Skip to content

Propper check for unleash enabled configuration options #285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Starefossen wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Propper check for unleash enabled configuration options #285

Starefossen wants to merge 4 commits into from

Conversation

@Starefossen
Copy link
Member

@Starefossen Starefossen commented Dec 22, 2025

Prevents errors like this:

{"error":"failed to list unleash.nais.io/v1, Resource=unleashes: unleashes.unleash.nais.io is forbidden: User \"system:serviceaccount:nais-system:nais-api\" cannot list resource \"unleashes\" in API group \"unleash.nais.io\" at the cluster scope","level":"error","logger":"UnhandledError","msg":"Failed to watch","reflector":"pkg/mod/k8s.io/client-go@v0.34.3/tools/cache/reflector.go:290","time":"2025-12-22T08:41:29Z","type":"unleash.nais.io/v1, Resource=unleashes"}

@Starefossen Starefossen requested a review from a team as a code owner December 22, 2025 14:02
@thokra-nav
Copy link
Contributor

thokra-nav commented Jan 5, 2026

Den feilen skjer ved oppstart, no? Vi byttet til å gjøre discovery av config basert på tilgjengelige ressurser, fremfor å vedlikeholde en liste av booleans. Men ble kanskje ikke helt ryddet opp. Men jeg har egentlig mer lyst å finne ut av den løsningen framfor å ha det som config

@Starefossen Starefossen force-pushed the unleash-disabled-fix branch from 442dd7b to 5ada747 Compare January 8, 2026 21:02
@Starefossen
Copy link
Member Author

Starefossen commented Jan 8, 2026

Enig, @thokra-nav!

thokra-nav
thokra-nav reviewed Jan 9, 2026
View reviewed changes
internal/kubernetes/watcher/object_manager.go
Comment on lines +82 to +91

// Also verify we have permission to list the resource by doing a test list with limit=1
// This prevents errors at runtime when the informer tries to watch resources we can't access
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
_, err = c.client.Resource(*gvr).List(ctx, v1.ListOptions{Limit: 1})
if err != nil {
c.log.WithError(err).WithField("resource", gvr.String()).Warn("no permission to list resource, skipping watcher")
return nil, *gvr, fmt.Errorf("no permission to list resource: %w", err)
}
Copy link
Contributor

@thokra-nav thokra-nav Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hvorfor trenger vi dette?
Hvis det er rettigheter som er problemet, så er det fint at vi rett og slett blir spamma imho. Vi kan også fikse rettighetene uten å måtte restarte api etterpå, no?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thokra-nav thokra-nav thokra-nav left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Starefossen @thokra-nav