Add detector and fix write access on read-only structures #11020
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aanm
added
kind/bug
|
Please set the appropriate release note label. |
3 similar comments
|
Please set the appropriate release note label. |
|
Please set the appropriate release note label. |
|
Please set the appropriate release note label. |
aanm
added
the
release-note/misc
aanm
force-pushed
the
pr/fix-concurrent-access-of-structures
branch
from
8391280
to
87c2016
Compare
|
test-me-please |
Objects should never be modified if they are stored in the internal k8s store since it's a read-only and local cache. Since we are using CNP and CCNP fields to store aggregatedSelectors we should perform a DeepCopy of CNP and CCNP before handling policies. Fixes: d84edc8 ("Remove function queues for CNP and CCNP") Signed-off-by: André Martins <andre@cilium.io>
k8s libraries provide a mechanism to detect if object handlers are modifying objects that are read only. We will enable this functionality by default in our CI to avoid these accidental writes. Signed-off-by: André Martins <andre@cilium.io>
aanm
force-pushed
the
pr/fix-concurrent-access-of-structures
branch
from
87c2016
to
406eaba
Compare
|
test-me-please |
raybejjani
approved these changes
Apr 16, 2020
There was a problem hiding this comment.
@nebril Do you know if we have another way to set the env variables? It might be nice not to mix the CI options with the "official" way to generate config but I can't think of anything better.
| @@ -89,6 +89,8 @@ func enableCNPWatcher() error { | |||
| AddFunc: func(obj interface{}) { | |||
| metrics.EventTSK8s.SetToCurrentTime() | |||
| if cnp := k8s.ObjToSlimCNP(obj); cnp != nil { | |||
|
|
|||
|
|
|||
There was a problem hiding this comment.
Was this on purpose? I'm fine with it but it might not pass gofmt? (mine usually collapses multiple newlines)
There was a problem hiding this comment.
I missed this, it is fixed now.
pchaigno
approved these changes
Apr 16, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
With the removal of the function queues in #10914 we no longer perform deep copies for all objects. Unfortunately we still need to perform DeepCopies for CCNP and CNP as they cause #11013 and similar issues to happen.
To avoid future issues like this we will enable a detection mechanism for such writes in all k8s objects received in our CI tests.
Fixes #11013