
Update apiVersions of webhook rule #11149

Merged
merged 2 commits into linkerd:main from validate-httproute-v1beta2v1beta3 on Sep 7, 2023

Conversation

mikutas
Contributor

@mikutas mikutas commented Jul 23, 2023

HttpRoute v1beta2/v1beta3 seem not to be validated via the webhook:

```console
❯ helm template charts/linkerd-crds/ --show-only templates/policy/httproute.yaml | yq .spec.versions[].name
v1alpha1
v1beta1
v1beta2
v1beta3
```

@mikutas mikutas force-pushed the validate-httproute-v1beta2v1beta3 branch 2 times, most recently from 2f4b477 to 19bba53 Compare July 25, 2023 00:21
Signed-off-by: Takumi Sue <u630868b@alumni.osaka-u.ac.jp>
@mikutas mikutas force-pushed the validate-httproute-v1beta2v1beta3 branch from 19bba53 to 68a40e5 Compare July 25, 2023 10:26
@mikutas mikutas marked this pull request as ready for review July 26, 2023 11:18
@mikutas mikutas requested a review from a team as a code owner July 26, 2023 11:18
Member

@alpeb alpeb left a comment


Good find 👍
It's important to note that even before this change, v1beta2 and v1beta3 were getting sent to the validator regardless, because it uses the default `matchPolicy: Equivalent`, which means the resource will get sent for any of the versions for that API group that are getting served (currently all are getting served, and v1beta3 is the one marked for storage).
I think it's still good practice to consider all the versions here, but to avoid updating every time, perhaps a wildcard `'*'` would do? @adleong wdyt?

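The `matchPolicy` behaviour described in the comment above is the part that is easy to get wrong when auditing an admission webhook, so here is an added example (not linkerd code and not part of this PR) that computes which served versions of a CRD a `ValidatingWebhookConfiguration` rule leaves unvalidated, under both the default `Equivalent` policy and `Exact`. The CRD and webhook objects are constructed inline in the same JSON layout `kubectl get crd <name> -o json` and `kubectl get validatingwebhookconfiguration <name> -o json` produce; the webhook and configuration names are assumptions, not linkerd's. It deliberately ignores cross-group equivalence (the `extensions`/`apps` style aliasing of built-in resources), which does not apply to a CRD that lives in a single group. Python 3, standard library only.

```python
"""Does a ValidatingWebhookConfiguration rule intercept every served version of a CRD?

Added example (not linkerd code). Kubernetes admission semantics encoded here:
  - matchPolicy defaults to "Equivalent": a request for any served version of a
    group/resource is sent to the webhook if the rule lists at least one served
    version of that group/resource; the API server converts the object to a
    listed version before calling the webhook.
  - matchPolicy "Exact": only the literal apiVersions in the rule are intercepted.
"""
import json

# Constructed input: the HTTPRoute CRD with the four served versions shown in the
# PR description. Field layout follows `kubectl get crd <name> -o json`.
CRD_JSON = json.dumps({
    "apiVersion": "apiextensions.k8s.io/v1",
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "httproutes.policy.linkerd.io"},
    "spec": {
        "group": "policy.linkerd.io",
        "names": {"plural": "httproutes", "kind": "HTTPRoute"},
        "versions": [
            {"name": "v1alpha1", "served": True, "storage": False},
            {"name": "v1beta1", "served": True, "storage": False},
            {"name": "v1beta2", "served": True, "storage": False},
            {"name": "v1beta3", "served": True, "storage": True},
        ],
    },
})


def webhook_json(api_versions, match_policy=None):
    """Constructed ValidatingWebhookConfiguration with one rule for httproutes.

    The webhook and configuration names are assumptions, not linkerd's real names.
    match_policy=None leaves the field unset so the API server default applies.
    """
    hook = {
        "name": "policy-validator.example.invalid",  # assumed name
        "rules": [{
            "apiGroups": ["policy.linkerd.io"],
            "apiVersions": list(api_versions),
            "operations": ["CREATE", "UPDATE"],
            "resources": ["httproutes"],
        }],
    }
    if match_policy is not None:
        hook["matchPolicy"] = match_policy
    return json.dumps({
        "apiVersion": "admissionregistration.k8s.io/v1",
        "kind": "ValidatingWebhookConfiguration",
        "metadata": {"name": "policy-validator-webhook-config"},  # assumed name
        "webhooks": [hook],
    })


def served_versions(crd_json):
    """Version names the API server actually serves (served: true), in CRD order."""
    crd = json.loads(crd_json)
    return [v["name"] for v in crd["spec"]["versions"] if v.get("served", False)]


def _matches(patterns, value):
    return "*" in patterns or value in patterns


def uncovered_versions(crd_json, webhook_cfg_json):
    """Served CRD versions that no webhook rule would intercept, sorted."""
    crd = json.loads(crd_json)
    cfg = json.loads(webhook_cfg_json)
    group = crd["spec"]["group"]
    resource = crd["spec"]["names"]["plural"]
    served = set(served_versions(crd_json))
    covered = set()
    for hook in cfg.get("webhooks", []):
        policy = hook.get("matchPolicy", "Equivalent")  # API server default
        for rule in hook.get("rules", []):
            if not _matches(rule.get("apiGroups", []), group):
                continue
            if not _matches(rule.get("resources", []), resource):
                continue
            listed = set(rule.get("apiVersions", []))
            hit = served if "*" in listed else listed & served
            if not hit:
                continue  # rule names only versions that are not served at all
            covered |= served if policy == "Equivalent" else hit
    return sorted(served - covered)


if __name__ == "__main__":
    before, after = ["v1alpha1", "v1beta1"], ["*"]  # the rule before and after this PR
    for policy in (None, "Exact"):
        label = policy or "Equivalent (default)"
        print(f"{label:22} before: {uncovered_versions(CRD_JSON, webhook_json(before, policy))}"
              f"  after: {uncovered_versions(CRD_JSON, webhook_json(after, policy))}")
```

Run stand-alone it reports no gap for the old two-version rule under the default policy, and `['v1beta2', 'v1beta3']` only if someone had set `matchPolicy: Exact`; the wildcard rule covers everything under either policy. The practitioner caveat the check does not show: under `Equivalent` the webhook receives the object converted to one of the versions the rule lists, whereas with `apiVersions: ['*']` it receives the request's own version, so the validator behind a wildcard rule has to accept the schema of every served version, not just the ones it was originally written for.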
@mikutas mikutas changed the title fix: validate HttpRoute v1beta2/v1beta3 chore: validate HttpRoute v1beta2/v1beta3 Jul 29, 2023
@mikutas mikutas changed the title chore: validate HttpRoute v1beta2/v1beta3 Update apiVersions of webhook rule Jul 29, 2023
@alpeb
Member

alpeb commented Aug 3, 2023

@mikutas After talking off-github with @adleong we agreed that having a wildcard there should mean we no longer have to worry about updating that entry. Do you mind updating it accordingly?

so that we don't worry about updating the field

Signed-off-by: Takumi Sue <u630868b@alumni.osaka-u.ac.jp>
Member

@alpeb alpeb left a comment


Thanks @mikutas , this looks good to me 👍

Member

@mateiidavid mateiidavid left a comment


Thank you so much @mikutas!

@mateiidavid mateiidavid merged commit 33dd17f into linkerd:main Sep 7, 2023
33 checks passed
mateiidavid added a commit that referenced this pull request Sep 7, 2023
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this change fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([11265])
* Improved help messaging for `linkerd multicluster link` ([11265])
* Changed hostPort lookup behaviour in the destination service; previously,
  endpoint lookups for pods bound on a hostPort would return the Pod IP which
  would result in loss of connectivity on pod restart, hostIPs are now always
  returned when a pod uses a hostPort ([11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([10231])

[11309]: #11309
[11296]: #11296
[11328]: #11328
[11301]: #11301
[11265]: #11265
[11149]: #11149
[10231]: #10231

Signed-off-by: Matei David <matei@buoyant.io>
@mateiidavid mateiidavid mentioned this pull request Sep 7, 2023
@mikutas mikutas deleted the validate-httproute-v1beta2v1beta3 branch September 9, 2023 04:40
mateiidavid added a commit that referenced this pull request Sep 11, 2023
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([#11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([#11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([#11265])
* Improved help messaging for `linkerd multicluster link` ([#11265])
* Changed how hostPort lookups are handled in the destination service.
  Previously, when doing service discovery for an endpoint bound on a hostPort,
  the destination service would return the corresponding pod IP. On pod
  restart, this could lead to loss of connectivity on the client's side. The
  destination service now always returns host IPs for service discovery on an
  endpoint that uses hostPorts ([#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([#11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([#10231])

[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

---------

Signed-off-by: Matei David <matei@buoyant.io>
Co-authored-by: Eliza Weisman <eliza@buoyant.io>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
HTTPRoute resources are sent to the validator regardless of their version (v1beta2, v1beta3) due to the match policy of the resource (resource is sent for any version of the API being served). However, it is good practice to consider all versions explicitly in the webhook rule. This change adds a wildcard operator to consider any HTTPRoute version for admission.

Signed-off-by: Takumi Sue <u630868b@alumni.osaka-u.ac.jp>
mateiidavid added a commit that referenced this pull request Sep 21, 2023
This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
`remoteDiscoverySelector` field in the `Link` resource would cause all services
to be exported. Finally, this release addresses two security vulnerabilities,
[CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous
other fixes and enhancements.

* CLI
  * Fixed `linkerd check --proxy` incorrectly checking the proxy version of
    pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
  * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
    inject` (thanks @mikutas!) ([#10231])

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin ([#11296])

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts ([#11328])
  * Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) ([#11149])

* Helm
  * Removed unnecessary `linkerd.io/helm-release-version` annotation from the
    `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
    [#10778])
  * Introduced resource requests/limits for the policy controller resource in
    the control plane helm chart ([#11301])

* Multicluster
  * Fixed an issue where an empty `remoteDiscoverySelector` field in a
    multicluster link would cause all services to be mirrored ([#11309])
  * Removed time out from `linkerd multicluster gateways` command; when no
    metrics exist the command will return instantly ([#11265])
  * Improved help messaging for `linkerd multicluster link` ([#11265])

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
    ([#11361])

[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[#11295]: #11295
[#11280]: #11280
[#11361]: #11361
[#11329]: #11329
[#10778]: #10778
[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

Signed-off-by: Matei David <matei@buoyant.io>
@mateiidavid mateiidavid mentioned this pull request Sep 21, 2023
mateiidavid added a commit that referenced this pull request Sep 25, 2023
* stable-2.14.1

Signed-off-by: Matei David <matei@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Co-authored-by: Eliza Weisman <eliza@buoyant.io>