|
|
@@ -0,0 +1,306 @@
|
|
|
+# Code Review Report
|
|
|
+
|
|
|
+**PR:** `trap-configmap-watcher`
|
|
|
+**Branch:** `jessegoodier:opencost:trap-configmap-watcher`
|
|
|
+**Comparison:** https://github.com/opencost/opencost/compare/develop...jessegoodier:opencost:trap-configmap-watcher
|
|
|
+**Reviewer:** Claude
|
|
|
+**Date:** 2026-01-21
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+## Executive Summary
|
|
|
+
|
|
|
+This PR adds proactive RBAC validation to the ConfigMap watcher component and includes comprehensive documentation on failure modes in OpenCost. The changes convert silent RBAC failures into explicit, actionable errors that help users diagnose permission issues.
|
|
|
+
|
|
|
+**Recommendation:** Approve with minor changes
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+## Files Changed
|
|
|
+
|
|
|
+| File | Change Type | Lines Added | Lines Removed |
|
|
|
+|------|-------------|-------------|---------------|
|
|
|
+| `pkg/util/watcher/configwatchers.go` | Modified | ~35 | ~2 |
|
|
|
+| `docs/AREAS_WE_SHOULD_FAIL_FAST.md` | Added | 567 | 0 |
|
|
|
+| `docs/RBAC_VALIDATION_ANALYSIS.md` | Added | 389 | 0 |
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+## Code Analysis
|
|
|
+
|
|
|
+### `pkg/util/watcher/configwatchers.go`
|
|
|
+
|
|
|
+#### Changes Overview
|
|
|
+
|
|
|
+1. **New imports:** `fmt`, `apierrors`
|
|
|
+2. **RBAC validation in `NewConfigMapWatchers()`:** Tests ConfigMap list permission at initialization
|
|
|
+3. **Enhanced error handling in `Watch()`:** Distinguishes between Forbidden, NotFound, and other errors
|
|
|
+
|
|
|
+#### Detailed Diff
|
|
|
+
|
|
|
+```go
|
|
|
+// In NewConfigMapWatchers() - NEW CODE
|
|
|
+if kubeClientset != nil {
|
|
|
+ // Validate RBAC permissions before starting the watcher
|
|
|
+ // This prevents silent failures and provides clear error messages
|
|
|
+ _, err := kubeClientset.CoreV1().ConfigMaps(namespace).List(
|
|
|
+ context.Background(),
|
|
|
+ metav1.ListOptions{Limit: 1})
|
|
|
+ if err != nil {
|
|
|
+ if apierrors.IsForbidden(err) {
|
|
|
+ panic(fmt.Sprintf(
|
|
|
+ "FATAL: Missing RBAC permissions to list ConfigMaps in namespace '%s'.\n"+
|
|
|
+ "The service account does not have the required permissions.\n"+
|
|
|
+ "Please ensure the service account has a Role/ClusterRole with "+
|
|
|
+ "'get', 'list', and 'watch' permissions for ConfigMaps.\n"+
|
|
|
+ "Error: %v",
|
|
|
+ namespace, err))
|
|
|
+ }
|
|
|
+ // For other errors (e.g., API server unreachable), log but don't panic
|
|
|
+ log.Warnf("Unable to verify ConfigMap access in namespace '%s': %v", namespace, err)
|
|
|
+ }
|
|
|
+ // ... rest of initialization
|
|
|
+}
|
|
|
+```
|
|
|
+
|
|
|
+```go
|
|
|
+// In Watch() - MODIFIED CODE
|
|
|
+for cw := range cmw.watchers {
|
|
|
+ configs, err := cmw.kubeClientset.CoreV1().ConfigMaps(cmw.namespace).Get(
|
|
|
+ context.Background(), cw, metav1.GetOptions{})
|
|
|
+ if err != nil {
|
|
|
+ if apierrors.IsForbidden(err) {
|
|
|
+ panic(fmt.Sprintf(
|
|
|
+ "FATAL: Missing RBAC permissions to access ConfigMap '%s' in namespace '%s'.\n"+
|
|
|
+ "The service account does not have the required permissions.\n"+
|
|
|
+ "Please ensure the service account has a Role/ClusterRole with "+
|
|
|
+ "'get', 'list', and 'watch' permissions for ConfigMaps.\n"+
|
|
|
+ "Error: %v",
|
|
|
+ cw, cmw.namespace, err))
|
|
|
+ }
|
|
|
+ if apierrors.IsNotFound(err) {
|
|
|
+ log.Infof("ConfigMap %s not found in namespace %s at install time, "+
|
|
|
+ "using existing configs", cw, cmw.namespace)
|
|
|
+ } else {
|
|
|
+ log.Warnf("Error accessing ConfigMap %s in namespace %s: %v",
|
|
|
+ cw, cmw.namespace, err)
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ log.Infof("Found configmap %s, watching...", configs.Name)
|
|
|
+ watchConfigFunc(configs)
|
|
|
+ }
|
|
|
+}
|
|
|
+```
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+## Evaluation
|
|
|
+
|
|
|
+### Strengths
|
|
|
+
|
|
|
+| Aspect | Assessment |
|
|
|
+|--------|------------|
|
|
|
+| **Problem identification** | Correctly identifies that silent RBAC failures cause user confusion |
|
|
|
+| **Error classification** | Properly uses `apierrors.IsForbidden()` and `apierrors.IsNotFound()` |
|
|
|
+| **Error messages** | Clear, actionable messages with namespace context and remediation steps |
|
|
|
+| **Performance** | Uses `Limit: 1` to minimize permission check overhead |
|
|
|
+| **Graceful degradation** | Only panics on permission issues; logs warnings for transient errors |
|
|
|
+
|
|
|
+### Issues Identified
|
|
|
+
|
|
|
+#### Issue 1: Code Duplication (Medium)
|
|
|
+
|
|
|
+**Description:** The same Forbidden handling pattern is repeated in both `NewConfigMapWatchers()` and `Watch()`.
