set/validate object namespace before admission #94637
Skipping CI for Draft Pull Request.
/assign @deads2k
Do not forget that CRDs are still not fully up to the job of obviating the original way of defining new resources using aggregated custom apiservers. Some of us are doing that, with a distinct etcd cluster for the custom resources too. Now think about backup/restore of the etcd clusters. It would be best if there is a rigorous independence of their content. It might be best to not require one etcd cluster to contain a namespace object in order to persist an object in a different etcd cluster.
That is unrelated to this PR. The API server currently ensures the namespace in the request path and the namespace in the object match prior to persisting in etcd, but that check is done post-admission. This PR ensures that check is done prior to admission to avoid sending namespaced objects to admission with their namespace field unset (to be filled in later prior to persistence) or mismatching the request (to be rejected later prior to persistence).
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
c96b501 to 973cf38
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community.
/assign @jpbetz
/triage accepted
f3e9087 to e731ccd
/lgtm
See kubernetes/kubernetes#94637 for details. Signed-off-by: Nick Sieger <nick@nicksieger.com>
* chore: go 1.18 + fix test failure on 1.18 + macos
  Signed-off-by: Nick Sieger <nick@nicksieger.com>
* vendor: update all: k8s 24.3 and associated updates
  Signed-off-by: Nick Sieger <nick@nicksieger.com>
* codegen: update from new code-generation library
  Signed-off-by: Nick Sieger <nick@nicksieger.com>
* server: propagate context from start through tls config
  Signed-off-by: Nick Sieger <nick@nicksieger.com>
* storage: set request context namespace in tests
  See kubernetes/kubernetes#94637 for details.
  Signed-off-by: Nick Sieger <nick@nicksieger.com>
* ci: cimg working directory changes
  Signed-off-by: Nick Sieger <nick@nicksieger.com>
What type of PR is this?
/kind bug
/kind cleanup
What this PR does / why we need it:
Ensures the namespace population/check that occurs before an object is persisted is done before it is sent to admission. This ensures the namespace in the object matches the request namespace attribute.
Currently, namespaced objects can be sent to admission with empty namespaces during creation (and are defaulted to match the request namespace just before persisting) or a mismatched namespace (and are rejected just before persisting).
Added tests around the following scenarios:
xref https://github.com/kubernetes/kubernetes/issues/88282
Does this PR introduce a user-facing change?:
/cc @deads2k
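The ordering change the PR description explains (namespace population/check before admission instead of just before persistence) is easy to reason about with a small model. The following Go program is an added illustration, not code from this PR or from the kube-apiserver; the types (`ObjectMeta`, `Scope`), the helper `EnsureNamespaceMatchesRequest`, the sample `DenyNamespace` policy and the two create paths are all constructed stand-ins for the real apiserver registry and admission chain. It shows why an admission policy keyed on `metadata.namespace` must run after the object's namespace has been reconciled with the request namespace: with the old order the policy observes an empty namespace on a create whose body omits it, and the defaulting to the request namespace only happens afterwards.

```go
package main

import (
	"errors"
	"fmt"
)

// Scope says whether a resource kind is namespaced or cluster-scoped.
type Scope int

const (
	NamespaceScoped Scope = iota
	ClusterScoped
)

// ObjectMeta is a constructed, minimal stand-in for metav1.ObjectMeta.
type ObjectMeta struct {
	Name      string
	Namespace string
}

var (
	ErrNamespaceMismatch        = errors.New("object namespace does not match request namespace")
	ErrNamespaceOnClusterScoped = errors.New("namespace must be empty on a cluster-scoped object")
)

// EnsureNamespaceMatchesRequest applies the namespace population/check rule
// described in the PR (hypothetical name, not the apiserver's own helper):
//   - namespaced resource, object namespace empty   -> default it to the request namespace
//   - namespaced resource, object namespace differs -> reject
//   - cluster-scoped resource, object namespace set -> reject
func EnsureNamespaceMatchesRequest(scope Scope, requestNamespace string, obj *ObjectMeta) error {
	if scope == ClusterScoped {
		if obj.Namespace != "" {
			return ErrNamespaceOnClusterScoped
		}
		return nil
	}
	if obj.Namespace == "" {
		obj.Namespace = requestNamespace
		return nil
	}
	if obj.Namespace != requestNamespace {
		return fmt.Errorf("%w: request %q, object %q", ErrNamespaceMismatch, requestNamespace, obj.Namespace)
	}
	return nil
}

// AdmissionFunc stands in for an admission plugin or webhook that inspects the object.
type AdmissionFunc func(obj ObjectMeta) error

// DenyNamespace is a sample admission policy that rejects writes into one namespace.
func DenyNamespace(denied string) AdmissionFunc {
	return func(obj ObjectMeta) error {
		if obj.Namespace == denied {
			return fmt.Errorf("admission denied: writes to namespace %q are not allowed", denied)
		}
		return nil
	}
}

// Create models the create path with the check ahead of admission (the order this PR establishes).
// It returns the namespace the admission policy observed, plus any error.
func Create(scope Scope, requestNamespace string, obj *ObjectMeta, admit AdmissionFunc) (string, error) {
	if err := EnsureNamespaceMatchesRequest(scope, requestNamespace, obj); err != nil {
		return "", err
	}
	if err := admit(*obj); err != nil {
		return obj.Namespace, err
	}
	return obj.Namespace, nil // persistence would follow here
}

// CreateAdmissionFirst models the previous order: admission sees the object as submitted,
// and the namespace is only populated/checked just before persistence.
func CreateAdmissionFirst(scope Scope, requestNamespace string, obj *ObjectMeta, admit AdmissionFunc) (string, error) {
	observed := obj.Namespace
	if err := admit(*obj); err != nil {
		return observed, err
	}
	if err := EnsureNamespaceMatchesRequest(scope, requestNamespace, obj); err != nil {
		return observed, err
	}
	return observed, nil
}

func main() {
	policy := DenyNamespace("kube-system")

	// Constructed request: POST into kube-system with metadata.namespace left empty.
	obj := &ObjectMeta{Name: "cm"}
	seen, err := CreateAdmissionFirst(NamespaceScoped, "kube-system", obj, policy)
	fmt.Printf("admission first: policy saw namespace %q, err=%v\n", seen, err)

	obj = &ObjectMeta{Name: "cm"}
	seen, err = Create(NamespaceScoped, "kube-system", obj, policy)
	fmt.Printf("check first:     policy saw namespace %q, err=%v\n", seen, err)
}
```

Running the program shows the policy observing `""` and admitting under the old order, and observing `"kube-system"` and denying under the new one; the same helper also rejects a body whose namespace differs from the request path and a cluster-scoped body that carries a namespace, so admission never sees an object whose namespace will later be rewritten or rejected.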