fix(kubernetes): run group permission when endpoint is up [EE-5427] (#10121)

* update group access when env is down * fix tests
2025-07-25 08:19:40 +02:00 · 2023-09-05 11:03:43 +12:00 · 2023-09-05 11:03:43 +12:00 · a02f9f1f07
commit a02f9f1f07
parent d75a8027a5
7 changed files with 90 additions and 3 deletions
--- a/api/http/handler/endpointgroups/endpointgroup_update.go
+++ b/api/http/handler/endpointgroups/endpointgroup_update.go
@ -7,11 +7,13 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/http/utils"
 	"github.com/portainer/portainer/api/internal/tag"
 	"github.com/portainer/portainer/pkg/featureflags"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/rs/zerolog/log"
 )

 type endpointGroupUpdatePayload struct {
@ -187,7 +189,10 @@ func (handler *Handler) updateEndpointGroup(tx dataservices.DataStoreTx, endpoin
 				if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
 					err = handler.AuthorizationService.CleanNAPWithOverridePolicies(tx, &endpoint, endpointGroup)
 					if err != nil {
-						return nil, httperror.InternalServerError("Unable to update user authorizations", err)
+						// Update flag with endpoint and continue
+						endpoint.PendingActions = utils.GetUpdatedEndpointPendingActions(&endpoint, "CleanNAPWithOverridePolicies", endpointGroup.ID)
+						err = tx.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
+						log.Warn().Err(err).Msgf("Unable to update user authorizations for endpoint (%d) and endpopint group (%d)", endpoint.ID, endpointGroup.ID)
 					}
 				}
 			}
--- a/api/http/handler/endpoints/endpoint_inspect.go
+++ b/api/http/handler/endpoints/endpoint_inspect.go
@ -4,6 +4,7 @@ import (
 	"net/http"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/utils"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
@ -78,6 +79,9 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 		}
 	}

+	// Run the pending actions
+	utils.RunPendingActions(endpoint, handler.DataStore, handler.AuthorizationService)
+
 	return response.JSON(w, endpoint)
 }

--- a/api/http/utils/pendingActions.go
+++ b/api/http/utils/pendingActions.go
@ -0,0 +1,61 @@
+package utils
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/internal/authorization"
+	"github.com/rs/zerolog/log"
+)
+
+func EndpointPendingActions(endpoint *portainer.Endpoint) *portainer.EndpointPendingActions {
+	return endpoint.PendingActions
+}
+
+func GetUpdatedEndpointPendingActions(endpoint *portainer.Endpoint, action string, value interface{}) *portainer.EndpointPendingActions {
+	if endpoint.PendingActions == nil {
+		endpoint.PendingActions = &portainer.EndpointPendingActions{}
+	}
+
+	switch action {
+	case "CleanNAPWithOverridePolicies":
+		endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups = append(endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups, value.(portainer.EndpointGroupID))
+	}
+
+	return endpoint.PendingActions
+}
+
+func RunPendingActions(endpoint *portainer.Endpoint, dataStore dataservices.DataStoreTx, authorizationService *authorization.Service) error {
+
+	if endpoint.PendingActions == nil {
+		return nil
+	}
+
+	log.Info().Msgf("Running pending actions for endpoint %d", endpoint.ID)
+
+	if endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups != nil {
+		log.Info().Int("endpoint_id", int(endpoint.ID)).Msgf("Cleaning NAP with override policies for endpoint groups %v", endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups)
+		failedEndpointGroupIDs := make([]portainer.EndpointGroupID, 0)
+		for _, endpointGroupID := range endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups {
+			endpointGroup, err := dataStore.EndpointGroup().Read(portainer.EndpointGroupID(endpointGroupID))
+			if err != nil {
+				log.Error().Err(err).Msgf("Error reading endpoint group to clean NAP with override policies for endpoint %d and endpoint group %d", endpoint.ID, endpointGroup.ID)
+				failedEndpointGroupIDs = append(failedEndpointGroupIDs, endpointGroupID)
+				continue
+			}
+			err = authorizationService.CleanNAPWithOverridePolicies(dataStore, endpoint, endpointGroup)
+			if err != nil {
+				failedEndpointGroupIDs = append(failedEndpointGroupIDs, endpointGroupID)
+				log.Error().Err(err).Msgf("Error cleaning NAP with override policies for endpoint %d and endpoint group %d", endpoint.ID, endpointGroup.ID)
+			}
+		}
+
+		endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups = failedEndpointGroupIDs
+		err := dataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+		if err != nil {
+			log.Error().Err(err).Msgf("While running pending actions, error updating endpoint %d", endpoint.ID)
+			return err
+		}
+	}
+
+	return nil
+}