wip:feat(kubernetes)!: simplified Kubernetes client access for toolsets

Signed-off-by: Marc Nuri <[email protected]>

Author: manusa

pkg/kubernetes/accesscontrol.go

@@ -1,40 +1 @@
 package kubernetes
-
-import (
-	"fmt"
-
-	"k8s.io/apimachinery/pkg/runtime/schema"
-
-	"github.com/containers/kubernetes-mcp-server/pkg/config"
-)
-
-// isAllowed checks the resource is in denied list or not.
-// If it is in denied list, this function returns false.
-func isAllowed(
-	staticConfig *config.StaticConfig, // TODO: maybe just use the denied resource slice
-	gvk *schema.GroupVersionKind,
-) bool {
-	if staticConfig == nil {
-		return true
-	}
-
-	for _, val := range staticConfig.DeniedResources {
-		// If kind is empty, that means Group/Version pair is denied entirely
-		if val.Kind == "" {
-			if gvk.Group == val.Group && gvk.Version == val.Version {
-				return false
-			}
-		}
-		if gvk.Group == val.Group &&
-			gvk.Version == val.Version &&
-			gvk.Kind == val.Kind {
-			return false
-		}
-	}
-
-	return true
-}
-
-func isNotAllowedError(gvk *schema.GroupVersionKind) error {
-	return fmt.Errorf("resource not allowed: %s", gvk.String())
-}

pkg/kubernetes/accesscontrol_clientset.go

@@ -3,71 +3,106 @@ package kubernetes
 import (
 	"context"
 	"fmt"
+	"net/http"
 
-	authenticationv1api "k8s.io/api/authentication/v1"
-	authorizationv1api "k8s.io/api/authorization/v1"
+	"github.com/containers/kubernetes-mcp-server/pkg/config"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/httpstream"
 	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/discovery/cached/memory"
+	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	authenticationv1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
 	authorizationv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
 	"k8s.io/client-go/tools/remotecommand"
 	"k8s.io/metrics/pkg/apis/metrics"
 	metricsv1beta1api "k8s.io/metrics/pkg/apis/metrics/v1beta1"
 	metricsv1beta1 "k8s.io/metrics/pkg/client/clientset/versioned/typed/metrics/v1beta1"
-
-	"github.com/containers/kubernetes-mcp-server/pkg/config"
 )
 
 // AccessControlClientset is a limited clientset delegating interface to the standard kubernetes.Clientset
 // Only a limited set of functions are implemented with a single point of access to the kubernetes API where
 // apiVersion and kinds are checked for allowed access
 type AccessControlClientset struct {
-	cfg             *rest.Config
-	delegate        kubernetes.Interface
-	discoveryClient discovery.DiscoveryInterface
+	cfg *rest.Config
+	kubernetes.Interface
+	discoveryClient discovery.CachedDiscoveryInterface
+	dynamicClient   *dynamic.DynamicClient
+	restMapper      meta.ResettableRESTMapper
 	metricsV1beta1  *metricsv1beta1.MetricsV1beta1Client
-	staticConfig    *config.StaticConfig // TODO: maybe just store the denied resource slice
 }
 
-func (a *AccessControlClientset) DiscoveryClient() discovery.DiscoveryInterface {
+func NewAccessControlClientset(staticConfig *config.StaticConfig, restConfig *rest.Config) (*AccessControlClientset, error) {
+	rest.CopyConfig(restConfig)
+	acc := &AccessControlClientset{
+		cfg: rest.CopyConfig(restConfig),
+	}
+	if acc.cfg.UserAgent == "" {
+		acc.cfg.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+	acc.cfg.Wrap(func(original http.RoundTripper) http.RoundTripper {
+		return &AccessControlRoundTripper{
+			delegate:     original,
+			staticConfig: staticConfig,
+			restMapper:   acc.restMapper,
+		}
+	})
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(acc.cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create discovery client: %v", err)
+	}
+	acc.discoveryClient = memory.NewMemCacheClient(discoveryClient)
+	acc.restMapper = restmapper.NewDeferredDiscoveryRESTMapper(acc.discoveryClient)
+	acc.Interface, err = kubernetes.NewForConfig(acc.cfg)
+	if err != nil {
+		return nil, err
+	}
+	acc.dynamicClient, err = dynamic.NewForConfig(acc.cfg)
+	if err != nil {
+		return nil, err
+	}
+	acc.metricsV1beta1, err = metricsv1beta1.NewForConfig(acc.cfg)
+	if err != nil {
+		return nil, err
+	}
+	return acc, nil
+}
+
+func (a *AccessControlClientset) DiscoveryClient() discovery.CachedDiscoveryInterface {
 	return a.discoveryClient
 }
 
+func (a *AccessControlClientset) DynamicClient() dynamic.Interface {
+	return a.dynamicClient
+}
+
+func (a *AccessControlClientset) RESTMapper() meta.ResettableRESTMapper {
+	return a.restMapper
+}
+
+// Nodes returns NodeInterface
+// Deprecated: use CoreV1().Nodes() directly
 func (a *AccessControlClientset) Nodes() (corev1.NodeInterface, error) {
-	gvk := &schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Node"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
-	return a.delegate.CoreV1().Nodes(), nil
+	return a.CoreV1().Nodes(), nil
 }
 
 func (a *AccessControlClientset) NodesLogs(ctx context.Context, name string) (*rest.Request, error) {
-	gvk := &schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Node"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
-
-	if _, err := a.delegate.CoreV1().Nodes().Get(ctx, name, metav1.GetOptions{}); err != nil {
+	if _, err := a.CoreV1().Nodes().Get(ctx, name, metav1.GetOptions{}); err != nil {
 		return nil, fmt.Errorf("failed to get node %s: %w", name, err)
 	}
 
 	url := []string{"api", "v1", "nodes", name, "proxy", "logs"}
-	return a.delegate.CoreV1().RESTClient().
+	return a.CoreV1().RESTClient().
 		Get().
 		AbsPath(url...), nil
 }
 
 func (a *AccessControlClientset) NodesMetricses(ctx context.Context, name string, listOptions metav1.ListOptions) (*metrics.NodeMetricsList, error) {
-	gvk := &schema.GroupVersionKind{Group: metrics.GroupName, Version: metricsv1beta1api.SchemeGroupVersion.Version, Kind: "NodeMetrics"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
 	versionedMetrics := &metricsv1beta1api.NodeMetricsList{}
 	var err error
 	if name != "" {
@@ -87,37 +122,26 @@ func (a *AccessControlClientset) NodesMetricses(ctx context.Context, name string
 }
 
 func (a *AccessControlClientset) NodesStatsSummary(ctx context.Context, name string) (*rest.Request, error) {
-	gvk := &schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Node"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
-
-	if _, err := a.delegate.CoreV1().Nodes().Get(ctx, name, metav1.GetOptions{}); err != nil {
+	if _, err := a.CoreV1().Nodes().Get(ctx, name, metav1.GetOptions{}); err != nil {
 		return nil, fmt.Errorf("failed to get node %s: %w", name, err)
 	}
 
 	url := []string{"api", "v1", "nodes", name, "proxy", "stats", "summary"}
-	return a.delegate.CoreV1().RESTClient().
+	return a.CoreV1().RESTClient().
 		Get().
 		AbsPath(url...), nil
 }
 
+// Pods returns PodInterface
+// Deprecated: use CoreV1().Pods(namespace) directly
 func (a *AccessControlClientset) Pods(namespace string) (corev1.PodInterface, error) {
-	gvk := &schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
-	return a.delegate.CoreV1().Pods(namespace), nil
+	return a.CoreV1().Pods(namespace), nil
 }
 
 func (a *AccessControlClientset) PodsExec(namespace, name string, podExecOptions *v1.PodExecOptions) (remotecommand.Executor, error) {
-	gvk := &schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
 	// Compute URL
 	// https://github.com/kubernetes/kubectl/blob/5366de04e168bcbc11f5e340d131a9ca8b7d0df4/pkg/cmd/exec/exec.go#L382-L397
-	execRequest := a.delegate.CoreV1().RESTClient().
+	execRequest := a.CoreV1().RESTClient().
 		Post().
 		Resource("pods").
 		Namespace(namespace).
@@ -138,10 +162,6 @@ func (a *AccessControlClientset) PodsExec(namespace, name string, podExecOptions
 }
 
