PSP ephemeral volume validation #98918
/sig security
As explained in https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1698-generic-ephemeral-volumes, CSI inline volumes are not suitable for more "normal" kinds of storage systems. For those a new approach is needed: "generic ephemeral inline volumes".
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project.
0d20827 to a8d29d6
/retest
/label api-review
When introducing the new "generic" volume type for generic ephemeral inline volumes, the storage policy for PodSecurityPolicy objects should have been extended so that this new type is valid only if the generic ephemeral volume feature is enabled or an existing object already has it. Adding the new type to the internal API was also missed.
When the PSP contains some other volume types, generic ephemeral inline volumes must be rejected.
It's not enough to silently drop the volume type if the feature is disabled. Instead, the policy should fail validation, just as it would have if the API server didn't know about the feature at all.
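The rules in the commit message above can be read as two separate checks: validation of the PodSecurityPolicy object itself (the new type is accepted only when the feature gate is on or the stored object already lists it, and is otherwise a validation error rather than a silently dropped field) and enforcement at pod admission (a policy that lists other volume types must reject pods using generic ephemeral volumes). The Go below is an added illustration of those two checks, not code from this PR or from Kubernetes; the `FSType` string values, the type and function names, and the toy `PodSecurityPolicy` struct are assumptions made for the example, and the page itself only calls the new type the "generic" volume type.

```go
package main

import (
	"errors"
	"fmt"
)

// FSType names a volume source that a PodSecurityPolicy may allow.
// The string values are assumptions for this example; the PR refers to the
// new type only as the "generic" (generic ephemeral inline) volume type.
type FSType string

const (
	FSTypeAll       FSType = "*"
	FSTypeConfigMap FSType = "configMap"
	FSTypeSecret    FSType = "secret"
	FSTypeEphemeral FSType = "ephemeral" // assumed name of the generic ephemeral type
)

// PodSecurityPolicy is a toy model: only the allowed-volumes list matters here.
type PodSecurityPolicy struct {
	Name    string
	Volumes []FSType
}

// lists reports whether t is spelled out explicitly in the policy ("*" does not count).
func (p PodSecurityPolicy) lists(t FSType) bool {
	for _, v := range p.Volumes {
		if v == t {
			return true
		}
	}
	return false
}

// allows reports whether a pod may use volume type t under this policy.
func (p PodSecurityPolicy) allows(t FSType) bool {
	return p.lists(FSTypeAll) || p.lists(t)
}

// ErrUnsupportedVolumeType models what an API server that does not know the
// type at all would report, which is the behaviour the commit message asks for.
var ErrUnsupportedVolumeType = errors.New("unsupported volume type in spec.volumes")

// ValidatePSP applies the object-level rule: the ephemeral type is valid only if
// the feature gate is enabled or the existing object (old; nil on create) already
// listed it. Otherwise the policy fails validation instead of the type being dropped.
func ValidatePSP(obj PodSecurityPolicy, old *PodSecurityPolicy, gateEnabled bool) error {
	if !obj.lists(FSTypeEphemeral) {
		return nil
	}
	if gateEnabled {
		return nil
	}
	if old != nil && old.lists(FSTypeEphemeral) {
		return nil // an existing object stays valid if the gate is later turned off
	}
	return fmt.Errorf("%w: %q", ErrUnsupportedVolumeType, FSTypeEphemeral)
}

// AdmitPodVolumes applies the admission rule: every volume type the pod uses
// must be allowed, so a policy that lists only other types rejects ephemeral volumes.
func AdmitPodVolumes(psp PodSecurityPolicy, used []FSType) error {
	for _, t := range used {
		if !psp.allows(t) {
			return fmt.Errorf("policy %q does not allow volume type %q", psp.Name, t)
		}
	}
	return nil
}

func main() {
	// Constructed sample policies for the demonstration.
	restricted := PodSecurityPolicy{Name: "restricted", Volumes: []FSType{FSTypeConfigMap, FSTypeSecret}}
	withEphemeral := PodSecurityPolicy{Name: "with-ephemeral", Volumes: []FSType{FSTypeSecret, FSTypeEphemeral}}

	fmt.Println("create, gate off:          ", ValidatePSP(withEphemeral, nil, false))
	fmt.Println("create, gate on:           ", ValidatePSP(withEphemeral, nil, true))
	fmt.Println("update, gate off, old had it:", ValidatePSP(withEphemeral, &withEphemeral, false))
	fmt.Println("pod w/ ephemeral, restricted:", AdmitPodVolumes(restricted, []FSType{FSTypeSecret, FSTypeEphemeral}))
	fmt.Println("pod w/ ephemeral, allowed:   ", AdmitPodVolumes(withEphemeral, []FSType{FSTypeEphemeral}))
}
```

The distinction between `lists` and `allows` is deliberate: a wildcard `*` is enough to admit a pod that uses the new type, but object validation looks only at whether the type is named explicitly, because that is the field whose acceptance depends on the feature gate.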
521258f to fb4b380
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: liggitt, pohly
The full list of commands accepted by this bot can be found here. The pull request process is described here.
What type of PR is this?
/kind bug
What this PR does / why we need it:
As pointed out in c05c8e9#r46791570 the introduction of the "generic" volume type did not consider that this is an implicit API change for PodSecurityPolicy which must take the feature gate into account.
This gets fixed and one more test case for applying the PSP gets added.
Special notes for your reviewer:
I think the validation itself (pkg/apis/policy/validation/validation.go) does not need to check the feature gate because the new type will already have been dropped depending on the feature gate and the old object (#80568 (comment)).
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: