror.IsForbidden(err) && strings.Contains(err.Error(), devsessions.ErrMsgDevSessionBlockedByIAR) {
283+
return fmt.Errorf(devsessions.ErrMsgDevSessionBlockedByIAR)
280284
} else if err != nil {
281285
logger.Errorf("Failed to run/update app: %v", err)
282286
failed.Store(true)

pkg/server/registry/apigroups/acorn/devsessions/strategy.go

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,12 +6,16 @@ import (
66

77
"github.com/acorn-io/baaah/pkg/router"
88
apiv1 "github.com/acorn-io/runtime/pkg/apis/api.acorn.io/v1"
9+
"github.com/acorn-io/runtime/pkg/config"
10+
"github.com/acorn-io/runtime/pkg/profiles"
911
"github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/apps"
1012
"k8s.io/apimachinery/pkg/runtime"
1113
"k8s.io/apimachinery/pkg/util/validation/field"
1214
kclient "sigs.k8s.io/controller-runtime/pkg/client"
1315
)
1416

17+
const ErrMsgDevSessionBlockedByIAR = "ImageAllowRules active - DevSessions are being blocked"
18+
1519
type Validator struct {
1620
client kclient.Client
1721
appValidator *apps.Validator
@@ -32,6 +36,17 @@ func (v *Validator) Validate(ctx context.Context, obj runtime.Object) (result fi
3236
return
3337
}
3438

39+
iarEnabled, err := config.GetFeature(ctx, v.client, profiles.FeatureImageAllowRules)
40+
if err != nil {
41+
result = append(result, field.Invalid(field.NewPath("metadata", "name"), devSession.Name, err.Error()))
42+
return
43+
}
44+
45+
if iarEnabled {
46+
result = append(result, field.Forbidden(field.NewPath("metadata", "name"), ErrMsgDevSessionBlockedByIAR))
47+
return
48+
}
49+
3550
if devSession.Spec.Region != app.GetRegion() {
3651
if devSession.Spec.Region != "" {
3752
result = append(result, field.Invalid(field.NewPath("spec", "region"), devSession.Spec.Region,

0 commit comments

Comments
 (0)