Rename EditorTemplate to EditorModel; serve via impersonated client#431

Merged
tamalsaha merged 1 commit into master from rename-editor-model, Jun 27, 2026

@tamalsaha

Contributor

What

Two changes to the editor.ui.k8s.appscode.com editor storage:

  1. Rename EditorTemplate → EditorModel (resource editormodels), matching "editor: rename EditorTemplate to EditorModel" (kmodules/resource-metadata#656).
  2. Impersonated client: each request is served with a controller-runtime client built from the API caller's identity (apirequest.UserFrom → rest.ImpersonationConfig). The in-cluster reads done while reconstructing the editor model (kc.Get(AppRelease) + EditorChartValueManifest) now run as the caller, so they're authorized against the caller's own RBAC instead of the server SA.

The storage still only does fast in-cluster reads from the request's chart values; the slow parts (getChart, AppRelease creation) remain in the caller (b3).

The kube-ui-server SA already has impersonate on users/groups/userextras in the chart, so no installer change is needed for impersonation.

Depends on

Related: appscode-cloud/b3#1527, kubeops/installer#494.

Rename the editor storage to EditorModel and reconstruct the editor model from
the request's chart values via editor.EditorChartValueManifest. Each request is
served with a controller-runtime client that impersonates the API caller, so the
in-cluster reads are authorized against the caller's own RBAC. The slow parts
(getChart, AppRelease creation) stay in the caller (b3). Bumps resource-metadata
to the EditorModel rename.

Signed-off-by: Tamal Saha <tamal@appscode.com>
@tamalsaha tamalsaha merged commit 967fb32 into master Jun 27, 2026
4 checks passed
@tamalsaha tamalsaha deleted the rename-editor-model branch June 27, 2026 06:22
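
What serving a request "as the caller" means on the wire, as an added Go example using only the standard library; it is not code from this pull request or from kube-ui-server. `Caller`, `asCaller` and `NewAsCaller` are hypothetical names, and the headers are the ones Kubernetes defines for user impersonation.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Caller is a hypothetical stand-in for the authenticated API caller.
type Caller struct {
	Name   string
	Groups []string
	Extra  map[string][]string
}

// asCaller sends every request with Kubernetes impersonation headers.
type asCaller struct {
	c    Caller
	next http.RoundTripper
}

// NewAsCaller fails closed: without a caller identity the request would
// otherwise go out with the server's own service-account permissions.
func NewAsCaller(c Caller, next http.RoundTripper) (http.RoundTripper, error) {
	if c.Name == "" {
		return nil, errors.New("no caller identity; refusing to fall back to server credentials")
	}
	return &asCaller{c: c, next: next}, nil
}

func (a *asCaller) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // a RoundTripper must not mutate its input
	r.Header.Set("Impersonate-User", a.c.Name)
	for _, g := range a.c.Groups {
		r.Header.Add("Impersonate-Group", g)
	}
	for k, vs := range a.c.Extra {
		for _, v := range vs {
			// Assumption: PathEscape approximates client-go's header-key escaping.
			r.Header.Add("Impersonate-Extra-"+url.PathEscape(k), v)
		}
	}
	return a.next.RoundTrip(r)
}

func main() {
	fmt.Println(NewAsCaller(Caller{}, http.DefaultTransport))
}
```

The API server honours these headers only when the authenticated sender holds the `impersonate` verb on the matching users, groups and userextras resources, which is the permission the description says the kube-ui-server SA already has.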