|
|
|
+
|
|
|
+**Current Code:**
|
|
|
+```go
|
|
|
+// Appears twice with slight variations
|
|
|
+if apierrors.IsForbidden(err) {
|
|
|
+ panic(fmt.Sprintf(
|
|
|
+ "FATAL: Missing RBAC permissions to list ConfigMaps in namespace '%s'.\n"+
|
|
|
+ // ...
|
|
|
+ ))
|
|
|
+}
|
|
|
+```
|
|
|
+
|
|
|
+**Recommendation:** Extract into a helper function:
|
|
|
+```go
|
|
|
+func panicOnForbidden(err error, resource, namespace string) {
|
|
|
+ if apierrors.IsForbidden(err) {
|
|
|
+ log.Fatalf(
|
|
|
+ "FATAL: Missing RBAC permissions to access %s in namespace '%s'.\n"+
|
|
|
+ "The service account does not have the required permissions.\n"+
|
|
|
+ "Please ensure the service account has a Role/ClusterRole with "+
|
|
|
+ "'get', 'list', and 'watch' permissions for %s.\n"+
|
|
|
+ "Error: %v",
|
|
|
+ resource, namespace, resource, err)
|
|
|
+ }
|
|
|
+}
|
|
|
+```
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+#### Issue 2: Inconsistent Error Handling Pattern (Medium)
|
|
|
+
|
|
|
+**Description:** The PR uses `panic()` for fatal errors, but the existing codebase uses `log.Fatalf()` for similar situations.
|
|
|
+
|
|
|
+**Existing pattern in codebase (`pkg/costmodel/router.go`):**
|
|
|
+```go
|
|
|
+kubeClientset, err := kubeconfig.LoadKubeClient("")
|
|
|
+if err != nil {
|
|
|
+ log.Fatalf("Failed to build Kubernetes client: %s", err.Error())
|
|
|
+}
|
|
|
+```
|
|
|
+
|
|
|
+**New pattern in this PR:**
|
|
|
+```go
|
|
|
+panic(fmt.Sprintf("FATAL: Missing RBAC permissions..."))
|
|
|
+```
|
|
|
+
|
|
|
+**Recommendation:** Use `log.Fatalf()` for consistency:
|
|
|
+```go
|
|
|
+if apierrors.IsForbidden(err) {
|
|
|
+ log.Fatalf(
|
|
|
+ "FATAL: Missing RBAC permissions to list ConfigMaps in namespace '%s'.\n"+
|
|
|
+ "The service account does not have the required permissions.\n"+
|
|
|
+ "Please ensure the service account has a Role/ClusterRole with "+
|
|
|
+ "'get', 'list', and 'watch' permissions for ConfigMaps.\n"+
|
|
|
+ "Error: %v",
|
|
|
+ namespace, err)
|
|
|
+}
|
|
|
+```
|
|
|
+
|
|
|
+**Benefits:**
|
|
|
+- Consistent with existing fatal error handling
|
|
|
+- Proper log formatting and timestamps
|
|
|
+- Cleaner stack traces
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+#### Issue 3: Potential Double-Check Gap (Low)
|
|
|
+
|
|
|
+**Description:** The RBAC check in `NewConfigMapWatchers()` uses `List`, but `Watch()` uses `Get`. If RBAC is configured to allow `list` but not `get` (unusual but possible), the startup check would pass but `Watch()` would fail.
|
|
|
+
|
|
|
+**Recommendation:** Document that both `get` and `list` permissions are required, or add a note in the error message.
