Add labels and annotations field to SubNamespace resource #19
I think this feature should be used with caution, because tenant users may gain privileges by setting labels or annotations.
For example, PodSecurity Admission controls policies using namespace labels.
So, please write a note in the documentation like the following:
If you are using something that controls permissions by labels or annotations, such as PodSecurity Admission, an administrator should set appropriate labels and annotations on root namespaces.
@zoetrope
I understand. I prefer a simple configuration.
I agree with @zoetrope.
By the way, should we prioritize SubNamespace labels/annotations over parent Namespace labels/annotations if they have the same labels/annotations key?
OK, let's go with the current proposal.
Definitely not. And even if they conflicted, the parent Namespace labels/annotations would win because they are propagated later on.
Please add a section for this feature to the user manual, too.
approving, but could you add a section to the user manual for this feature?
@bells17
@bells17
@zoetrope and I have concluded that the current implementation is vulnerable for sensitive labels/annotations like the one for MetalLB address pools or the one for pod-security-admission policy.
As mentioned in #19 (comment), we should have a separate set of label/annotation keys that SubNamespace can specify, to protect against malicious use.
Please update the design and fix the implementation.
91aee10 to 8fac21a
controllers/namespace_controller.go
Outdated
subNSHandler(ev.ObjectOld, q) | ||
}, | ||
DeleteFunc: func(ev event.DeleteEvent, q workqueue.RateLimitingInterface) { | ||
subNSHandler(ev.Object, q) |
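Review bot: The DeleteFunc handler enqueues a reconcile for a SubNamespace that is already gone; if, as the thread states, deleting a SubNamespace also deletes its target Namespace, every reconcile it triggers can only end in NotFound, so either drop the DeleteFunc or add a comment explaining what a delete-time reconcile is expected to clean up.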
This is not necessary, because when SubNamespace is deleted, the target Namespace will be also deleted.
I read the code.
I think the following spec is fine.
- SubNamespace spec.labels/spec.annotations are now propagated to descendant namespaces.
- SubNamespace spec.labels/spec.annotations values are preferred over parent namespace labels/annotations values.
LGTM
@@ -36,6 +38,8 @@ This effectively creates a namespace named NAME as a sub-namespace of NS.`, | |||
}, | |||
} | |||
|
|||
cmd.Flags().StringToStringVar(&opts.labels, "labels", opts.labels, "the labels to be propagated to the sub-namespace") |
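Review bot: The `--labels` help text does not tell the user the value format that StringToStringVar parses (comma-separated key=value pairs); append an example such as `Example: a=b,c=d` to the description so the flag is usable without reading the source.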
Please add an example of the usage to the description. e.g.,
cmd.Flags().StringToStringVar(&opts.labels, "labels", opts.labels, "the labels to be propagated to the sub-namespace") | |
cmd.Flags().StringToStringVar(&opts.labels, "labels", opts.labels, "the labels to be propagated to the sub-namespace. Example: a=b,c=d") |
added.
@@ -36,6 +38,8 @@ This effectively creates a namespace named NAME as a sub-namespace of NS.`, | |||
}, | |||
} | |||
|
|||
cmd.Flags().StringToStringVar(&opts.labels, "labels", opts.labels, "the labels to be propagated to the sub-namespace") | |||
cmd.Flags().StringToStringVar(&opts.annotations, "annotations", opts.annotations, "the annotations to be propagated to the sub-namespace") |
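Review bot: The `--annotations` description has the same gap as `--labels` directly above it: it names no value format, so add an `Example: a=b,c=d` suffix here too and keep the two descriptions parallel.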
Likewise
added.
Please validate the labels and annotations in the SubNamespace spec field.
If a SubNamespace is created with an invalid key or value, the current implementation would fall into an infinite error loop.
Use v1validation.ValidateLabels to validate labels and validation.ValidateAnnotations to validate annotations.
ref. https://github.com/kubernetes/apimachinery/blob/v0.22.4/pkg/api/validation/objectmeta.go#L194-L195
Also, could you update this part of the user manual for this new feature?
https://cybozu-go.github.io/accurate/subnamespaces.html#creating-a-sub-namespace
controllers/namespace_controller.go
Outdated
@@ -92,6 +100,27 @@ func (r *NamespaceReconciler) propagateMeta(ctx context.Context, ns, parent *cor | |||
ns.Annotations[k] = v | |||
} | |||
} | |||
|
|||
subNS := &accuratev1.SubNamespace{} | |||
err := r.Get(ctx, types.NamespacedName{Name: ns.Name, Namespace: parent.Name}, subNS) |
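Review bot: This Get runs for every namespace handed to propagateMeta, yet the hunk header shows the function serves any ns/parent pair, including namespaces that are not sub-namespaces; guard the lookup with a check that ns carries the accurate.cybozu.com/parent label so a template-instance namespace never triggers a SubNamespace lookup with a name that can only fail.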
At line 347, this method is called for a template instance namespace, not a sub-namespace.
I think this should look up a SubNamespace only when ns is a sub-namespace (i.e., it has the accurate.cybozu.com/parent label).
fixed.
Co-authored-by: Yamamoto, Hirotaka <ymmt2005@gmail.com>
I've already updated the user manual, but should I need to make additional updates?
My bad. I overlooked that. It's enough, thank you.
added.
controllers/namespace_controller.go
Outdated
err := r.Get(ctx, types.NamespacedName{Name: ns.Name, Namespace: parent.Name}, subNS) | ||
if err != nil && !apierrors.IsNotFound(err) { | ||
return fmt.Errorf("failed to get sub namespace %s/%s: %w", ns.Name, parent.Name, err) | ||
} |
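Review bot: When apierrors.IsNotFound(err) is true the error is swallowed but subNS is left as the empty struct from the line above, and the code that follows keeps using it; return (or skip the SubNamespace overlay) on NotFound instead of proceeding with an empty object. Also, the error message prints `ns.Name, parent.Name` while the key is `Namespace: parent.Name, Name: ns.Name`, so the `%s/%s` reads name/namespace rather than the usual namespace/name; swap the arguments.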
What happens if apierrors.IsNotFound(err) is true?
In that case, subNS is invalid. Although the following code would work for such invalid data, I want to check it and skip the code using subNS.
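The three review points above (an allow-list of keys a SubNamespace may set, syntactic validation so a bad key or value is rejected up front instead of looping in the reconciler, and a propagation step that looks up the SubNamespace only for real sub-namespaces and skips the overlay on NotFound) can be shown together in one small Go program. This is an added illustration written for this page, not code from the accurate project. It assumes: trimmed `Namespace`/`SubNamespace` structs instead of the corev1/accuratev1 types, a `lookup` callback standing in for `client.Get` with `ErrNotFound` playing the role of `apierrors.IsNotFound`, an allow-list shape where an entry ending in `/` permits every key under that prefix, and regex-based key/value checks modelled on the Kubernetes qualified-name rules; production code should call `v1validation.ValidateLabels` and `validation.ValidateAnnotations` from apimachinery as the reviewer asks. The overlay order follows the final spec in the thread (SubNamespace values win over the parent's).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ParentLabel marks a namespace as a sub-namespace (key named in the review thread).
const ParentLabel = "accurate.cybozu.com/parent"

// Assumption: regexes modelled on the Kubernetes qualified-name / label-value rules.
// They are an illustrative stand-in for apimachinery's validation functions.
var (
	qualifiedName = regexp.MustCompile(`^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$`)
	dnsSubdomain  = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
	labelValue    = regexp.MustCompile(`^([A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?)?$`)
)

const totalAnnotationSizeLimit = 256 * 1024

// validateKey checks an "optional-prefix/name" label or annotation key.
func validateKey(key string) error {
	parts := strings.Split(key, "/")
	var prefix, name string
	switch len(parts) {
	case 1:
		name = parts[0]
	case 2:
		prefix, name = parts[0], parts[1]
		if prefix == "" || len(prefix) > 253 || !dnsSubdomain.MatchString(prefix) {
			return fmt.Errorf("key %q: invalid prefix", key)
		}
	default:
		return fmt.Errorf("key %q: more than one '/'", key)
	}
	if len(name) > 63 || !qualifiedName.MatchString(name) {
		return fmt.Errorf("key %q: invalid name", key)
	}
	return nil
}

// isAllowed is the "separate set of keys" from the review: an entry ending in "/"
// permits every key under that prefix; any other entry must match exactly (assumed shape).
func isAllowed(key string, allowed []string) bool {
	for _, a := range allowed {
		if (strings.HasSuffix(a, "/") && strings.HasPrefix(key, a)) || key == a {
			return true
		}
	}
	return false
}

// ValidateSubNamespaceMeta rejects keys outside the allow-list and malformed keys/values,
// so a bad SubNamespace is refused at admission instead of sending the reconciler into a loop.
func ValidateSubNamespaceMeta(labels, annotations map[string]string, allowed []string) []error {
	var errs []error
	for k, v := range labels {
		if !isAllowed(k, allowed) {
			errs = append(errs, fmt.Errorf("label %q may not be set by a SubNamespace", k))
			continue
		}
		if err := validateKey(k); err != nil {
			errs = append(errs, fmt.Errorf("label %w", err))
		}
		if len(v) > 63 || !labelValue.MatchString(v) {
			errs = append(errs, fmt.Errorf("label %q: invalid value %q", k, v))
		}
	}
	total := 0
	for k, v := range annotations {
		total += len(k) + len(v)
		if !isAllowed(k, allowed) {
			errs = append(errs, fmt.Errorf("annotation %q may not be set by a SubNamespace", k))
			continue
		}
		if err := validateKey(k); err != nil {
			errs = append(errs, fmt.Errorf("annotation %w", err))
		}
	}
	if total > totalAnnotationSizeLimit {
		errs = append(errs, fmt.Errorf("annotations exceed %d bytes", totalAnnotationSizeLimit))
	}
	return errs
}

// Namespace and SubNamespace are trimmed stand-ins for the corev1/accuratev1 types.
type Namespace struct {
	Name                string
	Labels, Annotations map[string]string
}
type SubNamespace struct{ Labels, Annotations map[string]string }

// ErrNotFound plays the role of an apierrors.IsNotFound result; lookup stands in for client.Get.
var ErrNotFound = errors.New("not found")

// PropagateMeta copies the parent's entries onto ns (all keys but the parent marker here;
// accurate propagates only configured keys), then, only when ns is a sub-namespace,
// overlays the SubNamespace's own entries so they win. NotFound skips the overlay.
func PropagateMeta(ns, parent *Namespace, lookup func(name, namespace string) (*SubNamespace, error)) error {
	if ns.Labels == nil {
		ns.Labels = map[string]string{}
	}
	if ns.Annotations == nil {
		ns.Annotations = map[string]string{}
	}
	_, isSub := ns.Labels[ParentLabel]
	for k, v := range parent.Labels {
		if k != ParentLabel {
			ns.Labels[k] = v
		}
	}
	for k, v := range parent.Annotations {
		ns.Annotations[k] = v
	}
	if !isSub {
		return nil // template instance namespace: there is no SubNamespace to consult
	}
	subNS, err := lookup(ns.Name, parent.Name)
	if errors.Is(err, ErrNotFound) {
		return nil // skip the overlay rather than use an empty object
	}
	if err != nil {
		return fmt.Errorf("failed to get sub namespace %s/%s: %w", parent.Name, ns.Name, err)
	}
	for k, v := range subNS.Labels {
		ns.Labels[k] = v
	}
	for k, v := range subNS.Annotations {
		ns.Annotations[k] = v
	}
	return nil
}

func main() {
	// Constructed sample: a tenant tries to set a PodSecurity label the allow-list does not cover.
	allowed := []string{"team.example.com/", "tier"}
	errs := ValidateSubNamespaceMeta(map[string]string{"pod-security.kubernetes.io/enforce": "privileged"}, nil, allowed)
	fmt.Println(errs)
}
```

Running the program prints the single allow-list rejection for the PodSecurity label; the test below also exercises the malformed-value, malformed-key, NotFound and template-instance paths.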
LGTM
#7