Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add v1.Secret to go-flow-levee analysis targets #107810

Merged
merged 1 commit into from
Feb 15, 2022
Merged

Add v1.Secret to go-flow-levee analysis targets #107810

merged 1 commit into from
Feb 15, 2022

Conversation

tksm
Copy link
Contributor

@tksm tksm commented Jan 27, 2022
edited

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR adds v1.Secret to the list of go-flow-levee analysis targets.

The internal version of Secret (k8s.io/kubernetes/pkg/apis/core) was added datapolicy tag in #95992 , but v1.Secret (k8s.io/api/core/v1) is not tagged. v1.Secret is more widely used than the internal one, so it should be checked.

Which issue(s) this PR fixes:

Special notes for your reviewer:

I know KEP-1753 deprecation does not deprecate datapolicy tag, but the related PRs such as #95998, #95994, and #96008 were not merged, so I only added it to levee-config.yaml for now.

I confirmed that a log line intentionally added a v1.Secret object was detected with this config.

$ hack/verify-govet-levee.sh
# ...

# k8s.io/kubernetes/pkg/volume/secret
pkg/volume/secret/secret.go:193:12: a source has reached a sink
 source: pkg/volume/secret/secret.go:192:28
make: *** [vet] Error 1

diff --git a/pkg/volume/secret/secret.go b/pkg/volume/secret/secret.go
index 8226b2209ee..6fd5cd279e8 100644
--- a/pkg/volume/secret/secret.go
+++ b/pkg/volume/secret/secret.go
@@ -190,6 +190,7 @@ func (b *secretVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs

        optional := b.source.Optional != nil && *b.source.Optional
        secret, err := b.getSecret(b.pod.Namespace, b.source.SecretName)
+       klog.Infof("This line should be detected %v", secret)
        if err != nil {
                if !(errors.IsNotFound(err) && optional) {
                        klog.Errorf("Couldn't get secret %v/%v: %v", b.pod.Namespace, b.source.SecretName, err)

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 27, 2022
@k8s-ci-robot
Copy link
Contributor

@tksm: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 27, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @tksm. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 27, 2022
@tksm
Copy link
Contributor Author

tksm commented Jan 27, 2022

/assign PurelyApplied
as the author of KEP-1933

@PurelyApplied
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 1, 2022
@tksm
Copy link
Contributor Author

tksm commented Feb 1, 2022

/retest

@k8s-ci-robot
Copy link
Contributor

@tksm: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@PurelyApplied
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 1, 2022
@tksm
Copy link
Contributor Author

tksm commented Feb 1, 2022

/assign @IanColdwater

@tksm
Copy link
Contributor Author

tksm commented Feb 7, 2022

/assign @tabbysable

@tabbysable
Copy link
Member

/approve
/honk

@k8s-ci-robot
Copy link
Contributor

@tabbysable:
goose image

In response to this:

/approve
/honk

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tabbysable, tksm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 15, 2022
@k8s-ci-robot k8s-ci-robot merged commit a47c659 into kubernetes:master Feb 15, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.24 milestone Feb 15, 2022
@tksm tksm deleted the levee-v1-secret branch February 15, 2022 23:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@IanColdwater IanColdwater Awaiting requested review from IanColdwater

@tabbysable tabbysable Awaiting requested review from tabbysable

Assignees

@PurelyApplied PurelyApplied

@IanColdwater IanColdwater

@tabbysable tabbysable

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. sig/security Categorizes an issue or PR as relevant to SIG Security. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
v1.24
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@tksm @k8s-ci-robot @PurelyApplied @tabbysable @IanColdwater