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+#### Issue 4: Missing Test Coverage (Medium)
|
|
|
+
|
|
|
+**Description:** No unit tests are visible in the diff for the new error handling paths.
|
|
|
+
|
|
|
+**Recommendation:** Add tests covering:
|
|
|
+- Forbidden error on List (should panic/fatal)
|
|
|
+- Forbidden error on Get (should panic/fatal)
|
|
|
+- NotFound error on Get (should log info, continue)
|
|
|
+- Other errors (should log warning, continue)
|
|
|
+
|
|
|
+**Example test structure:**
|
|
|
+```go
|
|
|
+func TestNewConfigMapWatchers_ForbiddenError(t *testing.T) {
|
|
|
+ // Mock client that returns Forbidden on List
|
|
|
+ // Assert that panic/fatal occurs with expected message
|
|
|
+}
|
|
|
+
|
|
|
+func TestWatch_NotFoundError(t *testing.T) {
|
|
|
+ // Mock client that returns NotFound on Get
|
|
|
+ // Assert that no panic occurs and info is logged
|
|
|
+}
|
|
|
+```
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+#### Issue 5: Runtime Permission Revocation Not Addressed (Low)
|
|
|
+
|
|
|
+**Description:** The initial check validates permissions at startup, but if permissions are revoked while OpenCost is running, the underlying `watchController` will still fail silently via the Kubernetes reflector.
|
|
|
+
|
|
|
+**Note:** This is acknowledged in the documentation but not addressed in the code. This is acceptable for the scope of this PR but should be tracked for future work.
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+## Documentation Analysis
|
|
|
+
|
|
|
+### `docs/AREAS_WE_SHOULD_FAIL_FAST.md` (567 lines)
|
|
|
+
|
|
|
+**Content:** Comprehensive analysis of areas where OpenCost should fail fast rather than continue with degraded functionality.
|
|
|
+
|
|
|
+**Strengths:**
|
|
|
+- Thorough cataloging of current behavior vs. recommended behavior
|
|
|
+- Clear priority matrix (Critical, High, Medium)
|
|
|
+- Code examples for each recommendation
|
|
|
+- Well-structured with executive summary
|
|
|
+
|
|
|
+**Concerns:**
|
|
|
+- Contains time estimates ("Week 1-2", "Week 3-4") which should be removed per project guidelines
|
|
|
+- Large scope relative to actual code changes in this PR
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+### `docs/RBAC_VALIDATION_ANALYSIS.md` (389 lines)
|
|
|
+
|
|
|
+**Content:** Detailed analysis of RBAC permission validation gaps with implementation recommendations.
|
|
|
+
|
|
|
+**Strengths:**
|
|
|
+- Identifies all 15 resource types watched by cluster cache
|
|
|
+- Proposes centralized validation helper
|
|
|
+- Includes testing strategy
|
|
|
+
|
|
|
+**Concerns:**
|
|
|
+- Describes multi-phase roadmap that extends well beyond this PR
|
|
|
+- May set unrealistic expectations for what this PR delivers
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+### Documentation Recommendations
|
|
|
+
|
|
|
+1. **Remove time estimates** from implementation roadmap sections
|
|
|
+2. **Consider moving to separate issue/design doc** - 956 lines of documentation for ~30 lines of code change may be better suited as:
|
|
|
+ - A GitHub issue tracking future work
|
|
|
+ - A design proposal document
|
|
|
+ - Content for the OpenCost website
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+## Summary Matrix
|
|
|
+
|
|
|
+| Category | Rating | Notes |
|
|
|
+|----------|--------|-------|
|
|
|
+| **Correctness** | ✅ Good | Properly detects and handles RBAC errors |
|
|
|
+| **Error Messages** | ✅ Good | Clear, actionable, includes context |
|
|
|
+| **Code Quality** | ⚠️ Fair | Some duplication; inconsistent error pattern |
|
|
|
+| **Consistency** | ⚠️ Fair | Uses `panic` instead of `log.Fatalf` |
|
|
|
+| **Test Coverage** | ❌ Missing | No tests for new error paths |
|
|
|
+| **Documentation** | ⚠️ Mixed | Thorough but possibly over-scoped |
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+## Recommended Actions
|
|
|
+
|
|
|
+### Required Before Merge
|
|
|
+
|
|
|
+1. **Replace `panic()` with `log.Fatalf()`** for consistency with existing codebase patterns
|
|
|
+
|
|
|
+### Strongly Recommended
|
|
|
+
|
|
|
+2. **Add unit tests** for the new error handling paths
|
|
|
+3. **Extract duplicate error handling** into a helper function
|
|
|
+4. **Remove time estimates** from documentation
|
|
|
+
|
|
|
+### Optional Improvements
|
|
|
+
|
|
|
+5. Consider moving large documentation files to a separate tracking issue
|
|
|
+6. Add note about `get` + `list` + `watch` all being required
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+## Conclusion
|
|
|
+
|
|
|
+This PR addresses a real user pain point: silent RBAC failures that make troubleshooting difficult. The core approach of validating permissions at startup and failing fast with clear error messages is sound.
|
|
|
+
|
|
|
+The implementation is functional but would benefit from minor refinements for consistency with the existing codebase. The documentation is comprehensive but may be better suited for a separate tracking mechanism given its scope.
|
|
|
+
|
|
|
+**Final Recommendation:** Approve with the changes noted above.
|
|
|
+
|
|
|
+---
|
|
|
+
|
|
|
+*Report generated by Claude Code Review*
|
Claude