Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure 4xx+ response codes from webhook rejections #77022

Merged
merged 1 commit into from May 4, 2019

Conversation

@liggitt
Copy link
Member

commented Apr 24, 2019

What type of PR is this?
/kind bug

What this PR does / why we need it:
Admission webhooks can unintentionally reject requests while still returning a 200 status to the user.

This causes things like kubectl create to return a 0 status when their request was actually rejected.

Webhook dispatch should force rejections to have >= 400 http status codes.

Special notes for your reviewer:
xref #76984

Does this PR introduce a user-facing change?:

API requests rejected by admission webhooks which specify an http status code < 400 are now assigned a 400 status code.
@k8s-ci-robot

This comment has been minimized.

Copy link
Contributor

commented Apr 24, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liggitt

This comment has been minimized.

Copy link
Member Author

commented Apr 24, 2019

@liggitt

This comment has been minimized.

Copy link
Member Author

commented Apr 25, 2019

@k8s-ci-robot k8s-ci-robot requested a review from caesarxuchao Apr 25, 2019

@liggitt liggitt force-pushed the liggitt:webhook-error-success branch from 9978a34 to 5007643 Apr 25, 2019

@@ -32,6 +33,15 @@ func ToStatusErr(webhookName string, result *metav1.Status) *apierrors.StatusErr
result = &metav1.Status{Status: metav1.StatusFailure}
}

// Make sure we don't return < 400 status codes along with a rejection
if result.Code < http.StatusBadRequest {
result.Code = http.StatusBadRequest

This comment has been minimized.

Copy link
@liggitt

liggitt Apr 26, 2019

Author Member

We talked about switching this to a 500 in the api-machinery call today, but the more I consider this, I think that would be misleading to the end user. The reason their request was rejected was because their request was judged to be bad, not because the server had some error.

I see this as akin to what we do here:

_, serializer, err := negotiation.NegotiateOutputMediaType(req, s, restrictions)
if err != nil {
// if original statusCode was not successful we need to return the original error
// we cannot hide it behind negotiation problems
if statusCode < http.StatusOK || statusCode >= http.StatusBadRequest {
WriteRawJSON(int(statusCode), object, w)
return
}

if we encounter a negotiation error in the process of trying to write an error response, we don't switch to a 500, we preserve the original error code

This comment has been minimized.

Copy link
@logicalhan

logicalhan Apr 26, 2019

Contributor

I personally find that argument compelling.

@caesarxuchao

This comment has been minimized.

Copy link
Member

commented May 3, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label May 3, 2019

@k8s-ci-robot k8s-ci-robot merged commit aefa6d4 into kubernetes:master May 4, 2019

20 checks passed

cla/linuxfoundation liggitt authorized
Details
pull-kubernetes-bazel-build Job succeeded.
Details
pull-kubernetes-bazel-test Job succeeded.
Details
pull-kubernetes-conformance-image-test Skipped.
pull-kubernetes-cross Skipped.
pull-kubernetes-dependencies Job succeeded.
Details
pull-kubernetes-e2e-gce Job succeeded.
Details
pull-kubernetes-e2e-gce-100-performance Job succeeded.
Details
pull-kubernetes-e2e-gce-csi-serial Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
Details
pull-kubernetes-e2e-gce-storage-slow Skipped.
pull-kubernetes-godeps Skipped.
pull-kubernetes-integration Job succeeded.
Details
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
Details
pull-kubernetes-local-e2e Skipped.
pull-kubernetes-node-e2e Job succeeded.
Details
pull-kubernetes-typecheck Job succeeded.
Details
pull-kubernetes-verify Job succeeded.
Details
pull-publishing-bot-validate Skipped.
tide In merge pool.
Details

@liggitt liggitt deleted the liggitt:webhook-error-success branch May 6, 2019

@liggitt liggitt added this to Complete in Admission Webhooks Sep 4, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.