Adding CEL Validation for Permission Claim #1529

shawn-hurley · 2022-07-14T18:16:04Z

Summary

Adding CEL Validation as an option for the APIServer

For Permission Claims adding validations:

When group is empty, then only allow resource in [configmaps,secrets,namespaces,serviceaccounts]
If the group is not empty, then make sure we have a specific identity hash.

Related issue(s)

Fixes #1331

test/e2e/apibinding/apibinding_test.go

sttts · 2022-07-15T11:32:14Z

config/crds/apis.kcp.dev_apibindings.yaml

@@ -69,6 +69,12 @@ spec:
                  required:
                  - resource
                  type: object
+                  x-kubernetes-validations:
+                  - message: if claim for core group must only be one of configmaps,


core group does not really matter here. You can claim Services or Pods. I think the only restriction we can and should have is about the identity.

We don't have all of those types in internal api schemes yet so they would have no effect and we wouldn't be able to serve them.

Are we planning on adding all the internal types?

We may want to update this in the future. But if we are providing things like RBAC, that will not be the core group and will not have an identityHash. I believe that for now let's keep as is (most restrictive) and we can open it up as that path is usually more accessible. Thoughts?

shawn-hurley · 2022-07-18T19:17:10Z

pkg/apis/tenancy/initialization/utils_test.go

@@ -25,14 +25,6 @@ import (
 	tenancyv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/tenancy/v1alpha1"
 )

-func TestClusterWorkspaceInitializerLabelPrefix(t *testing.T) {


@stevekuznetsov Can you please verify that this ok?

ClusterWorkspaceInitializerLabelPrefix is ending a slash. So yes, this test is not valid anymore.

Makefile

pkg/apis/apis/v1alpha1/api_cel_test.go

config/crds/apis.kcp.dev_apibindings.yaml-patch

shawn-hurley · 2022-07-19T20:26:20Z

config/crds/apis.kcp.dev_apibindings.yaml-patch

+  path: /spec/versions/name=v1alpha1/schema/openAPIV3Schema/properties/spec/properties/acceptedPermissionClaims/items/x-kubernetes-validations
+  value:
+    - rule: |
+        (((has(self.group) && self.group == '') || !(has(self.group))) && self.resource in ['configmaps', 'namespaces', 'secrets', 'serviceaccounts']) || ((has(self.group) && self.group != '') && (has(self.identityHash) && self.identityHash != ''))


I do not have a way to do it because the rules are ANDed together AFAICT

* Validate that empty group means only internal types that are valid * Validate that if a group is set, that an identityHash must also be set.

sttts · 2022-07-20T18:42:30Z

config/crds/apis.kcp.dev_apibindings.yaml

+                      ['configmaps', 'namespaces', 'secrets', 'serviceaccounts']
+                  - message: .identityHash must be set if .group is not empty.
+                    rule: '!(has(self.group) && self.group != '''') || (has(self.identityHash)
+                      && self.identityHash != '''')'


much better

I honestly have never done logic like this or at least forgot that it was possible. Thanks for teaching!

https://en.wikipedia.org/wiki/Conjunctive_normal_form

sttts · 2022-07-20T18:43:07Z

/lgtm
/approve

openshift-ci · 2022-07-20T18:43:14Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

stevekuznetsov · 2022-07-20T19:10:53Z

config/crds/apis.kcp.dev_apibindings.yaml

+                    rule: (has(self.group) && self.group != '') || self.resource in
+                      ['configmaps', 'namespaces', 'secrets', 'serviceaccounts']
+                  - message: .identityHash must be set if .group is not empty.
+                    rule: '!(has(self.group) && self.group != '''') || (has(self.identityHash)


What's up with the ''''?

Hm, probably not ideal, but does look like it still passes the identity hash test.

enabling CEL openapi validation for apiserver

0b9bb45

openshift-ci bot requested review from davidfestal and sttts July 14, 2022 18:16

shawn-hurley force-pushed the issue-1331-openapi-permclaim-identiy-core-types branch from 4d12f5d to 1f61d58 Compare July 14, 2022 19:32

sttts reviewed Jul 15, 2022

View reviewed changes

test/e2e/apibinding/apibinding_test.go Outdated Show resolved Hide resolved

sttts reviewed Jul 15, 2022

View reviewed changes

shawn-hurley force-pushed the issue-1331-openapi-permclaim-identiy-core-types branch 2 times, most recently from aed23f7 to f014f44 Compare July 18, 2022 19:12

shawn-hurley commented Jul 18, 2022

View reviewed changes

shawn-hurley force-pushed the issue-1331-openapi-permclaim-identiy-core-types branch 2 times, most recently from 50123c2 to 2d58978 Compare July 18, 2022 20:12

shawn-hurley mentioned this pull request Jul 19, 2022

Add known internal types to internalschemas for the virtual workspace to use (RBAC) #1544

Closed