 func (a *AccessControlClientset) PodsMetricses(ctx context.Context, namespace, name string, listOptions metav1.ListOptions) (*metrics.PodMetricsList, error) {
-	gvk := &schema.GroupVersionKind{Group: metrics.GroupName, Version: metricsv1beta1api.SchemeGroupVersion.Version, Kind: "PodMetrics"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
 	versionedMetrics := &metricsv1beta1api.PodMetricsList{}
 	var err error
 	if name != "" {
@@ -160,45 +180,20 @@ func (a *AccessControlClientset) PodsMetricses(ctx context.Context, namespace, n
 	return convertedMetrics, metricsv1beta1api.Convert_v1beta1_PodMetricsList_To_metrics_PodMetricsList(versionedMetrics, convertedMetrics, nil)
 }
 
+// Services returns ServiceInterface
+// Deprecated: use CoreV1().Services(namespace) directly
 func (a *AccessControlClientset) Services(namespace string) (corev1.ServiceInterface, error) {
-	gvk := &schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Service"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
-	return a.delegate.CoreV1().Services(namespace), nil
+	return a.CoreV1().Services(namespace), nil
 }
 
+// SelfSubjectAccessReviews returns SelfSubjectAccessReviewInterface
+// Deprecated: use AuthorizationV1().SelfSubjectAccessReviews() directly
 func (a *AccessControlClientset) SelfSubjectAccessReviews() (authorizationv1.SelfSubjectAccessReviewInterface, error) {
-	gvk := &schema.GroupVersionKind{Group: authorizationv1api.GroupName, Version: authorizationv1api.SchemeGroupVersion.Version, Kind: "SelfSubjectAccessReview"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
-	return a.delegate.AuthorizationV1().SelfSubjectAccessReviews(), nil
+	return a.AuthorizationV1().SelfSubjectAccessReviews(), nil
 }
 
 // TokenReview returns TokenReviewInterface
+// Deprecated: use AuthenticationV1().TokenReviews() directly
 func (a *AccessControlClientset) TokenReview() (authenticationv1.TokenReviewInterface, error) {
-	gvk := &schema.GroupVersionKind{Group: authenticationv1api.GroupName, Version: authorizationv1api.SchemeGroupVersion.Version, Kind: "TokenReview"}
-	if !isAllowed(a.staticConfig, gvk) {
-		return nil, isNotAllowedError(gvk)
-	}
-	return a.delegate.AuthenticationV1().TokenReviews(), nil
-}
-
-func NewAccessControlClientset(cfg *rest.Config, staticConfig *config.StaticConfig) (*AccessControlClientset, error) {
-	clientSet, err := kubernetes.NewForConfig(cfg)
-	if err != nil {
-		return nil, err
-	}
-	metricsClient, err := metricsv1beta1.NewForConfig(cfg)
-	if err != nil {
-		return nil, err
-	}
-	return &AccessControlClientset{
-		cfg:             cfg,
-		delegate:        clientSet,
-		discoveryClient: clientSet.DiscoveryClient,
-		metricsV1beta1:  metricsClient,
-		staticConfig:    staticConfig,
-	}, nil
+	return a.AuthenticationV1().TokenReviews(), nil
 }

pkg/kubernetes/accesscontrol_round_tripper.go

@@ -27,13 +27,39 @@ func (rt *AccessControlRoundTripper) RoundTrip(req *http.Request) (*http.Respons
 	if err != nil {
 		return nil, fmt.Errorf("failed to make request: AccessControlRoundTripper failed to get kind for gvr %v: %w", gvr, err)
 	}
-	if !isAllowed(rt.staticConfig, &gvk) {
-		return nil, isNotAllowedError(&gvk)
+	if !rt.isAllowed(gvk) {
+		return nil, fmt.Errorf("resource not allowed: %s", gvk.String())
 	}
 
