OCPBUGS-30343: Scope each MCN object to only be accessible from its associated MCD

[djoshy]

This PR adds:

• a ValidatingAdmissionPolicy that limits the service account of a node's MCD from editing the MCN associated with another node
• tests in e2e/techpreview to verify this behavior

How to test manually:

• Launch a cluster in TechPreview
• From a random node's MCD pod, attempt to patch the MCN of another node. This should fail.

$ oc rsh pod/machine-config-daemon-l2wmr ./rootfs/usr/bin/oc patch  machineconfignodes/djoshy11-gwphs-worker-
b-b5r6s.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'

The machineconfignodes "djoshy11-gwphs-worker-b-b5r6s.c.openshift-gce-devel.internal" is invalid: : ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: MCN update request from node djoshy11-gwphs-master-0.c.openshift-gce-devel.internal rejected, updates to MCN djoshy11-gwphs-worker-b-b5r6s.c.openshift-gce-devel.internal can only be done by the machine-config-daemon running on the MCN's owner node

• Attempt to directly patching the MCN by impersonating the machine-config-daemon SA. This should fail.

$ oc patch  machineconfignodes/djoshy11-s9km2-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}' --as='system:serviceaccount:openshift-machine-config-operator:machine-config-daemon'

The machineconfignodes "djoshy11-s9km2-master-0.c.openshift-gce-devel.internal" is invalid: : ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: this user must have a "authentication.kubernetes.io/node-name" claim

• Attempt to patch the MCN from the MCD running on its node. This should succeed, as it is on the correct node and is using the MCD SA.

$ oc rsh pod/machine-config-daemon-l2wmr ./rootfs/usr/bin/oc patch  machineconfignodes/djoshy11-gwphs-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'
machineconfignode.machineconfiguration.openshift.io/djoshy11-gwphs-master-0.c.openshift-gce-devel.internal patched

• And last but not least, attempt to patch directly from oc using your admin SA. This should still work as normal as the VAP only applies to requests using the MCD SA.

$ oc patch  machineconfignodes/djoshy11-s9km2-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'
machineconfignode.machineconfiguration.openshift.io/djoshy11-s9km2-master-0.c.openshift-gce-devel.internal patched

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-30343, which is invalid:

• expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This PR adds:

• a ValidatingAdmissionPolicy that limits the service account of a node's MCD from editing the MCN associated with another node
• tests in e2e/techpreview to verify this behavior

How to test manually:

• Launch a cluster in TechPreview
• From a random node's MCD pod, attempt to patch the MCN of another node.

$ oc rsh pod/machine-config-daemon-l2wmr ./rootfs/usr/bin/oc patch  machineconfignodes/djoshy11-gwphs-worker-b-b5r6s.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'

This should fail with the following:

The machineconfignodes "djoshy11-gwphs-worker-b-b5r6s.c.openshift-gce-devel.internal" is invalid: : ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: MCN update request from node djoshy11-gwphs-master-0.c.openshift-gce-devel.internal rejected, updates to MCN djoshy11-gwphs-worker-b-b5r6s.c.openshift-gce-devel.internal can only be done by the machine-config-daemon running on the MCN's owner node

• Attempt to patch the MCN associated with the node that machine-config-daemon-l2wmr is running on. This should succeed.

$ oc rsh pod/machine-config-daemon-l2wmr ./rootfs/usr/bin/oc patch  machineconfignodes/djoshy11-gwphs-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'
machineconfignode.machineconfiguration.openshift.io/djoshy11-gwphs-master-0.c.openshift-gce-devel.internal patched

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[djoshy]

/test e2e-techpreview

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

@djoshy: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

• /test 4.12-upgrade-from-stable-4.11-images
• /test cluster-bootimages
• /test e2e-aws-ovn
• /test e2e-aws-ovn-upgrade
• /test e2e-gcp-op
• /test e2e-gcp-op-single-node
• /test e2e-hypershift
• /test images
• /test unit
• /test verify

The following commands are available to trigger optional jobs:

