remove the other checkselfaccess

katieperry4 · katieperry4 · commit 4c00da22b2b5 · 2026-03-25T13:17:44.000-04:00
diff --git a/packages/maas/bff/internal/integrations/kubernetes/client.go b/packages/maas/bff/internal/integrations/kubernetes/client.go
@@ -17,5 +17,4 @@ type KubernetesClientInterface interface {
 	GetNamespaces(ctx context.Context, identity *RequestIdentity) ([]corev1.Namespace, error)
 	IsClusterAdmin(identity *RequestIdentity) (bool, error)
 	GetUser(identity *RequestIdentity) (string, error)
-	CheckSelfAccess(ctx context.Context, group, resource, verb, namespace string) (bool, error)
 }
diff --git a/packages/maas/bff/internal/integrations/kubernetes/internal_k8s_client.go b/packages/maas/bff/internal/integrations/kubernetes/internal_k8s_client.go
@@ -218,30 +218,6 @@ func (kc *InternalKubernetesClient) IsClusterAdmin(identity *RequestIdentity) (b
 	return false, nil
 }
 
-func (kc *InternalKubernetesClient) CheckSelfAccess(ctx context.Context, group, resource, verb, namespace string) (bool, error) {
-	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-
-	sar := &authv1.SelfSubjectAccessReview{
-		Spec: authv1.SelfSubjectAccessReviewSpec{
-			ResourceAttributes: &authv1.ResourceAttributes{
-				Group:     group,
-				Resource:  resource,
-				Verb:      verb,
-				Namespace: namespace,
-			},
-		},
-	}
-
-	resp, err := kc.Client.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, sar, metav1.CreateOptions{})
-	if err != nil {
-		kc.Logger.Error("failed to perform access review", "error", err)
-		return false, fmt.Errorf("failed to perform access review: %w", err)
-	}
-
-	return resp.Status.Allowed, nil
-}
-
 func (kc *InternalKubernetesClient) GetUser(identity *RequestIdentity) (string, error) {
 	// On internal client, we can use the identity from request directly
 	return identity.UserID, nil
diff --git a/packages/maas/bff/internal/integrations/kubernetes/token_k8s_client.go b/packages/maas/bff/internal/integrations/kubernetes/token_k8s_client.go
@@ -55,7 +55,7 @@ func (kc *TokenKubernetesClient) IsClusterAdmin(_ *RequestIdentity) (bool, error
 }
 
 // NewTokenKubernetesClient creates a Kubernetes client using a user bearer token.
-func NewTokenKubernetesClient(token string, logger *slog.Logger) (KubernetesClientInterface, error) {
+func NewTokenKubernetesClient(token string, logger *slog.Logger) (*TokenKubernetesClient, error) {
 	baseConfig, err := helper.GetKubeconfig()
 	if err != nil {
 		logger.Error("failed to get kubeconfig", "error", err)

Original file line number	Diff line number	Diff line change
`@@ -17,5 +17,4 @@ type KubernetesClientInterface interface {`
`17`	`17`	`GetNamespaces(ctx context.Context, identity *RequestIdentity) ([]corev1.Namespace, error)`
`18`	`18`	`IsClusterAdmin(identity *RequestIdentity) (bool, error)`
`19`	`19`	`GetUser(identity *RequestIdentity) (string, error)`
`20`		`- CheckSelfAccess(ctx context.Context, group, resource, verb, namespace string) (bool, error)`
`21`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ func (kc TokenKubernetesClient) IsClusterAdmin(_ RequestIdentity) (bool, error`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`// NewTokenKubernetesClient creates a Kubernetes client using a user bearer token.`
`58`		`-func NewTokenKubernetesClient(token string, logger *slog.Logger) (KubernetesClientInterface, error) {`
	`58`	`+func NewTokenKubernetesClient(token string, logger slog.Logger) (TokenKubernetesClient, error) {`
`59`	`59`	`baseConfig, err := helper.GetKubeconfig()`
`60`	`60`	`if err != nil {`
`61`	`61`	`logger.Error("failed to get kubeconfig", "error", err)`