Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mismatch between OpenShift API spec and client APIs breaks SecurityContextConstraints #170

Closed
ceridwen opened this issue May 10, 2018 · 2 comments
Closed

Mismatch between OpenShift API spec and client APIs breaks SecurityContextConstraints #170

ceridwen opened this issue May 10, 2018 · 2 comments
Labels
triage/unresolved Indicates an issue that can not or will not be resolved.

Comments

@ceridwen
Copy link
Contributor

When you query the OpenShift API server, it claims that the SecurityContextConstraints resource is available on the CoreV1Api object.

>>> {r.kind for r in kubernetes.client.apis.core_v1_api.CoreV1Api().get_api_resources().resources}
{'Event', 'Scale', 'Service', 'ConfigMap', 'Eviction', 'SecurityContextConstraints', 'Namespace', 'Node', 'PodTemplate', 'Binding', 'ComponentStatus', 'PersistentVolume', 'LimitRange', 'PersistentVolumeClaim', 'ResourceQuota', 'Secret', 'Endpoints', 'ServiceAccount', 'ReplicationController', 'Pod'}

This is true for the OpenShift API server itself, since you can post a REST request against /api/v1/securitycontextconstraints and get something back. It is not true, of course, for this client, because CoreV1API is a Kubernetes client class that doesn't know about OpenShift resources. I've been discovering APIs by looking at the return values of get_api_resources() and other methods that ultimately depend on the API server but don't reflect what methods are available on the clients or where they're available.

Similarly, the documentation shows the security_context_constraints methods on the CoreV1Api object, but the links are dead.
@ceridwen ceridwen changed the title Mismatch between OpenShift API spec and client APIs Mismatch between OpenShift API spec and client APIs breaks SecurityContextConstraints May 11, 2018
@ceridwen
Copy link
Contributor Author

I thought that it would be possible to avoid the problems with the CoreV1Api and SecurityContextConstraints by using the security.openshift.io/v1 group, but I was wrong:

 Traceback (most recent call last):
  File "~/Library/Python/3.6/lib/python/site-packages/openshift/client/api_client.py", line 16, in _ApiClient__deserialize
    return super(ApiClient, self).__deserialize(data, klass)
  File "~/Library/Python/3.6/lib/python/site-packages/kubernetes/client/api_client.py", line 265, in __deserialize
    klass = getattr(models, klass)
AttributeError: module 'kubernetes.client.models' has no attribute 'V1SecurityContextConstraintsList'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "~/Library/Python/3.6/lib/python/site-packages/openshift/client/api_client.py", line 16, in _ApiClient__deserialize
    return super(ApiClient, self).__deserialize(data, klass)
  File "~/Library/Python/3.6/lib/python/site-packages/kubernetes/client/api_client.py", line 265, in __deserialize
    klass = getattr(models, klass)
AttributeError: module 'kubernetes.client.models' has no attribute 'V1SecurityContextConstraints'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "~/test_automation/test_automation/resources.py", line 170, in list
    cls.__name__, 'list', **kws).items
  File "~/test_automation/test_automation/kubernetes_.py", line 429, in api_call
    for k, v in kws.items() if v is not None})
  File "~/Library/Python/3.6/lib/python/site-packages/openshift/client/apis/security_openshift_io_v1_api.py", line 1117, in list_security_context_constraints
    (data) = self.list_security_context_constraints_with_http_info(**kwargs)
  File "~/Library/Python/3.6/lib/python/site-packages/openshift/client/apis/security_openshift_io_v1_api.py", line 1214, in list_security_context_constraints_with_http_info
    collection_formats=collection_formats)
  File "~/Library/Python/3.6/lib/python/site-packages/kubernetes/client/api_client.py", line 321, in call_api
    _return_http_data_only, collection_formats, _preload_content, _request_timeout)
  File "~/Library/Python/3.6/lib/python/site-packages/kubernetes/client/api_client.py", line 163, in __call_api
    return_data = self.deserialize(response_data, response_type)
  File "~/Library/Python/3.6/lib/python/site-packages/kubernetes/client/api_client.py", line 236, in deserialize
    return self.__deserialize(data, response_type)
  File "~/Library/Python/3.6/lib/python/site-packages/openshift/client/api_client.py", line 22, in _ApiClient__deserialize
    return super(ApiClient, self).__deserialize_model(data, klass)
  File "~/Library/Python/3.6/lib/python/site-packages/kubernetes/client/api_client.py", line 620, in __deserialize_model
    kwargs[attr] = self.__deserialize(value, attr_type)
  File "~/Library/Python/3.6/lib/python/site-packages/openshift/client/api_client.py", line 16, in _ApiClient__deserialize
    return super(ApiClient, self).__deserialize(data, klass)
  File "~/Library/Python/3.6/lib/python/site-packages/kubernetes/client/api_client.py", line 254, in __deserialize
    for sub_data in data]
  File "~/Library/Python/3.6/lib/python/site-packages/kubernetes/client/api_client.py", line 254, in <listcomp>
    for sub_data in data]
  File "~/Library/Python/3.6/lib/python/site-packages/openshift/client/api_client.py", line 22, in _ApiClient__deserialize
    return super(ApiClient, self).__deserialize_model(data, klass)
  File "~/Library/Python/3.6/lib/python/site-packages/kubernetes/client/api_client.py", line 622, in __deserialize_model
    instance = klass(**kwargs)
  File "~/Library/Python/3.6/lib/python/site-packages/openshift/client/models/v1_security_context_constraints.py", line 122, in __init__
    self.allowed_flex_volumes = allowed_flex_volumes
  File "~/Library/Python/3.6/lib/python/site-packages/openshift/client/models/v1_security_context_constraints.py", line 345, in allowed_flex_volumes
    raise ValueError("Invalid value for `allowed_flex_volumes`, must not be `None`")
ValueError: Invalid value for `allowed_flex_volumes`, must not be `None`

The last part is one of the deserialization problems from #52, but this one is at least in the OpenShift client so theoretically you can fix it. It's unclear to me if the failed lookups on kubernetes.client.models are part of the problem or not.

@djzager
Copy link
Member

djzager commented Jun 11, 2018

Yeah. This, unfortunately, is not unique. If you have a look at the script we use to generate the openshift client (https://github.com/openshift/openshift-restclient-python/blob/master/scripts/update-client.sh#L97) you'll see a couple of the others that we have come across. This is a class of issue where the generated client is actually too strict when compared to the k8s/openshift api server.

I would encourage you to use the dynamic client, mentioned here (https://github.com/openshift/openshift-restclient-python/#dynamic-client-usage) and see if that solves your problem. Since the dynamic client talks directly to the api server, I expect it will.

@djzager djzager added the triage/unresolved Indicates an issue that can not or will not be resolved. label Jun 11, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage/unresolved Indicates an issue that can not or will not be resolved.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@djzager @fabianvf @ceridwen