Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

set/validate object namespace before admission #94637

Merged
merged 3 commits into from
Feb 23, 2022
Merged

set/validate object namespace before admission #94637

merged 3 commits into from
Feb 23, 2022

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Sep 9, 2020
edited

What type of PR is this?

/kind bug
/kind cleanup

What this PR does / why we need it:
Ensures the namespace population/check that occurs before an object is persisted is done before it is sent to admission. This ensures the namespace in the object matches the request namespace attribute.

Currently, namespaced objects can be sent to admission with empty namespaces during creation (and are defaulted to match the request namespace just before persisting) or a mismatched namespace (and are rejected just before persisting).

Added tests around the following scenarios:

  • cluster-scoped, no namespace in object
  • cluster-scoped, mismatched namespace in object
  • namespaced, no namespace in object
  • namespaced, matching namespace in object
  • namespaced, mismatched namespace in object

xref https://github.com/kubernetes/kubernetes/issues/88282

Does this PR introduce a user-facing change?:

kube-apiserver: ensures the namespace of objects sent to admission webhooks matches the request namespace. Previously, objects without a namespace set would have the request namespace populated after mutating admission, and objects with a namespace that did not match the request namespace would be rejected after admission.

/cc @deads2k

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 9, 2020
@lavalamp
Copy link
Member

/assign @deads2k
cc @MikeSpreitzer @yue9944882

@MikeSpreitzer
Copy link
Member

Do not forget that CRDs are still not fully up to the job of obviating the original way of defining new resources using aggregated custom apiservers. Some of us are doing that, with a distinct etcd cluster for the custom resources too. Now think about backup/restore of the etcd clusters. It would be best if there is a rigorous independence of their content. It might be best to not require one etcd cluster to contain a namespace object in order to persist an object in a different etcd cluster.

@liggitt
Copy link
Member Author

liggitt commented Sep 14, 2020

Do not forget that CRDs are still not fully up to the job of obviating the original way of defining new resources using aggregated custom apiservers. Some of us are doing that, with a distinct etcd cluster for the custom resources too. Now think about backup/restore of the etcd clusters. It would be best if there is a rigorous independence of their content. It might be best to not require one etcd cluster to contain a namespace object in order to persist an object in a different etcd cluster.

That is unrelated to this PR.

The API server currently ensures the namespace in the request path and the namespace in the object match prior to persisting in etcd, but that check is done post-admission. This PR ensures that check is done prior to admission to avoid sending namespaced objects to admission with their namespace field unset (to be filled in later prior to persistence) or mismatching the request (to be rejected later prior to persistence).

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 2, 2020
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 31, 2020
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 30, 2021
@liggitt liggitt removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Feb 4, 2021
@liggitt liggitt force-pushed the namespace-before-admission branch from c96b501 to 973cf38 Compare March 1, 2021 18:19
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 1, 2021
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 30, 2021
@fedebongio
Copy link
Contributor

/assign @jpbetz
Joe would you be able to take a look?
/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Feb 17, 2022
@jpbetz
Copy link
Contributor

jpbetz commented Feb 22, 2022

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 22, 2022
@deads2k
Copy link
Contributor

deads2k commented Feb 23, 2022

/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Feb 23, 2022
@k8s-ci-robot k8s-ci-robot merged commit 77eb1a0 into kubernetes:master Feb 23, 2022
@liggitt liggitt deleted the namespace-before-admission branch May 5, 2022 15:00
nicksieger added a commit to tilt-dev/tilt-apiserver that referenced this pull request Aug 3, 2022
@nicksieger
storage: set request context namespace in tests
e6a85a9 
See kubernetes/kubernetes#94637 for details.
nicksieger added a commit to tilt-dev/tilt-apiserver that referenced this pull request Aug 3, 2022
@nicksieger
storage: set request context namespace in tests
84780ce 
See kubernetes/kubernetes#94637 for details.
nicksieger added a commit to tilt-dev/tilt-apiserver that referenced this pull request Aug 3, 2022
@nicksieger
storage: set request context namespace in tests
341c700 
See kubernetes/kubernetes#94637 for details.
nicksieger added a commit to tilt-dev/tilt-apiserver that referenced this pull request Aug 3, 2022
@nicksieger
storage: set request context namespace in tests
7a26333 
See kubernetes/kubernetes#94637 for details.
nicksieger added a commit to tilt-dev/tilt-apiserver that referenced this pull request Aug 3, 2022
@nicksieger
storage: set request context namespace in tests
d655d8a 
See kubernetes/kubernetes#94637 for details.

Signed-off-by: Nick Sieger <nick@nicksieger.com>
nicksieger added a commit to tilt-dev/tilt-apiserver that referenced this pull request Aug 8, 2022
@nicksieger
Go 1.18 and k8s v0.24.3 (#57)
8201831 
* chore: go 1.18 + fix test failure on 1.18 + macos

Signed-off-by: Nick Sieger <nick@nicksieger.com>

* vendor: update all: k8s 24.3 and associated updates

Signed-off-by: Nick Sieger <nick@nicksieger.com>

* codegen: update from new code-generation library

Signed-off-by: Nick Sieger <nick@nicksieger.com>

* server: propagate context from start through tls config

Signed-off-by: Nick Sieger <nick@nicksieger.com>

* storage: set request context namespace in tests

See kubernetes/kubernetes#94637 for details.

Signed-off-by: Nick Sieger <nick@nicksieger.com>

* ci: cimg working directory changes

Signed-off-by: Nick Sieger <nick@nicksieger.com>
@vpnachev vpnachev mentioned this pull request Aug 22, 2022
Closed
@timuthy timuthy mentioned this pull request Sep 16, 2022
Merged
@liggitt liggitt mentioned this pull request Nov 16, 2022
Closed
@carlory carlory mentioned this pull request Nov 25, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k deads2k left review comments

@MadhavJivrajani MadhavJivrajani MadhavJivrajani left review comments

@sftim sftim sftim left review comments

@yue9944882 yue9944882 yue9944882 approved these changes

Assignees

@dims dims

@jpbetz jpbetz

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.24
Development

Successfully merging this pull request may close these issues.

None yet