Description
Describe the bug
kcp version: 082970b (the current main branch as of encountering this a few days ago)
I have created an APIExport that looks like this:
```yaml
apiVersion: apis.kcp.io/v1alpha2
kind: APIExport
metadata:
  name: test.xrstf.de
spec:
  resources:
    - name: things
      group: test.xrstf.de
      schema: v2.things.test.xrstf.de
      storage:
        crd: {}
  permissionClaims:
    - group: ""
      resource: "secrets"
      verbs: ["*"]
```
I now create a new workspace, root:consumer, and in there I bind to this APIExport, giving it matchAll permissions to Secrets, i.e. the APIExport virtual workspace should expose all Secrets in root:consumer.
```yaml
apiVersion: apis.kcp.io/v1alpha2
kind: APIBinding
metadata:
  name: test.xrstf.de
spec:
  reference:
    export:
      name: test.xrstf.de
      path: root
  permissionClaims:
    - group: ""
      resource: "secrets"
      verbs: ["*"]
      selector:
        matchAll: true
      state: Accepted
```
Now I create a Secret in my workspace and I can observe that kcp adds a claimed... label to it, with a hash of the permission claim. I can then also observe that I can see the secret when talking to https://192.168.178.62:6443/services/apiexport/root/test.xrstf.de/clusters/* and doing k get secrets -A.
Now I change my mind and change the claim in my Binding to require a label:
```yaml
apiVersion: apis.kcp.io/v1alpha2
kind: APIBinding
metadata:
  name: test.xrstf.de
spec:
  reference:
    export:
      name: test.xrstf.de
      path: root
  permissionClaims:
    - group: ""
      resource: "secrets"
      verbs: ["*"]
      selector:
        matchLabels:
          foo: bar
      state: Accepted
```
However, after saving this change, kcp does not immediately update my Secret's label, and so I am still able to see it. I waited what felt like maybe 2-3 minutes, but nothing happened. When I restarted kcp, the label was updated.
Steps To Reproduce
See above.
Expected Behaviour
The label should be updated in a reasonable timeframe, let's say under 15 seconds.
Additional Context
No response
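An added example, not part of the original issue and not kcp's own code: a check that lists Secrets still carrying a claim label although no accepted claim selector in the APIBinding matches them any more. The label prefix is a placeholder because the issue only shows the key as "claimed...", and the objects are constructed samples shaped like the JSON form of the manifests above.

```python
# Audit for Secrets that stay exposed through a stale claim label.
# CLAIM_LABEL_PREFIX is a placeholder (assumption): the issue elides the real key.
CLAIM_LABEL_PREFIX = "claimed.example/"


def selector_matches(selector, labels):
    """Evaluate the two selector forms used in the issue: matchAll and matchLabels."""
    if selector.get("matchAll"):
        return True
    wanted = selector.get("matchLabels")
    if not wanted:
        return False  # fail closed on an empty or unsupported selector
    return all(labels.get(k) == v for k, v in wanted.items())


def accepted_secret_selectors(binding):
    """Selectors of the accepted core-group 'secrets' claims in an APIBinding."""
    return [c.get("selector", {})
            for c in binding["spec"].get("permissionClaims", [])
            if c.get("state") == "Accepted"
            and c.get("group") == "" and c.get("resource") == "secrets"]


def stale_claimed_secrets(binding, secrets):
    """Names of Secrets that carry a claim label but match no accepted selector."""
    selectors = accepted_secret_selectors(binding)
    stale = []
    for s in secrets:
        labels = s["metadata"].get("labels") or {}
        claimed = any(k.startswith(CLAIM_LABEL_PREFIX) for k in labels)
        if claimed and not any(selector_matches(sel, labels) for sel in selectors):
            stale.append(s["metadata"]["name"])
    return stale


# Constructed sample data mirroring the narrowed binding from the issue.
BINDING = {"spec": {"permissionClaims": [{
    "group": "", "resource": "secrets", "verbs": ["*"],
    "selector": {"matchLabels": {"foo": "bar"}}, "state": "Accepted"}]}}
SECRETS = [
    {"metadata": {"name": "old", "labels": {CLAIM_LABEL_PREFIX + "HASH": ""}}},
    {"metadata": {"name": "ok",
                  "labels": {"foo": "bar", CLAIM_LABEL_PREFIX + "HASH": ""}}},
    {"metadata": {"name": "unclaimed", "labels": {"foo": "baz"}}},
]

if __name__ == "__main__":
    print(stale_claimed_secrets(BINDING, SECRETS))
```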