Report missing policy or params in status of ValidatingAdmissionPolicyBindings #117263

Open
jpbetz opened this issue Apr 13, 2023 · 5 comments
Labels
sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@jpbetz
Contributor

jpbetz commented Apr 13, 2023

If a ValidatingAdmissionPolicyBinding references a non-existent policy in the spec.policyName field the binding silently does nothing.

xref:

// If the referenced resource does not exist, this binding is considered invalid and will be ignored

We have informally referred to a binding in this state as "mis-configured", but there is no way for a user to know that a binding is in this state short of attempting API requests that should be denied and noticing that they are allowed (which is clearly not a good way to check).

Part of the problem is that without the matchConditions of the policy, the policy binding doesn't even know what API requests it should match.

We should report this state into the status of binding resources.

Also, when the policy has a paramKind and the spec.paramRef refers to a non-existent resource, or the wrong type of resource, there is also a problem. The behavior for this case is different: the policy is considered mis-configured and the failurePolicy is triggered. We should still report status for this case though?

A last case: The policy does not have a paramKind but the binding has a spec.paramRef. In this case we ignore the paramRef (since it is not needed). I don't know if we need to report this to status. It is reasonable to add unused paramRefs to bindings in preparation for adding a paramKind to a policy, so maybe this is OK?
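The three binding states described in this issue can be detected from the API objects themselves, which is what a defender wants to do today given that the binding status reports none of them. The following audit script is an added example, not code from the kubernetes project: it takes lists of ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding objects as plain dicts (the shape `kubectl get ... -o json` returns in `.items`) plus a constructed list of candidate param objects, and classifies each binding as policy-missing (silently ignored), param-missing or param-wrong-kind (failurePolicy is triggered), paramRef-unused (paramRef ignored because the policy has no paramKind), or ok. The policy, binding and object names are constructed sample data.

```python
"""Audit ValidatingAdmissionPolicyBindings for the mis-configuration states
described in this issue. Added example, not kubernetes project code.
Inputs are plain dicts shaped like the API objects."""

POLICY_MISSING = "policy-missing"        # policyName does not resolve: binding silently ignored
PARAM_MISSING = "param-missing"          # paramRef target absent: failurePolicy applies
PARAM_WRONG_KIND = "param-wrong-kind"    # paramRef target is another kind: failurePolicy applies
PARAMREF_UNUSED = "paramref-unused"      # policy has no paramKind: paramRef ignored
OK = "ok"


def _find_object(objects, namespace, name):
    """Return the first object with this namespace/name, whatever its kind,
    so that a same-named object of the wrong kind can be reported."""
    for obj in objects:
        meta = obj.get("metadata", {})
        if meta.get("name") == name and meta.get("namespace") == namespace:
            return obj
    return None


def audit_bindings(policies, bindings, cluster_objects):
    """Classify each binding. Returns {binding name: (state, explanation)}.

    cluster_objects: candidate param resources (constructed here; in a real
    cluster they would be fetched according to each policy's spec.paramKind).
    """
    policies_by_name = {p["metadata"]["name"]: p for p in policies}
    report = {}
    for binding in bindings:
        bname = binding["metadata"]["name"]
        bspec = binding.get("spec", {})
        policy = policies_by_name.get(bspec.get("policyName"))
        if policy is None:
            report[bname] = (POLICY_MISSING,
                             f"policyName {bspec.get('policyName')!r} does not exist; "
                             "binding is ignored and denies nothing")
            continue
        pspec = policy.get("spec", {})
        param_kind = pspec.get("paramKind")
        param_ref = bspec.get("paramRef")
        if param_kind is None:
            if param_ref is not None:
                report[bname] = (PARAMREF_UNUSED,
                                 "binding sets paramRef but policy has no paramKind; paramRef is ignored")
            else:
                report[bname] = (OK, "policy expects no params and none are given")
            continue
        if param_ref is None:
            # Not one of the states discussed in the issue; not flagged here.
            report[bname] = (OK, "policy has paramKind, binding supplies no paramRef")
            continue
        failure_policy = pspec.get("failurePolicy", "Fail")  # API default is Fail
        target = _find_object(cluster_objects, param_ref.get("namespace"), param_ref["name"])
        if target is None:
            report[bname] = (PARAM_MISSING,
                             f"paramRef target not found; failurePolicy={failure_policy} applies")
        elif (target.get("apiVersion"), target.get("kind")) != \
                (param_kind.get("apiVersion"), param_kind.get("kind")):
            report[bname] = (PARAM_WRONG_KIND,
                             f"paramRef resolves to {target.get('kind')}, policy expects "
                             f"{param_kind.get('kind')}; failurePolicy={failure_policy} applies")
        else:
            report[bname] = (OK, "policy and params resolve")
    return report


# Constructed sample data covering every state (names are made up).
SAMPLE_POLICIES = [
    {"metadata": {"name": "limit-replicas"},
     "spec": {"paramKind": {"apiVersion": "v1", "kind": "ConfigMap"}, "failurePolicy": "Fail"}},
    {"metadata": {"name": "require-owner-label"}, "spec": {}},  # no paramKind
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "b-missing-policy"},
     "spec": {"policyName": "limit-replica"}},  # typo: policy does not exist
    {"metadata": {"name": "b-param-missing"},
     "spec": {"policyName": "limit-replicas",
              "paramRef": {"name": "replica-limits", "namespace": "kube-system"}}},
    {"metadata": {"name": "b-param-wrong-kind"},
     "spec": {"policyName": "limit-replicas",
              "paramRef": {"name": "replica-limits", "namespace": "default"}}},
    {"metadata": {"name": "b-unused-paramref"},
     "spec": {"policyName": "require-owner-label",
              "paramRef": {"name": "replica-limits-ok", "namespace": "default"}}},
    {"metadata": {"name": "b-ok"},
     "spec": {"policyName": "limit-replicas",
              "paramRef": {"name": "replica-limits-ok", "namespace": "default"}}},
]
SAMPLE_OBJECTS = [
    {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "replica-limits", "namespace": "default"}},
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "replica-limits-ok", "namespace": "default"}},
]


def sample_report():
    return audit_bindings(SAMPLE_POLICIES, SAMPLE_BINDINGS, SAMPLE_OBJECTS)


if __name__ == "__main__":
    for name, (state, why) in sample_report().items():
        print(f"{name:22} {state:18} {why}")
```

Only policy-missing and paramref-unused are the states that produce no signal at admission time; the two param cases surface as failurePolicy behaviour, but an audit like this tells you which binding caused it and why before a request is blocked.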

@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 13, 2023
@jpbetz
Contributor Author

jpbetz commented Apr 13, 2023

/assign @ritazh

@jpbetz
Contributor Author

jpbetz commented Apr 13, 2023

/triage accepted
/sig api-machinery

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 13, 2023
@shubham-singh-748

shubham-singh-748 commented Apr 16, 2023

Hey, can you please specify the following:

  1. What type of resources need to be created: user, group or any other kind of resource
  2. Required attributes for the resources, like name, id, etc.
  3. Creating resources using the appropriate APIs or console system

@k8s-triage-robot

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Apr 15, 2024
@cici37
Contributor

cici37 commented Apr 25, 2024

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 25, 2024