Allow ImageReview backend to add audit annotations. #64597
Conversation
k8s-ci-robot
added
do-not-merge/release-note-label-needed
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
k8s-github-robot
added
the
kind/api-change
wteiken
changed the title
k8s-ci-robot
added
release-note
|
/assign @derekwaynecarr @liggitt |
|
Ideally this would to into the 1.11 release, given that this is a minor change. |
|
@wteiken: You must be a member of the kubernetes-milestone-maintainers github team to set the milestone. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
wteiken
force-pushed
the
add_review_annotations2
branch
from
1652e85
to
719a31c
Compare
k8s-ci-robot
removed
the
cncf-cla: yes
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
wteiken
force-pushed
the
add_review_annotations2
branch
from
7991bcc
to
af5b242
Compare
k8s-ci-robot
added
cncf-cla: yes
|
/assign @derekwaynecarr @liggitt |
|
/test pull-kubernetes-e2e-gce-100-performance |
wteiken
force-pushed
the
add_review_annotations2
branch
3 times, most recently
from
2be487d
to
a17e101
Compare
|
/test pull-kubernetes-e2e-kops-aws |
|
@liggitt @tallclair Updated the PR to use the attributes annotations |
pkg/apis/imagepolicy/types.go
Outdated
| // prefix-less (i.e., the admission controller will add an appropriate | ||
| // prefix). Annotations are only added to the attributes if the the | ||
| // creation is allowed. | ||
| AttributeAnnotations map[string]string |
There was a problem hiding this comment.
let's match the admission webhook response field name of auditAnnotations
pkg/apis/imagepolicy/types.go
Outdated
| // Annotations that should be added to the annotations in the attributes | ||
| // object of the admission controller request. The keys should be | ||
| // prefix-less (i.e., the admission controller will add an appropriate | ||
| // prefix). Annotations are only added to the attributes if the the |
There was a problem hiding this comment.
I'd expect to be able to add annotations to the audit event even for rejected requests
There was a problem hiding this comment.
Up to now I assumed you'd just put the data in the error, but I can see that constraint is a bit artificial, will change.
| return nil | ||
| } | ||
| for k, v := range review.Status.AttributeAnnotations { | ||
| attributes.AddAnnotation(AuditKeyPrefix+k, v) |
There was a problem hiding this comment.
check error and log a warning if if failed
|
|
||
| // AuditKeyPrefix is used as the prefix for all audit keys handled by | ||
| // this pluggin. Some well known suffixes are listed below. | ||
| AuditKeyPrefix = PluginName + ".image-policy.k8s.io/" |
There was a problem hiding this comment.
are upper-case prefix names allowed in audit annotations? I didn't think they were
There was a problem hiding this comment.
@tallclair @sttts seems like audit annotations should allow the qualified keys metadata annotations does
There was a problem hiding this comment.
The spec says it should be the plugin name. Should we just change the plugin name to all lower case?
There was a problem hiding this comment.
Yeah, lowercase is required. We should update the documentation to clarify.
BTW - here is the validation we use on the annotation key:
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go#L37-L70
There was a problem hiding this comment.
that was for webhook-returned audit annotations... webhook admission plugin names are lowercase... I would lowercase the name for purposes of this annotation
|
|
||
| // AuditKeyPrefix is used as the prefix for all audit keys handled by | ||
| // this pluggin. Some well known suffixes are listed below. | ||
| AuditKeyPrefix = PluginName + ".image-policy.k8s.io/" |
There was a problem hiding this comment.
Yeah, lowercase is required. We should update the documentation to clarify.
BTW - here is the validation we use on the annotation key:
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go#L37-L70
| @@ -181,6 +199,12 @@ func (a *Plugin) admitPod(pod *api.Pod, attributes admission.Attributes, review | |||
| return errors.New("one or more images rejected by webhook backend") | |||
| } | |||
|
|
|||
| if review.Status.AttributeAnnotations == nil { | |||
| return nil | |||
| } | |||
There was a problem hiding this comment.
nit: you don't need this - nil in go is equivalent to an empty slice, so the for loop will just skip.
| } | ||
| for _, tt := range tests { | ||
| // Use a closure so defer statements trigger between loop iterations. | ||
| func() { |
There was a problem hiding this comment.
prefer:
t.Run(tt.test, func(t *testing.T) { ... })
|
LGTM, please squash down (can leave the generated files in their own commit if you like), then will tag for merge |
wteiken
changed the title
This can be used to create annotations that will allow auditing of the created pods. The change also introduces "fail open" audit annotations in addition to the previously existing pod annotation for fail open. The pod annotations for fail open will be deprecated soon.
wteiken
force-pushed
the
add_review_annotations2
branch
from
db54455
to
73c522f
Compare
|
@liggitt @tallclair Thanks for the review! Squashed the branch, all tests pass. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/assign @derekwaynecarr |
|
@liggitt @tallclair Will this be picked up at some point or do I need to ping @derekwaynecarr explicitly? |
|
ping is fine or add @deads2k for approval |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: derekwaynecarr, liggitt, wteiken The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
/test all Tests are more than 96 hours old. Re-running tests. |
|
@wteiken: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Automatic merge from submit-queue (batch tested with PRs 64597, 67854, 67734, 67917, 67688). If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
/retest |
What this PR does / why we need it:
This can be used to create annotations that will allow auditing of the created
pods.
The change also introduces "fail open" audit annotations in addition to the
previously existing pod annotation for fail open. The pod annotations for
fail open will be deprecated soon.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: