New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1990826: routes without TLS are rejected for missing HSTS annotation #240
Conversation
@candita: This pull request references Bugzilla bug 1990826, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
// Cannot apply HSTS if route is not TLS, but the route is still valid. Just log a warning. | ||
tls := newRoute.Spec.TLS | ||
if tls == nil || (tls.Termination != routeapi.TLSTerminationEdge && tls.Termination != routeapi.TLSTerminationReencrypt) { | ||
klog.Warningf("HSTS Policy not added for %s, wrong termination type: %v", newRoute.Name, tls) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this log a warning on every passthrough or non-TLS route that the plugin observes? That seems a bit noisy, especially as a warning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It only tries to validate if there is HSTS added or changed:
openshift-apiserver/pkg/route/apiserver/admission/requiredrouteannotations/admission.go
Line 106 in f5941a5
if wants == has && newHSTS == oldHSTS { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That means it logs a warning for each passthrough or non-TLS route that is created, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The openshift-apiserver logs for the most recent e2e-aws CI job run for this PR shows these warnings:
W0810 20:18:34.581431 1 admission.go:189] HSTS Policy not added for route-2, wrong termination type: <nil>
W0810 20:18:52.278999 1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough Redirect}
W0810 20:19:46.207319 1 admission.go:189] HSTS Policy not added for weightedroute, wrong termination type: <nil>
W0810 20:24:01.136944 1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough Redirect}
W0810 20:24:38.956535 1 admission.go:189] HSTS Policy not added for route-1, wrong termination type: <nil>
W0810 20:24:39.032518 1 admission.go:189] HSTS Policy not added for route-2, wrong termination type: <nil>
W0810 20:25:04.799717 1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough Redirect}
W0810 20:26:22.782223 1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough Redirect}
W0810 20:26:38.298478 1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough Redirect}
W0810 20:28:18.489976 1 admission.go:189] HSTS Policy not added for passthrough-route, wrong termination type: &{passthrough }
W0810 20:29:26.733012 1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough Redirect}
W0810 20:29:31.775479 1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough Redirect}
W0810 20:29:58.628117 1 admission.go:189] HSTS Policy not added for test-vjbft, wrong termination type: <nil>
W0810 20:30:38.974223 1 admission.go:189] HSTS Policy not added for 0, wrong termination type: <nil>
W0810 20:30:39.226531 1 admission.go:189] HSTS Policy not added for 4, wrong termination type: <nil>
W0810 20:30:39.541531 1 admission.go:189] HSTS Policy not added for 11, wrong termination type: <nil>
W0810 20:30:39.595524 1 admission.go:189] HSTS Policy not added for 12, wrong termination type: <nil>
W0810 20:30:45.563139 1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough Redirect}
W0810 20:31:06.028072 1 admission.go:189] HSTS Policy not added for route-1, wrong termination type: <nil>
W0810 20:31:06.090396 1 admission.go:189] HSTS Policy not added for route-2, wrong termination type: <nil>
W0810 20:31:06.167867 1 admission.go:189] HSTS Policy not added for route-override-domain-1, wrong termination type: <nil>
W0810 20:31:06.189040 1 admission.go:189] HSTS Policy not added for 8, wrong termination type: <nil>
W0810 20:32:09.658686 1 admission.go:189] HSTS Policy not added for route-override-domain-1, wrong termination type: <nil>
W0810 20:33:34.032948 1 admission.go:189] HSTS Policy not added for route, wrong termination type: <nil>
That could be a lot of noise on a cluster with thousands of routes. Would it make sense to skip logging for these routes, or at least reduce it from a warning to info?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's strange. I wouldn't think there'd be any HSTS annotations in CI yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh yes, it checks for any newly created route and reports these warnings. It should report those warnings only if HSTS is needed, so I'll look into that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per team chat, we will just ignore silently for now, and address missing annotations on routes as route status in https://issues.redhat.com/browse/NE-678
f5941a5
to
f3bef83
Compare
|
/lgtm |
@@ -108,6 +108,15 @@ func (o *requiredRouteAnnotations) Validate(ctx context.Context, a admission.Att | |||
} | |||
} | |||
|
|||
newRoute := a.GetObject().(*routeapi.Route) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not the one 20 lines higher?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
f3bef83
to
a8c6e73
Compare
@candita: This pull request references Bugzilla bug 1990826, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test e2e-aws |
/bugzilla cc-qa |
@quarterpin: This pull request references Bugzilla bug 1990826, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lgtm Verified via pre-merge verification workflow, more references related to the test can be found in: |
/test e2e-cmd |
/test e2e-cmd |
/test e2e-cmd |
Looks like e2e-cmd keeps hitting BZ#1990041. |
@candita: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: candita, deads2k, Miciah, quarterpin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@candita: All pull requests linked via external trackers have merged: Bugzilla bug 1990826 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Routes without TLS should just be admitted if they are missing HSTS annotation in a domain that requires HSTS annotation.
Error messages should have more information.