admission: don't update psp annotation on update #55486
Conversation
k8s-ci-robot
added
do-not-merge/release-note-label-needed
sttts
force-pushed
the
sttts-psp-admission-annotation
branch
from
264ef95
to
65ce2e0
Compare
| // if failOnNoPolicies is false. | ||
| // TODO: if failOnNoPolicies is toggled from false to true, we will never update the annotation anymore. Is this desired? | ||
| pod.ObjectMeta.Annotations[psputil.ValidatedPSPAnnotation] = pspName | ||
| pod.ObjectMeta.Annotations[psputil.InitiallyValidatedPSPAnnotation] = pspName |
There was a problem hiding this comment.
note that before this PR we did not allow mutation in updates either (i.e. no serious mutation), but we were updating the annotation. Now we completely skip the mutating admission phase for update requests.
k8s-ci-robot
added
release-note
|
We need the annotation in tests. An alternative would be to define a secret annotation on a pod: if that is found during admission, we update it to the chosen PSP. This secret annotation can be |
| @@ -26,7 +26,7 @@ import ( | |||
| ) | |||
|
|
|||
| const ( | |||
| ValidatedPSPAnnotation = "kubernetes.io/psp" | |||
There was a problem hiding this comment.
I wouldn't change the existing annotation
|
nit on not changing the annotation name, LGTM otherwise |
sttts
force-pushed
the
sttts-psp-admission-annotation
branch
3 times, most recently
from
3b5fb6f
to
8a3a102
Compare
k8s-ci-robot
added
size/S
|
@liggitt addressed the annotation comment. Will give the west-coast reviewers some time to review. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
This feels to me like the tests are testing the internal implementation, not the public interface. Maybe the solution is to rewrite those tests to not depend on this annotation? As a longer term solution, this feels like something that might be useful in audit logs, along with things like which RBAC role authorized a user. I'm not sure exactly how that should be incorporated, but it seems like a more appropriate place for this sort of information. /cc @crassirostris |
| @@ -395,7 +400,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { | |||
| pod: unprivilegedRunAsAnyPod.DeepCopy(), | |||
| oldPod: changedPod.DeepCopy(), | |||
| psps: []*extensions.PodSecurityPolicy{mutating2, mutating1}, | |||
| shouldPassAdmit: false, | |||
| shouldPassAdmit: true, | |||
There was a problem hiding this comment.
"pod should not allow mutation on update"
Change the description of this case.
| pod: unprivilegedRunAsAnyPod.DeepCopy(), | ||
| oldPod: changedPod.DeepCopy(), | ||
| pod: podWithSC.DeepCopy(), | ||
| oldPod: changedPodWithSC.DeepCopy(), |
There was a problem hiding this comment.
nit: I think these names are backwards... changedPod* sohuld be the new one, not the "oldPod". Same for other test cases.
There was a problem hiding this comment.
Tried to follow the existing pattern there, but it confused me as well.
Our API is implicit, i.e. not introspectable. Our tests want to verify that the right PSP was chosen. If we don't want such an annotation, we have to find another way to detect that. Might be tricky. |
I like that idea. @crassirostris can you create an issue of audit+admission? With webhooks this will get even more important. |
sttts
force-pushed
the
sttts-psp-admission-annotation
branch
from
8a3a102
to
b21b23b
Compare
k8s-ci-robot
removed
the
size/S
k8s-ci-robot
added
the
size/M
k8s-github-robot
removed
the
lgtm
|
@tallclair updated. ptal |
sttts
added
the
lgtm
| @@ -119,11 +119,15 @@ func (c *PodSecurityPolicyPlugin) Admit(a admission.Attributes) error { | |||
| return nil | |||
| } | |||
|
|
|||
| // TODO(liggitt): allow spec mutation during initializing updates? | |||
| if a.GetOperation() != admission.Create { | |||
There was a problem hiding this comment.
Why not move this check into the shouldIgnore()?
There was a problem hiding this comment.
It's not the same for Admit and Validate. We only skip the mutation on non-Create requests in mutating admission (= Admit).
There was a problem hiding this comment.
Ok, thanks!
The logic become more and more sophisticated... If you will add a comment here, it would be good addition IMHO.
|
/retest |
sttts
force-pushed
the
sttts-psp-admission-annotation
branch
from
b21b23b
to
3d5849f
Compare
k8s-github-robot
removed
the
lgtm
sttts
added
the
lgtm
|
@tallclair @liggitt this is waiting for approval. |
|
/approve |
|
/retest |
|
/approve no-issue |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, liggitt, sttts Associated issue: 55435 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
@sttts @tallclair Sorry I'm little bit late to the party. Could you please clarify what you're suggesting here:
I'm not sure I understand the context |
The PSP admission plugin matches a pod with a PodSecurityPolicy. If no policy matches, the pod is rejected. It would be helpful to know which policy made the pod pass the admission step. |
Follow-up of #54689.
Related to #55435 as istio-like initializer-based container injection cannot contribute to SC mutations.