Add labels and annotations field to SubNamespace resource #19
Conversation
There was a problem hiding this comment.
I think this feature should be used with caution, because tenant users may get privileges by setting labels or annotations.
For example, PodSecurity Admission will control policies using namespace labels.
So, please write a note in the documentation like the following:
If you are using something that controls permissions by labels or annotations, such as PodSecurity Admission, an administrator should set root namespaces appropriate labels and annotations.
|
@zoetrope |
|
I understand. I prefer a simple configuration. |
|
I agree with @zoetrope. |
|
By the way, should we prioritize SubNamespace labels/annotations over parental Namespace labels/annotations if there have the same labels/annotations key? |
|
OK, let's go with the current proposal. |
Definitely not. And even if they would conflict, the parent Namespace labels/annotations win because they are propagated later on. |
There was a problem hiding this comment.
@bells17
@zoetrope and I have concluded that the current implementation is vulnerable
for sensitive labels/annotations like one for MetaLB address pools or one for
pod-security-admission policy.
As mentioned in #19 (comment) ,
we should have a separate set of label/annotation keys that SubNamespace can specify to
protect from malicious use.
Please update the design and fix the implementation.
bells17
force-pushed
the
add-labels-and-annotations-field2
branch
from
91aee10
to
8fac21a
Compare
controllers/namespace_controller.go
Outdated
| subNSHandler(ev.ObjectOld, q) | ||
| }, | ||
| DeleteFunc: func(ev event.DeleteEvent, q workqueue.RateLimitingInterface) { | ||
| subNSHandler(ev.Object, q) |
There was a problem hiding this comment.
This is not necessary, because when SubNamespace is deleted, the target Namespace will be also deleted.
| @@ -36,6 +38,8 @@ This effectively creates a namespace named NAME as a sub-namespace of NS.`, | |||
| }, | |||
| } | |||
|
|
|||
| cmd.Flags().StringToStringVar(&opts.labels, "labels", opts.labels, "the labels to be propagated to the sub-namespace") | |||
There was a problem hiding this comment.
Please add an example of the usage to the description. e.g.,
| cmd.Flags().StringToStringVar(&opts.labels, "labels", opts.labels, "the labels to be propagated to the sub-namespace") | |
| cmd.Flags().StringToStringVar(&opts.labels, "labels", opts.labels, "the labels to be propagated to the sub-namespace. Example: a=b,c=d") |
| @@ -36,6 +38,8 @@ This effectively creates a namespace named NAME as a sub-namespace of NS.`, | |||
| }, | |||
| } | |||
|
|
|||
| cmd.Flags().StringToStringVar(&opts.labels, "labels", opts.labels, "the labels to be propagated to the sub-namespace") | |||
| cmd.Flags().StringToStringVar(&opts.annotations, "annotations", opts.annotations, "the annotations to be propagated to the sub-namespace") | |||
There was a problem hiding this comment.
Please validate the labels and annotations in SubNamespace spec field.
If a SubNamespace is created with an invalid key or value, the current implementation would fall into an infinite error loop.
Use v1validation.ValidateLabels to validate labels and validatoin.ValidateAnnotations to validate annotations.
ref. https://github.com/kubernetes/apimachinery/blob/v0.22.4/pkg/api/validation/objectmeta.go#L194-L195
Also, could you update this part of the user manual for this new feature?
https://cybozu-go.github.io/accurate/subnamespaces.html#creating-a-sub-namespace
controllers/namespace_controller.go
Outdated
| @@ -92,6 +100,27 @@ func (r *NamespaceReconciler) propagateMeta(ctx context.Context, ns, parent *cor | |||
| ns.Annotations[k] = v | |||
| } | |||
| } | |||
|
|
|||
| subNS := &accuratev1.SubNamespace{} | |||
| err := r.Get(ctx, types.NamespacedName{Name: ns.Name, Namespace: parent.Name}, subNS) | |||
There was a problem hiding this comment.
At the line 347, this method is called for a template instance namespace, not a sub-namespace.
I think this should look up a SubNamespace only when ns is a sub-namespace (i.e., it has accurate.cybozu.com/parent label).
Co-authored-by: Yamamoto, Hirotaka <ymmt2005@gmail.com>
I've already updated the user manual, but should I need to make additional updates? |
My bad. I overlooked that. It's enough, thank you. |
added. |
controllers/namespace_controller.go
Outdated
| err := r.Get(ctx, types.NamespacedName{Name: ns.Name, Namespace: parent.Name}, subNS) | ||
| if err != nil && !apierrors.IsNotFound(err) { | ||
| return fmt.Errorf("failed to get sub namespace %s/%s: %w", ns.Name, parent.Name, err) | ||
| } |
There was a problem hiding this comment.
What happens if apierrors.IsNotFound(err) is true?
In that case, subNS is invalid. Although the following code would work for such invalid data,
I want to check them and skip code using subNS.
#7