-
Notifications
You must be signed in to change notification settings - Fork 392
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-30343: Scope each MCN object to only be accessible from its associated MCD #4346
Conversation
@djoshy: This pull request references Jira Issue OCPBUGS-30343, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/test e2e-techpreview |
Skipping CI for Draft Pull Request. |
@djoshy: The specified target(s) for
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test e2e-gcp-op-techpreview |
"github.com/stretchr/testify/require" | ||
) | ||
|
||
func TestMCNScopeSadPath(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😭
/jira refresh |
@djoshy: This pull request references Jira Issue OCPBUGS-30343, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will need to consider also someone impersonating the service account, see herehttps://github.com/openshift/origin/pull/28673/files#diff-72bbc8936ed74501a136ed7ee2f3cff8f70ac7209ef8d90f87db010f6bfcebeeR134-R139) for an example of how to test this and then here as an example of protecting against the lack of a node extra
resourceRules: | ||
- apiGroups: ["machineconfiguration.openshift.io"] | ||
apiVersions: ["v1alpha1"] | ||
operations: ["CREATE","UPDATE"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Q: the daemon seems to also have patch perms. Would this also be needed here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe UPDATE encompasses patching as well. VAP only gives you a smaller "operation" list to match on, not sure why 🤔
@@ -1359,6 +1361,12 @@ func (optr *Operator) syncMachineConfigDaemon(config *renderConfig) error { | |||
configMaps: []string{ | |||
mcdKubeRbacProxyConfigMapPath, | |||
}, | |||
validatingAdmissionPolicies: []string{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
probably a dumb question, what is the mechanism by which this is being gated by featuregate?
As in, this will always sync, but if we dont have techpreview on, it will see the object as apiVersion: admissionregistration.k8s.io/v1beta1
and refuse to apply it...?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's currently gated in applyManifests here. VAP does GA in 1.30, so we'll have to update this to respect the actual features at that point. If we potentially time the kube bump with MCN GAing we could skip that middle step
Will update to reflect the impersonation case w/o the extra as well. |
I've updated the policy to specifically error for the impersonation condition. I'm still using a |
@djoshy: This pull request references Jira Issue OCPBUGS-30343, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update lgtm based on my understanding. Will let @JoelSpeed take a look
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nits, otherwise LGTM
matchConditions: | ||
# Only check requests from machine-config-daemon SA, this allows all other SAs with the correct RBAC to modify MCNs. | ||
- name: "check-only-machine-config-daemon-requests" | ||
expression: "request.userInfo.username == 'system:serviceaccount:openshift-machine-config-operator:machine-config-daemon'" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit should have new line as final char
name: "mcn-guards-binding" | ||
spec: | ||
policyName: "mcn-guards" | ||
validationActions: [Deny] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit, should have new line as final char
Fixed the newlines, I'll hold for pre merge QE review /hold |
/jira refresh |
@djoshy: This pull request references Jira Issue OCPBUGS-30343, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Pre-merge verified https://issues.redhat.com/browse/OCPBUGS-30343 |
/label qe-approved |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work David
/lgtm
/unhold |
/test all |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: djoshy, sinnykumari, yuqi-zhang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
f678509
into
openshift:master
@djoshy: Jira Issue OCPBUGS-30343: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-30343 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
@djoshy: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
[ART PR BUILD NOTIFIER] This PR has been included in build ose-machine-config-operator-container-v4.17.0-202405221910.p0.gf678509.assembly.stream.el9 for distgit ose-machine-config-operator. |
This PR adds:
How to test manually: