admission: don't update psp annotation on update #55486
// if failOnNoPolicies is false. | ||
// TODO: if failOnNoPolicies is toggled from false to true, we will never update the annotation anymore. Is this desired? | ||
pod.ObjectMeta.Annotations[psputil.ValidatedPSPAnnotation] = pspName | ||
pod.ObjectMeta.Annotations[psputil.InitiallyValidatedPSPAnnotation] = pspName |
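Review bot: the TODO just above these two assignments leaves an open design question in shipped code (if failOnNoPolicies is toggled from false to true, the annotation is never refreshed); decide the intended behaviour before merge and record it in the plugin's doc comment instead of a TODO. The two annotation writes also store the same pspName under two keys; if the existing `kubernetes.io/psp` key is kept unchanged, the second write is redundant and should be dropped.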
note that before this PR we did not allow mutation in updates either (i.e. no serious mutation), but we were updating the annotation. Now we completely skip the mutating admission phase for update requests.
We need the annotation in tests. An alternative would be to define a secret annotation on a pod: if that is found during admission, we update it to the chosen PSP. This secret annotation can be
@@ -26,7 +26,7 @@ import ( | |||
) | |||
|
|||
const ( | |||
ValidatedPSPAnnotation = "kubernetes.io/psp" |
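Review bot: the `kubernetes.io/psp` annotation key is a public contract that tests (and anyone inspecting admitted pods) read, so both the exported identifier `ValidatedPSPAnnotation` and its value should stay as they are; a doc comment on the constant stating when it is written (on create, by the mutating Admit phase) would spare readers of this package a trip to the admission plugin.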
I wouldn't change the existing annotation
fixed
nit on not changing the annotation name, LGTM otherwise
@liggitt addressed the annotation comment. Will give the west-coast reviewers some time to review.
/lgtm
This feels to me like the tests are testing the internal implementation, not the public interface. Maybe the solution is to rewrite those tests to not depend on this annotation? As a longer term solution, this feels like something that might be useful in audit logs, along with things like which RBAC role authorized a user. I'm not sure exactly how that should be incorporated, but it seems like a more appropriate place for this sort of information. /cc @crassirostris
@@ -395,7 +400,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { | |||
pod: unprivilegedRunAsAnyPod.DeepCopy(), | |||
oldPod: changedPod.DeepCopy(), | |||
psps: []*extensions.PodSecurityPolicy{mutating2, mutating1}, | |||
shouldPassAdmit: false, | |||
shouldPassAdmit: true, |
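Review bot: flipping `shouldPassAdmit` from false to true for a case whose `pod` differs from `oldPod` changes what the case asserts, so its description should say that updates skip mutation rather than that mutation is disallowed; the case should additionally check that the returned pod is unchanged and its annotation is not rewritten, otherwise it cannot distinguish "mutation skipped" from "mutation applied".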
"pod should not allow mutation on update"
Change the description of this case.
fixed
pod: unprivilegedRunAsAnyPod.DeepCopy(), | ||
oldPod: changedPod.DeepCopy(), | ||
pod: podWithSC.DeepCopy(), | ||
oldPod: changedPodWithSC.DeepCopy(), |
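Review bot: the fixture naming reads backwards: `changedPod` and `changedPodWithSC` are passed as `oldPod`, so the object carrying the "changed" prefix is the one being updated from, not to. Swap the assignments (or rename the fixtures) so the new `pod` is the changed one, and apply the same fix to the other cases that follow this pattern.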
nit: I think these names are backwards... changedPod* should be the new one, not the "oldPod". Same for other test cases.
Tried to follow the existing pattern there, but it confused me as well.
fixed
Our API is implicit, i.e. not introspectable. Our tests want to verify that the right PSP was chosen. If we don't want such an annotation, we have to find another way to detect that. Might be tricky.
I like that idea. @crassirostris can you create an issue of audit+admission? With webhooks this will get even more important.
@tallclair updated. ptal
@@ -119,11 +119,15 @@ func (c *PodSecurityPolicyPlugin) Admit(a admission.Attributes) error { | |||
return nil | |||
} | |||
|
|||
// TODO(liggitt): allow spec mutation during initializing updates? | |||
if a.GetOperation() != admission.Create { |
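Review bot: the early return on `a.GetOperation() != admission.Create` needs a comment stating that it applies only to the mutating Admit phase (Validate still runs on updates) and why it is not folded into shouldIgnore(), which is shared with Validate; the remaining TODO(liggitt) about spec mutation during initializing updates should either be resolved here or point at the tracking issue (#55435 is the one cited in the PR description).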
Why not move this check into shouldIgnore()?
It's not the same for Admit and Validate. We only skip the mutation on non-Create requests in mutating admission (= Admit).
Ok, thanks!
The logic becomes more and more sophisticated... If you add a comment here, it would be a good addition IMHO.
Will do.
done
/retest
@tallclair @liggitt this is waiting for approval.
/approve
/retest
/approve no-issue
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, liggitt, sttts Associated issue: 55435 The full list of commands accepted by this bot can be found here.
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions here.
@sttts @tallclair Sorry I'm a little bit late to the party. Could you please clarify what you're suggesting here:
I'm not sure I understand the context
The PSP admission plugin matches a pod with a PodSecurityPolicy. If no policy matches, the pod is rejected. It would be helpful to know which policy made the pod pass the admission step.
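As an added illustration of the Admit/Validate split and the `kubernetes.io/psp` annotation discussed in this thread (example code written for this page, not the kubernetes plugin's own): a toy model in which a policy has just two fields, operations are plain strings, and the first matching policy wins; all of these are constructed assumptions. It shows that on create the mutating phase applies defaults and records the chosen policy, while on update it returns early so the pod is neither mutated nor re-annotated, and the non-mutating Validate phase still runs.

```go
package main

// Constructed toy model of the PSP admission flow from the thread, not the
// kubernetes plugin: two-field policies, first matching policy wins.
const ValidatedPSPAnnotation = "kubernetes.io/psp"

type Pod struct {
	Privileged  bool
	RunAsUser   int64 // 0 means unset
	Annotations map[string]string
}
type Policy struct {
	Name             string
	AllowPrivileged  bool
	DefaultRunAsUser int64 // 0: policy does not default runAsUser (non-mutating)
}

// allows reports whether pod satisfies p as submitted, without defaulting.
func (p Policy) allows(pod Pod) bool {
	return (p.AllowPrivileged || !pod.Privileged) && pod.RunAsUser != 0
}

// Admit is the mutating phase. On CREATE it applies the first policy whose
// defaults make the pod valid and records it in the annotation; on any other
// operation it returns early, so the pod is neither mutated nor re-annotated.
func Admit(op string, pod *Pod, policies []Policy) bool {
	if op != "CREATE" {
		return true
	}
	for _, p := range policies {
		mutated := *pod
		if mutated.RunAsUser == 0 { // apply the policy's default, if it has one
			mutated.RunAsUser = p.DefaultRunAsUser
		}
		if p.allows(mutated) {
			*pod = mutated
			if pod.Annotations == nil { pod.Annotations = map[string]string{} }
			pod.Annotations[ValidatedPSPAnnotation] = p.Name
			return true
		}
	}
	return false
}

// Validate is the non-mutating phase and runs on CREATE and UPDATE alike.
func Validate(pod Pod, policies []Policy) bool {
	for _, p := range policies {
		if p.allows(pod) {
			return true
		}
	}
	return false
}
```

An update whose pod still lacks a field that only defaulting would fill therefore passes Admit untouched but fails Validate, which is the behaviour the flipped `shouldPassAdmit` test case exercises.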
Follow-up of #54689.
Related to #55435 as istio-like initializer-based container injection cannot contribute to SC mutations.