Allow setting volumes:["none"] to disallow all volume types in SCC

[liggitt]

xref #13419

When reading old SCC objects, we default volumes: null to mean volumes: [*] for backwards compatibility.

If you wanted to disallow all volumes, previously you would specify volumes: []. Once we switch to storing in protobuf, [] will no longer be stored, which means we would default back to [*] the next time we read the object from etcd.

Given that an SCC that disallows all volumes is not usable (since all pods have a secret volume), my main concern is ensuring a previously useless SCC stored in etcd doesn't suddenly become a very permissive SCC.

This PR:

• defaults an SCC with volumes: [] to volumes: [none] (so it can be persisted regardless of storage type and not escalate to allow all volumes on next read)
• validates that an SCC that specifies volumes: [none] doesn't allow any other volume types

[liggitt]

[test]

[liggitt]

cc @openshift/api-review @ironcladlou @smarterclayton

[deads2k]

looks reasonable to me

[smarterclayton]

LGTM, API changes are ok (i briefly contemplated None but if anyone adds a formal none volume type I'll shoot them).

[smarterclayton]

@sdodson this is the reason we want to run oadm migrate storage prior to an etcd v3 upgrade (and what prompted the discussion on whether to always run migrate storage prior to upgrading).

…

On Wed, Jun 14, 2017 at 7:34 AM, David Eads ***@***.***> wrote: looks reasonable to me — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#14625 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p9ldlGMPUf2D0m1TRasRkcuy9KjZks5sD8VUgaJpZM4N5WNG> .

[openshift-bot]

continuous-integration/openshift-jenkins/merge Waiting: You are in the build queue at position: 5

[openshift-bot]

Evaluated for origin merge up to 4b85a5a

[liggitt]

forgot I have to regenerate API docs, will update. hope I make it before I reach the head of the merge queue

[liggitt]

this is the reason we want to run oadm migrate storage prior to an etcd v3 upgrade

etcd v3 upgrade doesn't do json -> proto, does it? the next time the json is read from etcd v3, this would do the conversion properly

[smarterclayton]

It doesn't but better safe than sorry (old api server comes up and does bad things)

…

On Wed, Jun 14, 2017 at 11:52 AM, Jordan Liggitt ***@***.***> wrote: this is the reason we want to run oadm migrate storage prior to an etcd v3 upgrade etcd v3 upgrade doesn't do json -> proto, does it? the next time the json is read from etcd v3, this would do the conversion properly — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#14625 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p18t4fdohxIayboqqiFT1-oD0DM8ks5sEAG1gaJpZM4N5WNG> .

[liggitt]

actually, an old API server fed volumes: ["none"] would also disallow all volume types, which is unexpectedly compatible

[liggitt]

hmm... concerning that jenkins was green (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2225/) when my UPSTREAM commit didn't pass the upstream commit checker (https://travis-ci.org/openshift/origin/builds/242888676)

@stevekuznetsov, are we not running that in jenkins?

[smarterclayton]

No, it runs in travis.

…

On Wed, Jun 14, 2017 at 2:33 PM, Jordan Liggitt ***@***.***> wrote: hmm... concerning that jenkins was green (https://ci.openshift.redhat. com/jenkins/job/test_pull_request_origin/2225/) when my UPSTREAM commit didn't pass the upstream commit checker (https://travis-ci.org/ openshift/origin/builds/242888676) @stevekuznetsov <https://github.com/stevekuznetsov>, are we not running that in jenkins? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#14625 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_pwPIASr2sBdxyyH2-SfGNml9iMxIks5sECePgaJpZM4N5WNG> .

[liggitt]

does red travis block merge?

[smarterclayton]

Not yet.

…

On Wed, Jun 14, 2017 at 2:37 PM, Jordan Liggitt ***@***.***> wrote: does red travis block merge? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#14625 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p0s_F3h_GRffFJM4L5aM8B-1L_Quks5sEChYgaJpZM4N5WNG> .

[stevekuznetsov]

We definitely do run that in the check job -- before we jump into hack/env and run the tests:

+ RESTORE_AND_VERIFY_GODEPS=1
+ make verify-commits -j
hack/verify-upstream-commits.sh
[WARNING] No compiled `commitchecker` binary was found. Attempting to build one using:
[WARNING]   $ hack/build-go.sh tools/rebasehelpers/commitchecker
++ Building go targets for linux/amd64: tools/rebasehelpers/commitchecker
/data/src/github.com/openshift/origin/hack/build-go.sh took 14 seconds
===== Verifying UPSTREAM Commits =====
SUCCESS: All commits are valid.

Is that checker broken?

[liggitt]

Is that checker broken?

It turned Travis red, so I don't think so

[stevekuznetsov]

Once we've got the right git state we run:

# run commitchecker outside release container as it needs
# access to git; also explicitly force godeps verification
branch="$( git rev-parse --abbrev-ref --symbolic-full-name HEAD )"
if [[ "${branch}" == "master" ]]; then
  RESTORE_AND_VERIFY_GODEPS=1 make verify-commits -j
fi

OS_BUILD_ENV_PRESERVE=_output/scripts hack/env TEST_KUBE='true' JUNIT_REPORT='true' make check -j -k

[stevekuznetsov]

@liggitt do you have a git reflog to show us the history of this branch? It looks like Travis recorded the commit it merged as 2db9358 and our Jenkins CI says 793f7b1

[stevekuznetsov]

Nevermind... Travis was pointing at the merge commit but nevertheless had 793f7b1

We should probably create logging for commitchecker so we can debug post-facto

[stevekuznetsov]

@liggitt would appreciate it if you could push that bad ref up as a new PR for repro

[smarterclayton]

[test]

[php-coder]

If you inline this to the if, it will be possible to use field.Index() to complain on particular element.

[php-coder]

Do we need a test for that?

[php-coder]

Is it possible that user specify 'None' or 'NONE'? Would it work?

[php-coder]

Does Kubernetes has the same issue? Are they going to do the same?

[liggitt]

Does Kubernetes has the same issue? Are they going to do the same?

They do not, because the first version of PSP had the Volumes field, so they don't have to default nil to mean "allow all"

[php-coder]

In order to support old clients the boolean fields will always take precedence.

About what "boolean fields" this comment is talking? Does it mean AllowHostDirVolumePlugin?

[liggitt]

yes

[php-coder]

It would be good to also ignore this new value when we're comparing SCCs to sort them by priority:

origin/pkg/security/scc/byrestrictions.go

Lines 69 to 70 in 84b8802

	case kapi.FSTypeSecret, kapi.FSTypeConfigMap,
	kapi.FSTypeEmptyDir, kapi.FSTypeDownwardAPI:

[liggitt]

updated byrestrictions, will hold for move of scc types to origin package

[deads2k]

Chances of my pull testing green today are low. Go ahead and merege, but remind me that I need to mess with this.

[liggitt]

[merge][severity:blocker]

[smarterclayton]

[test]

[smarterclayton]

[test]

[openshift-bot]

Evaluated for origin test up to 2136bfc

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2335/) (Base Commit: ee67917) (PR Branch Commit: 2136bfc)