 	return rt.delegate.RoundTrip(req)
 }
 
+// isAllowed checks the resource is in denied list or not.
+// If it is in denied list, this function returns false.
+func (rt *AccessControlRoundTripper) isAllowed(
+	gvk schema.GroupVersionKind,
+) bool {
+	if rt.staticConfig == nil {
+		return true
+	}
+
+	for _, val := range rt.staticConfig.DeniedResources {
+		// If kind is empty, that means Group/Version pair is denied entirely
+		if val.Kind == "" {
+			if gvk.Group == val.Group && gvk.Version == val.Version {
+				return false
+			}
+		}
+		if gvk.Group == val.Group &&
+			gvk.Version == val.Version &&
+			gvk.Kind == val.Kind {
+			return false
+		}
+	}
+
+	return true
+}
+
 func parseURLToGVR(path string) (gvr schema.GroupVersionResource, ok bool) {
 	parts := strings.Split(strings.Trim(path, "/"), "/")
 

pkg/kubernetes/kubernetes.go

@@ -41,5 +41,5 @@ func (k *Kubernetes) NewHelm() *helm.Helm {
 // NewKiali returns a Kiali client initialized with the same StaticConfig and bearer token
 // as the underlying derived Kubernetes manager.
 func (k *Kubernetes) NewKiali() *kiali.Kiali {
-	return kiali.NewKiali(k.manager.staticConfig, k.manager.cfg)
+	return kiali.NewKiali(k.manager.staticConfig, k.AccessControlClientset().cfg)
 }

pkg/kubernetes/kubernetes_derived_test.go

@@ -82,10 +82,10 @@ users:
 			s.Equal(derived.manager.staticConfig, testStaticConfig, "staticConfig not properly wired to derived manager")
 
 			s.Run("RestConfig is correctly copied and sensitive fields are omitted", func() {
-				derivedCfg := derived.manager.cfg
+				derivedCfg := derived.manager.accessControlClientSet.cfg
 				s.Require().NotNil(derivedCfg, "derived config is nil")
 
-				originalCfg := testManager.cfg
+				originalCfg := testManager.accessControlClientSet.cfg
 				s.Equalf(originalCfg.Host, derivedCfg.Host, "expected Host %s, got %s", originalCfg.Host, derivedCfg.Host)
 				s.Equalf(originalCfg.APIPath, derivedCfg.APIPath, "expected APIPath %s, got %s", originalCfg.APIPath, derivedCfg.APIPath)
 				s.Equalf(originalCfg.QPS, derivedCfg.QPS, "expected QPS %f, got %f", originalCfg.QPS, derivedCfg.QPS)
@@ -122,11 +122,7 @@ users:
 			s.Run("derived manager has initialized clients", func() {
 				// Verify that the derived manager has proper clients initialized
 				s.NotNilf(derived.manager.accessControlClientSet, "expected accessControlClientSet to be initialized")
-				s.Equalf(testStaticConfig, derived.manager.accessControlClientSet.staticConfig, "staticConfig not properly wired to derived manager")
-				s.NotNilf(derived.manager.discoveryClient, "expected discoveryClient to be initialized")
-				s.NotNilf(derived.manager.restMapper, "expected accessControlRESTMapper to be initialized")
 				//s.Equalf(testStaticConfig, derived.manager.re.staticConfig, "staticConfig not properly wired to derived manager")
-				s.NotNilf(derived.manager.dynamicClient, "expected dynamicClient to be initialized")
 			})
 		})
 	})
@@ -172,7 +168,7 @@ users:
 			s.NotEqual(derived.manager, testManager, "expected new derived manager, got original manager")
 			s.Equal(derived.manager.staticConfig, testStaticConfig, "staticConfig not properly wired to derived manager")
 
-			derivedCfg := derived.manager.cfg
+			derivedCfg := derived.manager.accessControlClientSet.cfg
 			s.Require().NotNil(derivedCfg, "derived config is nil")
 
 			s.Equalf("aiTana-julIA", derivedCfg.BearerToken, "expected BearerToken %s, got %s", "aiTana-julIA", derivedCfg.BearerToken)