🐛 Further deduplication of RBAC rules #620
Conversation
Don't fail 5 times when failing, and don't chdir.
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @Porges. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Porges The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
| } | ||
|
|
||
| func Test_SubsumesIsReflexive(t *testing.T) { | ||
| g := gomega.NewWithT(t) |
There was a problem hiding this comment.
use some kind of property testing for this and following test?
There was a problem hiding this comment.
What do you mean with property testing?
There was a problem hiding this comment.
See updated tests; in this case using the testing/quick package. We generate arbitrary Rules and then make assertions about them.
| // +kubebuilder:rbac:groups=batch,resources=jobs/status,verbs=watch;watch | ||
| // +kubebuilder:rbac:groups=art,resources=jobs,verbs=get,namespace=park | ||
| // +kubebuilder:rbac:groups=batch.io,resources=cronjobs,resourceNames=foo;bar;baz,verbs=get;watch | ||
| // +kubebuilder:rbac:groups=batch.io,resources=cronjobs2,resourceNames=foo;bar;baz,verbs=get;watch |
There was a problem hiding this comment.
renamed to cronjobs2 or else it is subsumed by the kubebuilder:rbac:groups=batch.io,resources=cronjobs,verbs=get;watch;create line.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten it's not rotten, it's floundering |
k8s-ci-robot
removed
the
lifecycle/rotten
| result := []*NormalizedRule{it} | ||
| for _, d := range dest { | ||
| result = insertRule(result, d) | ||
| } |
There was a problem hiding this comment.
Shouldn't this omit "other"?
There was a problem hiding this comment.
It could, but since it.Subsumes(other) and we start the new list with it being contained, then other will be omitted by the previous check above. Explicitly skipping it makes the code a bit messier.
There was a problem hiding this comment.
What you are doing here is both harder to read and less eficient than:
func remove(s []int, i int) []int {
s[i] = s[len(s)-1]
return s[:len(s)-1]
}
return append(remove(dest, idx), it)
There was a problem hiding this comment.
@alvaroaleman that doesn’t result in the quite same outcome; if Rule X is superset of Rule Y in the list, it could also be a superset of Rule Z (and others), so we still need to go through and check the remainder of the list.
| } | ||
|
|
||
| func Test_SubsumesIsReflexive(t *testing.T) { | ||
| g := gomega.NewWithT(t) |
There was a problem hiding this comment.
What do you mean with property testing?
k8s-ci-robot
removed
the
size/XL
k8s-ci-robot
added
the
size/L
k8s-ci-robot
added
size/XL
alvaroaleman
left a comment
alvaroaleman
left a comment
There was a problem hiding this comment.
Hi @Porges
Thanks for submitting this change. There are a couple of issues with it IMHO, most notably that is too invasive and not properly tested, with the result that it is incorrect.
From what I can tell by looking at #612, all of it can be solved by by removing rules that have a supset. As a result, I would expect the change to the existing code to look something like this:
--- a/pkg/rbac/parser.go
+++ b/pkg/rbac/parser.go
@@ -194,6 +194,8 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{
ruleMap[key].addVerbs(rule.Verbs)
}
+ ruleMap = removeRulesThatHaveSuperset(ruleMap)
+
// sort the Rules in rules according to their ruleKeys
keys := make([]ruleKey, 0, len(ruleMap))
for key := range ruleMap {As a general rule of thumb for making any changes:
- Keep the change as small as possible
- Do not make any unrelated stylistic changes
- Keep the change scoped, do not mix refactorings (change of existing code that does not intend to change behavior) with behavioural changes
| // meaning that the other is unnecessary. | ||
| // Remember that Kubernetes RBAC rules are purely additive, there | ||
| // are no deny rules. | ||
| func (nr *NormalizedRule) Subsumes(other *NormalizedRule) bool { |
There was a problem hiding this comment.
I can directly tell you that this is wrong:
- Empty groups does not mean all groups, it means no group
- Same for Resources
- Resources support the
*operator to indicateallresources
Also, if we introduce something like that it needs thorough unit testing. This is not an area where we can introduce correctness issues.
There was a problem hiding this comment.
Have updated this versus the documentation on the PolicyRule struct. Thanks, this is the kind of feedback I wanted on the correctness. 👍
There was a problem hiding this comment.
I have been building out the unit tests (given that there were none to start with) but definitely could do with more.
| result := []*NormalizedRule{it} | ||
| for _, d := range dest { | ||
| result = insertRule(result, d) | ||
| } |
There was a problem hiding this comment.
What you are doing here is both harder to read and less eficient than:
func remove(s []int, i int) []int {
s[i] = s[len(s)-1]
return s[:len(s)-1]
}
return append(remove(dest, idx), it)
| // if two different rules have the same comparison key then they can have their verbs merged | ||
| // this key should comprise all the fields below except Verbs and Namespace (since rules | ||
| // are partitioned by namespace before merging) | ||
| ComparisonKey string |
There was a problem hiding this comment.
Sorry, I don't understand why this is needed. If one rule is a superset of another rule, the subet rule can be removed. Why is any additional merging needed?
There was a problem hiding this comment.
This is to handle verb list merging (a part of the existing codebase as well); if two rules match exactly the same things then they can be unified and their verb lists merged.
| return result | ||
| } | ||
|
|
||
| // Subsumes indicates if one rule entirely determines another, |
There was a problem hiding this comment.
This might be due to the fact that I am not a native English speaker, but I find a name like IsSuperset way more obvious.
|
Ideally we'd also rely on the k8s code to help enforce requirements on the |
Unfortunately not, because that will break In general, k8s itself states you must never import k8s/kubernetes (I can't find the reference for that off-hand, but it exists). The only way to get us to use upstream code would be to talk to upstream sig-apimachinery if they are open to move this to staging (i.E. below the |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
6 participants
Closes #612.
Check if rules are rendered irrelevant by other rules and remove them if so.