New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add detector and fix write access on read-only structures #11020
Conversation
Please set the appropriate release note label. |
3 similar comments
Please set the appropriate release note label. |
Please set the appropriate release note label. |
Please set the appropriate release note label. |
8391280
to
87c2016
Compare
test-me-please |
Objects should never be modified if they are stored in the internal k8s store since it's a read-only and local cache. Since we are using CNP and CCNP fields to store aggregatedSelectors we should perform a DeepCopy of CNP and CCNP before handling policies. Fixes: d84edc8 ("Remove function queues for CNP and CCNP") Signed-off-by: André Martins <andre@cilium.io>
k8s libraries provide a mechanism to detect if object handlers are modifying objects that are read only. We will enable this functionality by default in our CI to avoid these accidental writes. Signed-off-by: André Martins <andre@cilium.io>
87c2016
to
406eaba
Compare
test-me-please |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nebril Do you know if we have another way to set the env variables? It might be nice not to mix the CI options with the "official" way to generate config but I can't think of anything better.
@@ -89,6 +89,8 @@ func enableCNPWatcher() error { | |||
AddFunc: func(obj interface{}) { | |||
metrics.EventTSK8s.SetToCurrentTime() | |||
if cnp := k8s.ObjToSlimCNP(obj); cnp != nil { | |||
|
|||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was this on purpose? I'm fine with it but it might not pass gofmt? (mine usually collapses multiple newlines)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I missed this, it is fixed now.
With the removal of the function queues in #10914 we no longer perform deep copies for all objects. Unfortunately we still need to perform DeepCopies for CCNP and CNP as they cause #11013 and similar issues to happen.
To avoid future issues like this we will enable a detection mechanism for such writes in all k8s objects received in our CI tests.
Fixes #11013