Added docs on why we already check user access to the service/workloa…

…d pods
Razz4780 · Jan 21, 2025 · d0e4758 · d0e4758
1 parent 9f72d00
commit d0e4758
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/mirrord/kube/src/api/runtime.rs b/mirrord/kube/src/api/runtime.rs
@@ -281,6 +281,12 @@ pub trait RuntimeDataProvider {
     ) -> impl Future<Output = Result<RuntimeData>>;
 }
 
+/// Trait for resources that abstract a set of pods
+/// defined by a label selector.
+///
+/// Implementors are provided with an implementation of [`RuntimeDataProvider`].
+/// When resolving [`RuntimeData`], the set of pods is fetched and [`RuntimeData`] is extracted from
+/// the first pod on the list. If the set is empty, resolution fails.
 pub trait RuntimeDataFromLabels {
     type Resource: Resource<DynamicType = (), Scope = NamespaceResourceScope>
         + Clone

diff --git a/mirrord/operator/src/client.rs b/mirrord/operator/src/client.rs
@@ -615,6 +615,8 @@ impl OperatorApi<PreparedClientCert> {
 
             // `targetless` has no `RuntimeData`!
             if matches!(target, ResolvedTarget::Targetless(_)).not() {
+                // Extracting runtime data asserts that the user can see at least one pod from the
+                // workload/service targets.
                 let runtime_data = target
                     .runtime_data(self.client(), target.namespace())
                     .await?;