adds watchListEndpointRestrictions for watchlist requests (#126996)

* endpoints/handlers/get: intro watchListEndpointRestrictions * consistencydetector/list_data_consistency_detector: expose IsDataConsistencyDetectionForListEnabled * e2e/watchlist: extract common function for adding unstructured secrets * e2e/watchlist: new e2e scenarios for convering watchListEndpointRestrict Kubernetes-commit: ae35048cb0b9b177891aab41346b6d6cc504582f
2025-08-31 06:34:50 +00:00 · 2024-09-25 11:12:01 +02:00
parent def003bc95
commit 5395fd1e28
3 changed files with 10 additions and 4 deletions
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 	google.golang.org/protobuf v1.34.2
 	gopkg.in/evanphx/json-patch.v4 v4.12.0
 	k8s.io/api v0.0.0-20240920202009-71385f038c10
-	k8s.io/apimachinery v0.0.0-20240920201701-c98a9e22228d
+	k8s.io/apimachinery v0.0.0-20240925041717-7f7bf1108918
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
--- a/go.sum
+++ b/go.sum
@@ -159,8 +159,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.0.0-20240920202009-71385f038c10 h1:shjQe98Co9zBlDzQkxb5IJEWtReSl7qunr56C4Jgc70=
 k8s.io/api v0.0.0-20240920202009-71385f038c10/go.mod h1:KCEt6+W/Yn1Vc48pYXeLf0mGK52kJhvt+rcaUVsIaKQ=
-k8s.io/apimachinery v0.0.0-20240920201701-c98a9e22228d h1:yDB+e3ReCJtthGtcZXMJAYPsekzI7oIS6U6hSDgFVRA=
-k8s.io/apimachinery v0.0.0-20240920201701-c98a9e22228d/go.mod h1:5rKPDwwN9qm//xASFCZ83nyYEanHxxhc7pZ8AC4lukY=
+k8s.io/apimachinery v0.0.0-20240925041717-7f7bf1108918 h1:ng/G1Cex08Vz3thCE0X7s2vn6eHduxFOG9khssm3dwM=
+k8s.io/apimachinery v0.0.0-20240925041717-7f7bf1108918/go.mod h1:5rKPDwwN9qm//xASFCZ83nyYEanHxxhc7pZ8AC4lukY=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2 h1:GKE9U8BH16uynoxQii0auTjmmmuZ3O0LFMN6S0lPPhI=
--- a/util/consistencydetector/list_data_consistency_detector.go
+++ b/util/consistencydetector/list_data_consistency_detector.go
@@ -32,6 +32,12 @@ func init() {
 	dataConsistencyDetectionForListFromCacheEnabled, _ = strconv.ParseBool(os.Getenv("KUBE_LIST_FROM_CACHE_INCONSISTENCY_DETECTOR"))
 }

+// IsDataConsistencyDetectionForListEnabled returns true when
+// the KUBE_LIST_FROM_CACHE_INCONSISTENCY_DETECTOR environment variable was set during a binary startup.
+func IsDataConsistencyDetectionForListEnabled() bool {
+	return dataConsistencyDetectionForListFromCacheEnabled
+}
+
 // CheckListFromCacheDataConsistencyIfRequested performs a data consistency check only when
 // the KUBE_LIST_FROM_CACHE_INCONSISTENCY_DETECTOR environment variable was set during a binary startup
 // for requests that have a high chance of being served from the watch-cache.
@@ -50,7 +56,7 @@ func init() {
 // the cache (even though this might not be true for some requests)
 // and issue the second call to get data from etcd for comparison.
 func CheckListFromCacheDataConsistencyIfRequested[T runtime.Object](ctx context.Context, identity string, listItemsFn ListFunc[T], optionsUsedToReceiveList metav1.ListOptions, receivedList runtime.Object) {
-	if !dataConsistencyDetectionForListFromCacheEnabled {
+	if !IsDataConsistencyDetectionForListEnabled() {
 		return
 	}
 	checkListFromCacheDataConsistencyIfRequestedInternal(ctx, identity, listItemsFn, optionsUsedToReceiveList, receivedList)