• /test 4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade
• /test bootstrap-unit
• /test e2e-aws-disruptive
• /test e2e-aws-ovn-fips
• /test e2e-aws-ovn-fips-op
• /test e2e-aws-ovn-upgrade-out-of-change
• /test e2e-aws-ovn-workers-rhel8
• /test e2e-aws-proxy
• /test e2e-aws-serial
• /test e2e-aws-single-node
• /test e2e-aws-upgrade-single-node
• /test e2e-aws-workers-rhel8
• /test e2e-azure
• /test e2e-azure-ovn-upgrade
• /test e2e-azure-ovn-upgrade-out-of-change
• /test e2e-azure-upgrade
• /test e2e-gcp-op-techpreview
• /test e2e-gcp-ovn-rt-upgrade
• /test e2e-gcp-rt
• /test e2e-gcp-rt-op
• /test e2e-gcp-single-node
• /test e2e-gcp-upgrade
• /test e2e-metal-assisted
• /test e2e-metal-ipi
• /test e2e-metal-ipi-ovn-dualstack
• /test e2e-metal-ipi-ovn-ipv6
• /test e2e-openstack
• /test e2e-openstack-dualstack
• /test e2e-openstack-externallb
• /test e2e-openstack-parallel
• /test e2e-ovirt
• /test e2e-ovirt-upgrade
• /test e2e-ovn-step-registry
• /test e2e-vsphere
• /test e2e-vsphere-upgrade
• /test e2e-vsphere-upi
• /test e2e-vsphere-upi-zones
• /test e2e-vsphere-zones
• /test okd-e2e-aws
• /test okd-e2e-gcp-op
• /test okd-e2e-upgrade
• /test okd-e2e-vsphere
• /test okd-images
• /test okd-scos-images
• /test security

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-openshift-machine-config-operator-master-bootstrap-unit
• pull-ci-openshift-machine-config-operator-master-e2e-aws-ovn
• pull-ci-openshift-machine-config-operator-master-e2e-aws-ovn-upgrade
• pull-ci-openshift-machine-config-operator-master-e2e-aws-ovn-upgrade-out-of-change
• pull-ci-openshift-machine-config-operator-master-e2e-azure-ovn-upgrade-out-of-change
• pull-ci-openshift-machine-config-operator-master-e2e-gcp-op
• pull-ci-openshift-machine-config-operator-master-e2e-gcp-op-single-node
• pull-ci-openshift-machine-config-operator-master-e2e-gcp-op-techpreview
• pull-ci-openshift-machine-config-operator-master-e2e-hypershift
• pull-ci-openshift-machine-config-operator-master-images
• pull-ci-openshift-machine-config-operator-master-okd-images
• pull-ci-openshift-machine-config-operator-master-security
• pull-ci-openshift-machine-config-operator-master-unit
• pull-ci-openshift-machine-config-operator-master-verify

In response to this:

/test e2e-techpreview

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[djoshy]

/test e2e-gcp-op-techpreview

[hexfusion]

😭

[djoshy]

/jira refresh

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-30343, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[JoelSpeed]

This will need to consider also someone impersonating the service account, see herehttps://github.com/openshift/origin/pull/28673/files#diff-72bbc8936ed74501a136ed7ee2f3cff8f70ac7209ef8d90f87db010f6bfcebeeR134-R139) for an example of how to test this and then here as an example of protecting against the lack of a node extra

[yuqi-zhang]

Q: the daemon seems to also have patch perms. Would this also be needed here?

[djoshy]

I believe UPDATE encompasses patching as well. VAP only gives you a smaller "operation" list to match on, not sure why 🤔

[yuqi-zhang]

probably a dumb question, what is the mechanism by which this is being gated by featuregate?

As in, this will always sync, but if we dont have techpreview on, it will see the object as apiVersion: admissionregistration.k8s.io/v1beta1 and refuse to apply it...?

[djoshy]

It's currently gated in applyManifests here. VAP does GA in 1.30, so we'll have to update this to respect the actual features at that point. If we potentially time the kube bump with MCN GAing we could skip that middle step

[djoshy]

This will need to consider also someone impersonating the service account, see herehttps://github.com/openshift/origin/pull/28673/files#diff-72bbc8936ed74501a136ed7ee2f3cff8f70ac7209ef8d90f87db010f6bfcebeeR134-R139) for an example of how to test this and then here as an example of protecting against the lack of a node extra

Will update to reflect the impersonation case w/o the extra as well.

[djoshy]

I've updated the policy to specifically error for the impersonation condition. I'm still using a matchCondition in the VAP to only check for the machine-config-daemon SA requests, as I think it is a bit easier to read the policy without having to use variables. I've also added a new test for the impersonation case.

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-30343, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

This PR adds:

• a ValidatingAdmissionPolicy that limits the service account of a node's MCD from editing the MCN associated with another node
• tests in e2e/techpreview to verify this behavior

How to test manually:

• Launch a cluster in TechPreview
• From a random node's MCD pod, attempt to patch the MCN of another node. This should fail.

$ oc rsh pod/machine-config-daemon-l2wmr ./rootfs/usr/bin/oc patch  machineconfignodes/djoshy11-gwphs-worker-
b-b5r6s.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'

The machineconfignodes "djoshy11-gwphs-worker-b-b5r6s.c.openshift-gce-devel.internal" is invalid: : ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: MCN update request from node djoshy11-gwphs-master-0.c.openshift-gce-devel.internal rejected, updates to MCN djoshy11-gwphs-worker-b-b5r6s.c.openshift-gce-devel.internal can only be done by the machine-config-daemon running on the MCN's owner node

• Attempt to directly patching the MCN by impersonating the machine-config-daemon SA. This should fail.

