Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Validates partial path for flow-schema's non-resource-url rules #84706

Merged
merged 1 commit into from Nov 6, 2019
Merged

Feature: Validates partial path for flow-schema's non-resource-url rules #84706

merged 1 commit into from Nov 6, 2019

Conversation

yue9944882
Copy link
Member

/sig api-machinery
/kind feature

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Nov 4, 2019
@yue9944882 yue9944882 force-pushed the feat/add-partial-non-resource-url-validation branch from fec7c90 to 5928ca8 Compare November 4, 2019 12:38
liggitt
liggitt reviewed Nov 4, 2019
View reviewed changes
pkg/apis/flowcontrol/validation/validation.go Outdated Show resolved Hide resolved
pkg/apis/flowcontrol/validation/validation.go Outdated
// 2. A non-resource-url path must not end up with slash
// 3. Continuous/double slash is forbidden in the path
// 4. White-space is forbidden in the path
// 5. Wildcard "*" should be only character in a segment if present
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is the use-case for honoring embedded wildcards (as opposed to suffix-only wildcards)?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that depends on whether wildcard can match slash or not. rbac matcher matches slash, should we align w/ rbac in the first place?

kubernetes/pkg/apis/rbac/v1/evaluation_helpers.go

Lines 107 to 109 in 1488460

if strings.HasSuffix(ruleURL, "*") && strings.HasPrefix(requestedURL, strings.TrimRight(ruleURL, "*")) {
return true
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RBAC only does suffix glob matching. I haven't seen compelling use cases around internal glob matching.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i updated to align w/ rbac. the wildcard in rbac matches slash, e.g. /healthz/* will match /healthz/poststarthook/start-kube-apiserver-informers. if wildcard doesnt match slash, we have to set /healthz/*/* otherwise. i just added a note to emphasis that..

@yue9944882
Copy link
Member Author

/cc @lavalamp @deads2k @MikeSpreitzer @aaron-prindle

@yue9944882 yue9944882 force-pushed the feat/add-partial-non-resource-url-validation branch 2 times, most recently from 0f7be1e to 829aea9 Compare November 5, 2019 16:17
@caesarxuchao
Copy link
Member

/assign @deads2k

@yue9944882 yue9944882 force-pushed the feat/add-partial-non-resource-url-validation branch from 829aea9 to da612a3 Compare November 6, 2019 13:58
@yue9944882
Copy link
Member Author

/test pull-kubernetes-integration

MikeSpreitzer
MikeSpreitzer approved these changes Nov 6, 2019
View reviewed changes
Copy link
Member

@MikeSpreitzer MikeSpreitzer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/LGTM

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 6, 2019
@deads2k
Copy link
Contributor

deads2k commented Nov 6, 2019

/lgtm
/approve

@liggitt
Copy link
Member

liggitt commented Nov 6, 2019

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, liggitt, yue9944882

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 6, 2019
@k8s-ci-robot k8s-ci-robot merged commit 9a85b01 into kubernetes:master Nov 6, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Nov 6, 2019
@MikeSpreitzer MikeSpreitzer mentioned this pull request Nov 7, 2019
Closed
33 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@deads2k deads2k deads2k left review comments

@MikeSpreitzer MikeSpreitzer MikeSpreitzer approved these changes

@ncdc ncdc Awaiting requested review from ncdc

@aaron-prindle aaron-prindle Awaiting requested review from aaron-prindle

@lavalamp lavalamp Awaiting requested review from lavalamp

Assignees

@deads2k deads2k

@MikeSpreitzer MikeSpreitzer

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.17
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@yue9944882 @caesarxuchao @deads2k @liggitt @k8s-ci-robot @MikeSpreitzer