Fix preview tool connection error and enforce read-only mode #7592

Merged: cheftako merged 1 commit into GoogleCloudPlatform:master from anhdle-sso:fix-7589 on Apr 15, 2026

@anhdle-sso anhdle-sso commented Apr 14, 2026

Collaborator

Description

This PR fixes a connection error in the KCC preview tool and enforces read-only access to the cluster for security.

Key Changes

  • Manager Config: Modified pkg/cli/preview/preview.go to pass i.hookKube.upstreamRestConfig to kccmanager.New. Previously, it was using an empty or invalid config in some code paths, which caused apiReader to default to localhost:80 and fail with connection refused when reading ConfigConnector resources.
  • Read-Only Transport: Implemented a custom readOnlyTransport that wraps the rest.Config transport. This ensures that any non-GET/HEAD/OPTIONS request made via this config is immediately rejected with a 403 Forbidden at the network level.
  • Isolation: Used rest.CopyConfig to create a dedicated read-only configuration, ensuring the original upstreamRESTConfig remains untouched for other components.
  • Debug Logging: Added a log line to print the host of the REST config before creating the manager to help diagnose any future connection issues.

Fixes #7589
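
The method filter described in the PR description above, as an added example that is not the PR's or the project's own code. It uses only `net/http`; the struct layout, `recordingTransport`, `probe` and the `apiserver.invalid` URL are constructed for illustration, and with client-go a wrapper like this would be attached to a copied config through the `WrapTransport` field of `rest.Config`.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// readOnlyTransport (illustrative) forwards safe methods and answers the rest with a local 403.
type readOnlyTransport struct{ next http.RoundTripper }

func (t *readOnlyTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	switch req.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return t.next.RoundTrip(req)
	}
	if req.Body != nil {
		req.Body.Close() // a RoundTripper must close the body even when it rejects
	}
	body := io.NopCloser(strings.NewReader("read-only mode: " + req.Method + " rejected"))
	return &http.Response{StatusCode: http.StatusForbidden, Body: body, Request: req}, nil
}

// recordingTransport is a constructed stand-in for the API server connection.
type recordingTransport struct{ seen []string }

func (r *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r.seen = append(r.seen, req.Method)
	return &http.Response{StatusCode: http.StatusOK, Body: io.NopCloser(strings.NewReader("ok")), Request: req}, nil
}

// probe returns the status code per method and the methods that reached upstream.
func probe(methods []string) (map[string]int, []string) {
	up, codes := &recordingTransport{}, map[string]int{}
	client := &http.Client{Transport: &readOnlyTransport{next: up}}
	for _, m := range methods {
		req, _ := http.NewRequest(m, "http://apiserver.invalid/apis/example", nil)
		if resp, err := client.Do(req); err == nil {
			codes[m] = resp.StatusCode
			resp.Body.Close()
		}
	}
	return codes, up.seen
}

func main() {
	fmt.Println(probe([]string{"GET", "POST", "PATCH", "DELETE"}))
}
```

A filter like this is a client-side guard, not an authorization boundary; binding the credentials to a read-only RBAC role keeps the same guarantee on the server side.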

justinsb previously approved these changes Apr 14, 2026

@justinsb justinsb left a comment

Collaborator

/approve
/lgtm

This change ensures that the preview tool uses a valid REST config for the manager,
resolving the 'connection refused' error on localhost:80.
It also implements a read-only transport wrapper on a copy of the config to prevent accidental mutations.

Fixes GoogleCloudPlatform#7589

@cheftako cheftako left a comment

Collaborator

Looks good.

@cheftako cheftako added this pull request to the merge queue Apr 15, 2026
@google-oss-prow google-oss-prow Bot added the lgtm label Apr 15, 2026
@google-oss-prow

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheftako, justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Merged via the queue into GoogleCloudPlatform:master with commit 1b086f7 Apr 15, 2026
169 checks passed
github-merge-queue Bot pushed a commit that referenced this pull request Apr 16, 2026
### Description
This PR unskips `TestPreview` in `pkg/cli/preview/preview_test.go`.

### Key Changes
- Removed `t.Skip("Skipping flaky test")` from `TestPreview`.

### Dependencies
This PR depends on #7592 to fix the connection error in the preview
tool.
anhdle-sso added a commit that referenced this pull request Apr 21, 2026
….149 (#7642)

Cherry pick #7592 to branch release-1.149.

This PR fixes a connection error in the KCC preview tool and enforces
read-only access to the cluster for security.

### Key Changes
- **Manager Config**: Modified `pkg/cli/preview/preview.go` to pass
`i.hookKube.upstreamRestConfig` to `kccmanager.New`. Previously, it was
using an empty or invalid config in some code paths, which caused
`apiReader` to default to `localhost:80` and fail with connection
refused when reading `ConfigConnector` resources.
- **Read-Only Transport**: Implemented a custom `readOnlyTransport` that
wraps the `rest.Config` transport. This ensures that any
non-GET/HEAD/OPTIONS request made via this config is immediately
rejected with a 403 Forbidden at the network level.
- **Isolation**: Used `rest.CopyConfig` to create a dedicated read-only
configuration, ensuring the original `upstreamRESTConfig` remains
untouched for other components.
- **Debug Logging**: Added a log line to print the host of the REST
config before creating the manager to help diagnose any future
connection issues.

Fixes #7589

Development

Successfully merging this pull request may close these issues.

Preview tool fails to read ConfigConnector due to empty restConfig
