Include update operation in build admission controller

[csrwng]

It is possible to update a bc that was created with an allowed type to a type that is not allowed. This change closes that loophole.

Fixes #6556

[csrwng]

@bparees ptal
@jwforres fyi

[bparees]

expected

[csrwng]

fixed

[bparees]

lgtm

[openshift-bot]

[Test]ing while waiting on the merge queue

[deads2k]

[test]

[deads2k]

@csrwng Not a known flake:

FAILURE after 0.168s: hack/../test/cmd/builds.sh:79: executing 'oc patch bc/ruby-sample-build -p '{"spec":{"output":{"to":{"name":"different:tag1"}}}}'' expecting success: the command returned the wrong error code
There was no output from the command.
Standard error from the command:
Error from server: resource: required value
!!! Error in hack/../test/cmd/../../hack/cmd_util.sh:195
    'return 1' exited with status 1
Call stack:
    1: hack/../test/cmd/../../hack/cmd_util.sh:195 os::cmd::expect_success(...)
    2: hack/../test/cmd/builds.sh:79 main(...)
Exiting with status 1
!!! Error in hack/test-cmd.sh:288
    '${test}' exited with status 1
Call stack:
    1: hack/test-cmd.sh:288 main(...)
Exiting with status 1
[FAIL] !!!!! Test Failed !!!!

[csrwng]

@deads2k thanks. Just discovered that this is a bug in the upstream API server... patch calls the admission control plugin with an empty object. If it gets permission, then proceeds to patch the stored object. So the admission control plugin never gets a chance to determine whether the patched object is valid or not. https://github.com/openshift/origin/blob/master/Godeps/_workspace/src/k8s.io/kubernetes/pkg/apiserver/resthandler.go#L399-L407

To get this PR in, I can add a check for an empty object and let it go through. However, you'll be able to use patch to change a build config to a type that you're not allowed to use.

[csrwng]

Opened k8s issue: kubernetes/kubernetes#19479

[csrwng]

Added check for an actual update @deads2k ptal

[deads2k]

Can't I do a force update without a ResourceVersion? Name would have to be present.

[csrwng]

ha, you're right... name is a better check

[csrwng]

updated to use name

[deads2k]

Removing merge tags while I look at how hard proper admission will be. Depending on how bad it is, we may wait and apply this on top. I will update one way or the other this afternoon.

[csrwng]

reverted to not checking object on update - will depend on upstream fix

[deads2k]

Try building on top of #6608. It should make the update admission chain work how you expect.

[csrwng]

[test]

[csrwng]

[test]

[csrwng]

[test]

[csrwng]

@deads2k I added a commit to modify the bootstrap policy for the build controller sa. Because we are now checking build update operations, the build controller cannot update builds without having access to the build type virtual resources. How would migration of existing policy be handled in this case?

[liggitt]

Wait, why didn't the build controller already have those permissions? How was it able to create builds without them?

[csrwng]

@liggitt the build controller doesn't create builds, only the BuildConfig controller does. Looking at the startup code, the BuildImageChangeTriggerController gets a PrivilegedLoopbackOpenShiftClient, not a service account client.

[liggitt]

is it odd that we're gating create and update on create permission on the subresource? I'd sort of expect create to check create, and update to check update

[csrwng]

I had discussed this with @bparees ... I'm fine with either way. Because it is a virtual resource, separating create from update didn't seem to gain us much. You still have separate permission for create or update of the actual resource and requiring that permissions be aligned seemed overkill.

[liggitt]

fair enough, just reads weird

[liggitt]

maybe worth a comment in the policy, in case someone is confused

[csrwng]

added comment and updated test fixture

[csrwng]

seems like a flake [test]

[deads2k]

flake: #6635

[deads2k]

lgtm. squash and merge at will.

[csrwng]

[merge]

[csrwng]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/4630/) (Image: devenv-rhel7_3146)

[csrwng]

Failing on #6651

[liggitt]

[test][merge]

[openshift-bot]

Evaluated for origin test up to abdb4b3

[openshift-bot]

Evaluated for origin merge up to abdb4b3

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/8544/)