Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set Forbidden as the response status reason #1692

Merged
merged 3 commits into from Dec 1, 2021
Merged

Set Forbidden as the response status reason #1692

merged 3 commits into from Dec 1, 2021

Conversation

regadas
Copy link
Contributor

@regadas regadas commented Nov 25, 2021
edited

What this PR does / why we need it:
Recently while integrating gatekeeper I noticed that a denied admission webook response will look somewhat like this:

Message and Reason kinda have the same info.

errors.StatusError{
    ErrStatus:v1.Status{
        TypeMeta:v1.TypeMeta{Kind:\"\", APIVersion:\"\"},
        ListMeta:v1.ListMeta{
            SelfLink:\"\",
            ResourceVersion:\"\",
            Continue:\"\",
            RemainingItemCount:(*int64)(nil)},
        Status:\"Failure\",
        Message:\"admission webhook \\\"validation.gatekeeper.sh\\\" denied the request: [enforce-resource-quota] resource exceeded cpu quota\",
        Reason:\"[enforce-resource-quota] resource exceeded cpu quota\",
        Details:(*v1.StatusDetails)(nil),
        Code:403}
}

I guess this is generally ok! However, if one is using "k8s.io/apimachinery/pkg/api/errors" to determine the type of error we are out of luck since it relies on the Reason property.

Given the above example:

errors.IsForbidden(err) // False

I suggest a small change in the StatusError and give Reason the proper description keeping Message as the human-readable description of this operation.

errors.StatusError{
    ErrStatus:v1.Status{
        TypeMeta:v1.TypeMeta{Kind:\"\", APIVersion:\"\"},
        ListMeta:v1.ListMeta{
            SelfLink:\"\",
            ResourceVersion:\"\",
            Continue:\"\",
            RemainingItemCount:(*int64)(nil)},
        Status:\"Failure\",
        Message:\"admission webhook \\\"validation.gatekeeper.sh\\\" denied the request: [enforce-resource-quota] resource exceeded cpu quota\",
        Reason:\"Forbidden\",
        Details:(*v1.StatusDetails)(nil),
        Code:403}
}

Fixes #1693

@regadas regadas mentioned this pull request Nov 25, 2021
Closed
@maxsmythe
Copy link
Contributor

Thanks for the PR! I think this makes sense, but if raises a few questions:

Why does controller-runtime not currently work this way? Do we run the risk of breaking something else by changing this? Is it possible that this should be fixed at the controller-runtime level?

For this PR, I'm mainly concerned about the second question.

@liggitt
Copy link

liggitt commented Nov 30, 2021

Why does controller-runtime not currently work this way? Do we run the risk of breaking something else by changing this? Is it possible that this should be fixed at the controller-runtime level?

it's a bug in controller-runtime, fix proposed in kubernetes-sigs/controller-runtime#1539

@regadas
Copy link
Contributor Author

regadas commented Nov 30, 2021

Hi @maxsmythe @liggitt!

Thanks, I was unaware of that proposed fix in kubernetes-sigs/controller-runtime#1539 which makes sense to me. However, it seems to me that there's no agreement if it should go in which will delay things a bit.

Do we run the risk of breaking something else by changing this?

Possibly:

  • requests that didn't match isForbidden will now match (but this is a good thing)
  • parsing Reason when they should be parsing Message

IMO, I think it still makes sense to address this in `gatekeeper because users on current versions or earlier will still benefit from it.

Let me know what do you think. I'll propose a new change that's in line with the above PR and safe for future updates.

@regadas
Set Forbidden as the response status reason
eb5c3db 
Signed-off-by: Filipe Regadas <filiperegadas@gmail.com>
@regadas
fixup! Set Forbidden as the response status reason
90f8a48 
Signed-off-by: Filipe Regadas <filiperegadas@gmail.com>
@maxsmythe
Copy link
Contributor

Thanks @liggitt for the context! Knowing that it's a bug in controller-runtime, it sounds like we're probably safe to fix it here.

Chesterton's fence is ready for removal ;)

maxsmythe
maxsmythe approved these changes Dec 1, 2021
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@codecov-commenter
Copy link

codecov-commenter commented Dec 1, 2021
edited

Codecov Report

Merging #1692 (7bbc27f) into master (09bdc07) will increase coverage by 0.11%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1692      +/-   ##
==========================================
+ Coverage   51.81%   51.93%   +0.11%     
==========================================
  Files          98       98              
  Lines        8711     8718       +7     
==========================================
+ Hits         4514     4528      +14     
+ Misses       3833     3831       -2     
+ Partials      364      359       -5
Flag Coverage Δ
unittests 51.93% <0.00%> (+0.11%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/webhook/policy.go 28.37% <0.00%> (-0.56%) ⬇️
pkg/watch/replay.go 78.97% <0.00%> (-2.28%) ⬇️
...onstrainttemplate/constrainttemplate_controller.go 58.17% <0.00%> (+4.32%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b3d029f...7bbc27f. Read the comment docs.

ritazh
ritazh approved these changes Dec 1, 2021
View reviewed changes
Copy link
Member

@ritazh ritazh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ritazh ritazh merged commit d7de2a0 into open-policy-agent:master Dec 1, 2021
priyamshet pushed a commit to priyamshet/gatekeeper-1 that referenced this pull request Dec 14, 2021
@regadas @ritazh @priyamshet
Set Forbidden as the response status reason (open-policy-agent#1692)
3cce955 
* Set Forbidden as the response status reason

Signed-off-by: Filipe Regadas <filiperegadas@gmail.com>

* fixup! Set Forbidden as the response status reason

Signed-off-by: Filipe Regadas <filiperegadas@gmail.com>

Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Priya Shetpriya.shet@gmail.com <priya.shet@gmail.com>
@regadas
Copy link
Contributor Author

regadas commented Mar 23, 2022
edited

Hi @ritazh @priyamshet; quick question: In which version are you aiming to have this in? currently I'm running a fork of gatekeeper because this change is a blocker for me.

Just want to understand for how long I need to keep it 😄

Thanks.

@ritazh
Copy link
Member

ritazh commented Mar 24, 2022

@regadas This commit should be included in the upcoming release v3.8.0 in the next couple of weeks. Thanks for your patience!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ritazh ritazh ritazh approved these changes

@maxsmythe maxsmythe maxsmythe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Set Forbidden as the response status reason
5 participants
@regadas @maxsmythe @liggitt @codecov-commenter @ritazh