$ oc patch  machineconfignodes/djoshy11-s9km2-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}' --as='system:serviceaccount:openshift-machine-config-operator:machine-config-daemon'

The machineconfignodes "djoshy11-s9km2-master-0.c.openshift-gce-devel.internal" is invalid: : ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: this user must have a "authentication.kubernetes.io/node-name" claim

• Attempt to patch the MCN from the MCD running on its node. This should succeed, as it is on the correct node and is using the MCD SA.

$ oc rsh pod/machine-config-daemon-l2wmr ./rootfs/usr/bin/oc patch  machineconfignodes/djoshy11-gwphs-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'
machineconfignode.machineconfiguration.openshift.io/djoshy11-gwphs-master-0.c.openshift-gce-devel.internal patched

• And last but not least, attempt to patch directly from oc using your admin SA. This should still work as normal as the VAP only applies to requests using the MCD SA.

$ oc patch  machineconfignodes/djoshy11-s9km2-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'
machineconfignode.machineconfiguration.openshift.io/djoshy11-s9km2-master-0.c.openshift-gce-devel.internal patched

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[yuqi-zhang]

Update lgtm based on my understanding. Will let @JoelSpeed take a look

[JoelSpeed]

Nits, otherwise LGTM

[JoelSpeed]

Nit should have new line as final char

[JoelSpeed]

Nit, should have new line as final char

[djoshy]

Fixed the newlines, I'll hold for pre merge QE review

/hold

[djoshy]

/jira refresh

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-30343, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.17.0) matches configured target version for branch (4.17.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ptalgulk01

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ptalgulk01]

Pre-merge verified https://issues.redhat.com/browse/OCPBUGS-30343
/label qe-approved

[ptalgulk01]

/label qe-approved

[sinnykumari]

Nice work David
/lgtm

[djoshy]

/unhold

[djoshy]

/test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: djoshy, sinnykumari, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [djoshy,sinnykumari,yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@djoshy: Jira Issue OCPBUGS-30343: All pull requests linked via external trackers have merged:

• openshift/machine-config-operator#4346

Jira Issue OCPBUGS-30343 has been moved to the MODIFIED state.

In response to this:

This PR adds:

• a ValidatingAdmissionPolicy that limits the service account of a node's MCD from editing the MCN associated with another node
• tests in e2e/techpreview to verify this behavior

How to test manually:

• Launch a cluster in TechPreview
• From a random node's MCD pod, attempt to patch the MCN of another node. This should fail.

$ oc rsh pod/machine-config-daemon-l2wmr ./rootfs/usr/bin/oc patch  machineconfignodes/djoshy11-gwphs-worker-
b-b5r6s.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'

The machineconfignodes "djoshy11-gwphs-worker-b-b5r6s.c.openshift-gce-devel.internal" is invalid: : ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: MCN update request from node djoshy11-gwphs-master-0.c.openshift-gce-devel.internal rejected, updates to MCN djoshy11-gwphs-worker-b-b5r6s.c.openshift-gce-devel.internal can only be done by the machine-config-daemon running on the MCN's owner node

• Attempt to directly patching the MCN by impersonating the machine-config-daemon SA. This should fail.

$ oc patch  machineconfignodes/djoshy11-s9km2-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}' --as='system:serviceaccount:openshift-machine-config-operator:machine-config-daemon'

The machineconfignodes "djoshy11-s9km2-master-0.c.openshift-gce-devel.internal" is invalid: : ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: this user must have a "authentication.kubernetes.io/node-name" claim

• Attempt to patch the MCN from the MCD running on its node. This should succeed, as it is on the correct node and is using the MCD SA.

$ oc rsh pod/machine-config-daemon-l2wmr ./rootfs/usr/bin/oc patch  machineconfignodes/djoshy11-gwphs-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'
machineconfignode.machineconfiguration.openshift.io/djoshy11-gwphs-master-0.c.openshift-gce-devel.internal patched

• And last but not least, attempt to patch directly from oc using your admin SA. This should still work as normal as the VAP only applies to requests using the MCD SA.

$ oc patch  machineconfignodes/djoshy11-s9km2-master-0.c.openshift-gce-devel.internal --type=merge -p '{"spec":{"configVersion":{"desired":"rendered-worker-test"}}}'
machineconfignode.machineconfiguration.openshift.io/djoshy11-s9km2-master-0.c.openshift-gce-devel.internal patched

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@djoshy: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-images	94e7526	link	false	/test okd-images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-machine-config-operator-container-v4.17.0-202405221910.p0.gf678509.assembly.stream.el9 for distgit ose-machine-config-operator.
All builds following this will include this PR.