WIP: debug

haircommander · haircommander · commit 48ecf3ca3836 · 2025-03-06T13:13:43.000-05:00
Signed-off-by: Peter Hunt &lt;pehunt@redhat.com&gt;
diff --git a/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go b/openshift-kube-apiserver/authorization/minimumkubeletversion/minimum_kubelet_version.go
@@ -47,6 +47,7 @@ func NewMinimumKubeletVersion(minVersion *semver.Version,
 
 func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
 	if m.minVersion == nil {
+		klog.Infof("XXXXXXXX not enabled %v", attrs.GetUser())
 		return authorizer.DecisionNoOpinion, "", nil
 	}
 
@@ -57,34 +58,42 @@ func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authori
 		switch requestResource {
 		case api.Resource("nodes"):
 			if v := attrs.GetVerb(); v == "get" || v == "update" {
+				klog.Infof("XXXXXXXX nodes %v", attrs.GetUser())
 				return authorizer.DecisionNoOpinion, "", nil
 			}
 		case authorizationv1.Resource("subjectaccessreviews"):
+			klog.Infof("XXXXXXXX SAR %v", attrs.GetUser())
 			return authorizer.DecisionNoOpinion, "", nil
 		}
 	}
 
 	nodeName, isNode := m.nodeIdentifier.NodeIdentity(attrs.GetUser())
 	if !isNode {
+		klog.Infof("XXXXXXXX not a node %v", attrs.GetUser())
 		// ignore requests from non-nodes
 		return authorizer.DecisionNoOpinion, "", nil
 	}
 
 	if !m.hasNodeInformerSyncedFn() {
+		klog.Infof("XXXXXXXX not synced %v", attrs.GetUser())
 		return authorizer.DecisionDeny, "", fmt.Errorf("node informer not synced, cannot check if node %s is new enough", nodeName)
 	}
 
 	node, err := m.nodeLister.Get(nodeName)
 	if err != nil {
+		klog.Infof("XXXXXXXX failed to get %v", attrs.GetUser())
 		return authorizer.DecisionDeny, "", err
 	}
 
 	if err := nodelib.IsNodeTooOld(node, m.minVersion); err != nil {
 		if errors.Is(err, nodelib.ErrKubeletOutdated) {
+			klog.Infof("XXXXXXXX outdated %v", attrs.GetUser())
 			return authorizer.DecisionDeny, err.Error(), nil
 		}
+		klog.Infof("XXXXXXXX other err %v", attrs.GetUser())
 		return authorizer.DecisionDeny, "", err
 	}
 
+	klog.Infof("XXXXXXXX success %v", attrs.GetUser())
 	return authorizer.DecisionNoOpinion, "", nil
 }

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ func NewMinimumKubeletVersion(minVersion *semver.Version,`
`47`	`47`
`48`	`48`	`func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {`
`49`	`49`	`if m.minVersion == nil {`
	`50`	`+ klog.Infof("XXXXXXXX not enabled %v", attrs.GetUser())`
`50`	`51`	`return authorizer.DecisionNoOpinion, "", nil`
`51`	`52`	`}`
`52`	`53`
`@@ -57,34 +58,42 @@ func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authori`
`57`	`58`	`switch requestResource {`
`58`	`59`	`case api.Resource("nodes"):`
`59`	`60`	`if v := attrs.GetVerb(); v == "get" \|\| v == "update" {`
	`61`	`+ klog.Infof("XXXXXXXX nodes %v", attrs.GetUser())`
`60`	`62`	`return authorizer.DecisionNoOpinion, "", nil`
`61`	`63`	`}`
`62`	`64`	`case authorizationv1.Resource("subjectaccessreviews"):`
	`65`	`+ klog.Infof("XXXXXXXX SAR %v", attrs.GetUser())`
`63`	`66`	`return authorizer.DecisionNoOpinion, "", nil`
`64`	`67`	`}`
`65`	`68`	`}`
`66`	`69`
`67`	`70`	`nodeName, isNode := m.nodeIdentifier.NodeIdentity(attrs.GetUser())`
`68`	`71`	`if !isNode {`
	`72`	`+ klog.Infof("XXXXXXXX not a node %v", attrs.GetUser())`
`69`	`73`	`// ignore requests from non-nodes`
`70`	`74`	`return authorizer.DecisionNoOpinion, "", nil`
`71`	`75`	`}`
`72`	`76`
`73`	`77`	`if !m.hasNodeInformerSyncedFn() {`
	`78`	`+ klog.Infof("XXXXXXXX not synced %v", attrs.GetUser())`
`74`	`79`	`return authorizer.DecisionDeny, "", fmt.Errorf("node informer not synced, cannot check if node %s is new enough", nodeName)`
`75`	`80`	`}`
`76`	`81`
`77`	`82`	`node, err := m.nodeLister.Get(nodeName)`
`78`	`83`	`if err != nil {`
	`84`	`+ klog.Infof("XXXXXXXX failed to get %v", attrs.GetUser())`
`79`	`85`	`return authorizer.DecisionDeny, "", err`
`80`	`86`	`}`
`81`	`87`
`82`	`88`	`if err := nodelib.IsNodeTooOld(node, m.minVersion); err != nil {`
`83`	`89`	`if errors.Is(err, nodelib.ErrKubeletOutdated) {`
	`90`	`+ klog.Infof("XXXXXXXX outdated %v", attrs.GetUser())`
`84`	`91`	`return authorizer.DecisionDeny, err.Error(), nil`
`85`	`92`	`}`
	`93`	`+ klog.Infof("XXXXXXXX other err %v", attrs.GetUser())`
`86`	`94`	`return authorizer.DecisionDeny, "", err`
`87`	`95`	`}`
`88`	`96`
	`97`	`+ klog.Infof("XXXXXXXX success %v", attrs.GetUser())`
`89`	`98`	`return authorizer.DecisionNoOpinion, "", nil`
`90`	`99`	`}`