Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: enforce kind on admission review #2512

Merged
merged 3 commits into from
Jan 18, 2023
Merged

feat: enforce kind on admission review #2512

merged 3 commits into from
Jan 18, 2023

Conversation

acpana
Copy link
Contributor

@acpana acpana commented Jan 12, 2023

Fixes #2504

This improves the UX of using gator verify with an AdmissionReview input. Prior, an err would occur deeper in the call stack at evaluation which actually occluded the real issue too:

unexpected number of violations: got 1 violations but want none: got messages [unable to match constraints: invalid request object: failed to unmarshal gkReview object {"spec" ...

This somewhat ties in with #2005 but alas it only solves the problem with missing kind error.

@acpana
feat: enforce kind on admisisno review
37668e8 
Signed-off-by: Alex Pana <8968914+acpana@users.noreply.github.com>
@maxsmythe maxsmythe changed the title feat: enforce kind on admisisno review feat: enforce kind on admission review Jan 12, 2023
maxsmythe
maxsmythe approved these changes Jan 12, 2023
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ritazh
ritazh reviewed Jan 12, 2023
View reviewed changes
pkg/gator/fixtures/fixtures.go
apiVersion: admission.k8s.io/v1beta1
request:
operation: "DELETE"
object:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to emulate real admission requests for the DELETE operation such that

object is the new object being admitted.
It is null for DELETE operations.

https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-request-and-response

Copy link
Member

@ritazh ritazh Jan 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I print input.review.object in the rego after running kubectl delete I definitely see the object and it is not null. This was on a k8s v1.25 cluster. Not sure if the doc is old because the behavior is updated but this was definitely the case before. #144 (comment) very strange.

Copy link
Contributor Author

@acpana acpana Jan 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, this is interesting. We specifically decided to overwrite the Object when I/ we worked on this: https://github.com/open-policy-agent/gatekeeper/blob/master/pkg/util/request_validation.go#L15-L32 which was what g8r was doing before too:

  • gatekeeper/pkg/webhook/policy.go

    Lines 148 to 152 in 149fb90

    if err := util.SetObjectOnDelete(&req); err != nil {
    vResp := admission.Denied(err.Error())
    vResp.Result.Code = http.StatusInternalServerError
    return vResp
    }

If we did want to change things around here, I'd be open to opening a new issue and tackling this in a new PR. Just want to keep this one's scope small to kind enforcement. Would that be ok?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOL looks like I added this in 2019 #146 so it is a GK specific behavior. So for gator, we can assume object is not null then?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO the input should match what we expect to receive from the API server (meaning an appropriate test would show object as nil and gator should handle the rewriting to make object == oldObject).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

an appropriate test would show object as nil and gator should handle the rewriting to make object == oldObject).

could I handle this in a followup PR?

@acpana acpana mentioned this pull request Jan 12, 2023
Closed
@acpana acpana requested a review from ritazh January 17, 2023 22:09
ritazh
ritazh approved these changes Jan 17, 2023
View reviewed changes
Copy link
Member

@ritazh ritazh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@maxsmythe maxsmythe merged commit eb5256d into open-policy-agent:master Jan 18, 2023
davis-haba pushed a commit to davis-haba/gatekeeper that referenced this pull request Mar 7, 2023
@acpana @davis-haba
feat: enforce kind on admission review (open-policy-agent#2512)
6afec05 
feat: enforce kind on admisisno review

Signed-off-by: Alex Pana <8968914+acpana@users.noreply.github.com>

Signed-off-by: Alex Pana <8968914+acpana@users.noreply.github.com>
@p-linnane p-linnane mentioned this pull request Apr 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxsmythe maxsmythe maxsmythe approved these changes

@ritazh ritazh ritazh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

gator verify: validate kind existence for object & oldObject when specifiying AdmissionReview
3 participants
@acpana @ritazh @maxsmythe