fix inherited APIBinding not inheriting default permission claim selector

[olamilekan000]

Summary

change fixes how permission claim selectors are inherited from parent 
APIBindings instead of always defaulting to matchAll: true when creating inherited APIBindings
in child workspaces.

What Type of PR Is This?

/kind bug

Related Issue(s)

Fixes 3779

Release Notes

Fixed Inherited APIBindings now inherit permission claim selectors from parent workspaces instead of defaulting to matchAll: true.

[olamilekan000]

/retest

[olamilekan000]

/retest

[olamilekan000]

/retest

[olamilekan000]

/retest

[olamilekan000]

/retest

[olamilekan000]

/retest

[olamilekan000]

/test

[kcp-ci-bot]

@olamilekan000: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/build-image

/test pull-kcp-build-image

/test pull-kcp-lint

/test pull-kcp-test-e2e

/test pull-kcp-test-e2e-multiple-runs

/test pull-kcp-test-e2e-sharded

/test pull-kcp-test-e2e-shared

/test pull-kcp-test-integration

/test pull-kcp-test-unit

/test pull-kcp-validate-prow-yaml

/test pull-kcp-verify

/test pull-kcp-verify-codegen

Use /test all to run the following jobs that were automatically triggered:

pull-kcp-build-image

pull-kcp-lint

pull-kcp-test-e2e

pull-kcp-test-e2e-multiple-runs

pull-kcp-test-e2e-sharded

pull-kcp-test-e2e-shared

pull-kcp-test-integration

pull-kcp-test-unit

pull-kcp-validate-prow-yaml

pull-kcp-verify

pull-kcp-verify-codegen

Details

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[olamilekan000]

/retest

[olamilekan000]

/retest

[olamilekan000]

/retest

[mjudeikis]

/retest

[mjudeikis]

I have feeling this might fail in sharded setup. Did you tested this with sharded api server?

[mjudeikis]

This will consult with local shard only. If logicalcluster lives on different shard, this should fail.

Is this not the case? We should be using fallback informers?

[olamilekan000]

I didn't test this with a shard setup but my intention here was to fetch a cluster using the path . By the way, the shard tests are passing, I guess everything's good.

[mjudeikis]

im not sure sharding tests are testing this. And if both workspaces land on the same shard, it would pass. So failure would be transiant

[mjudeikis]

I think this needs to be WithFallback to be able to resolve clusters frm other shards. If parent is located on other shard this will fail.

[olamilekan000]

What does WithFallback mean in this case?
ps: I am actually trying to carryout a manual test with a shard setup, but havn't really had time to

[mjudeikis]

Fallback takes 2 informers: the local shard and the cache server.
If the object is not found in the local shard informer, it goes to the cache server.
So cross-shard operation objects need to be replicated to the cache server so other shards can "consult" them.

[mjudeikis]

@olamilekan000 ping

[olamilekan000]

I didn't forget, but thanks for the Ping

[olamilekan000]

Can you kindly review once more @mjudeikis

[kcp-ci-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from mjudeikis. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[olamilekan000]

/retest

[olamilekan000]

/retest

[olamilekan000]

/retest

[mjudeikis]

/test all

[olamilekan000]

/retest

[olamilekan000]

/retest

[olamilekan000]

/retest

[olamilekan000]

/retest

[mjudeikis]

just a question, but lgtm

[olamilekan000]

/retest