dra api: fix status updates #123730

Merged
merged 1 commit into from Mar 6, 2024

Conversation

pohly
Contributor

@pohly pohly commented Mar 5, 2024

What type of PR is this?

/kind bug

What this PR does / why we need it:

Changing object meta is not supposed to be possible via status updates. For example, it circumvents RBAC permission checks.

Which issue(s) this PR fixes:

Fixes #123727

Special notes for your reviewer:

Found during review of #123516 because it relied on the buggy behavior.

Does this PR introduce a user-facing change?

DRA: ResourceClaim and PodSchedulingContext status updates no longer allow changing object meta data.

Changing object meta is not supposed to be possible via status updates. For
example, it circumvents RBAC permission checks.
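
The effect described above, as a simplified model (an added example, not code from this PR or from Kubernetes): the `Claim` and `Meta` types, the `allowed` RBAC lookup and both prepare functions are hypothetical stand-ins. A caller authorized only for `resourceclaims/status` gets a label change persisted under the first prepare step and not under the second.

```go
package main

import "fmt"

// Simplified stand-ins for an API object; these are not the Kubernetes types.
type Meta struct{ Labels map[string]string }

type Claim struct {
	Meta   Meta
	Spec   string
	Status string
}

// allowed models an RBAC lookup keyed by "resource" or "resource/subresource".
func allowed(rules map[string]bool, resource, subresource string) bool {
	if subresource != "" {
		resource += "/" + subresource
	}
	return rules[resource]
}

// prepareBuggy protects only spec, so metadata sent by the caller is persisted.
func prepareBuggy(updated, stored *Claim) { updated.Spec = stored.Spec }

// prepareFixed also restores metadata, leaving status as the only writable part.
func prepareFixed(updated, stored *Claim) {
	updated.Spec = stored.Spec
	updated.Meta = stored.Meta
}

// updateStatus authorizes against the status subresource only, applies the
// given prepare step, and returns the object that would be stored.
func updateStatus(rules map[string]bool, prepare func(updated, stored *Claim), stored, sent Claim) (Claim, error) {
	if !allowed(rules, "resourceclaims", "status") {
		return stored, fmt.Errorf("forbidden: update resourceclaims/status")
	}
	prepare(&sent, &stored)
	return sent, nil
}

func main() {
	rules := map[string]bool{"resourceclaims/status": true} // constructed role
	stored := Claim{Meta: Meta{Labels: map[string]string{"team": "a"}}, Spec: "gpu", Status: "pending"}
	sent := Claim{Meta: Meta{Labels: map[string]string{"team": "b"}}, Spec: "gpu", Status: "allocated"}
	buggy, _ := updateStatus(rules, prepareBuggy, stored, sent)
	fixed, _ := updateStatus(rules, prepareFixed, stored, sent)
	fmt.Println(buggy.Meta.Labels["team"], fixed.Meta.Labels["team"], fixed.Status)
}
```
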
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 5, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Mar 5, 2024
@alculquicondor
Member

/lgtm
/label api-review
/assign @liggitt

@k8s-ci-robot k8s-ci-robot added the api-review Categorizes an issue or PR as actively needing an API review. label Mar 5, 2024
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 5, 2024
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: a3ba056ee596f20b1daa513f464fbfd23924196e

@alculquicondor
Member

should we have a test? I don't know if we are very diligent with existing APIs.

@liggitt
Member

liggitt commented Mar 5, 2024

/lgtm
/approve

change is straightforward

can add a test if you want in response to #123730 (comment)

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, pohly

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 5, 2024
@jiahuif
Member

jiahuif commented Mar 5, 2024

/sig node

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 5, 2024
@liggitt
Member

liggitt commented Mar 5, 2024

/sig node

@liggitt
Member

liggitt commented Mar 5, 2024

/milestone v1.30

@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Mar 5, 2024
@k8s-ci-robot k8s-ci-robot merged commit 6950720 into kubernetes:master Mar 6, 2024
17 checks passed
Projects
Status: API review completed, 1.30
Development

Successfully merging this pull request may close these issues.

DRA API: don't allow changing object meta during status update
5 participants