Allow project admins to create/edit/delete NetworkPolicies #14830
Conversation
|
@openshift/networking PTAL @liggitt I assume this is ok by you? |
|
What facility allows cluster admins to lock down network access to/from a namespace? |
|
You mean "as a cluster admin, I want to be able to block two projects from communicating, even when both of those projects want to communicate with each other"? This PR does not allow for that. Do we need to? (If you just meant "can cluster admins prevent project admins from creating policies allowing themselves to access particular other namespaces?" then that's the misunderstanding about NetworkPolicy I mentioned above. NetworkPolicy doesn't work that way. You can only allow other people to connect to your namespace, not allow yourself to connect to other people's namespaces.) |
|
[test] |
|
transient networking problem ("Docker registry lookup failed"). [test] |
|
flake #14043 [test] |
You can't actually. We never auto-tighten and tightening by hand is generally scary for people. |
|
So a few things about this need be very clear in our docs:
@smarterclayton This will significantly complicate any, "let users label their namespaces" feature in the future. Are we going to give up on the self-labeling feature (which makes this resource far less useful), lock down the allowed label selectors for networkpolicies (which has compatibility problems), or something else? |
|
Hrmph. Where were you when I was trying to convince everyone of all that upstream a few months ago. I'm assuming that eventually upstream will add a new selector to NetworkPolicy to allow you to select namespaces by name (or else require that all namespaces have certain well-known labels with values that can't be modified by users). Until then, yes, NetworkPolicy NamespaceSelectors are either useless or insecure, depending on how other things are configured. But anyway, that's not really relevant to this PR: we're already shipping NetworkPolicy (as Tech Preview), people are already using it, and there are use cases for it even without using NamespaceSelectors. (And there are even scenarios where project admins can write NetworkPolicies using NamespaceSelectors, if the cluster admins modify the default project template to automatically add a "name" label to every namespace). So, anyway, this PR makes it so that project admins can create/edit their own NetworkPolicies. Is anyone objecting to merging this? |
I remember bringing it up in a sig-auth call quite some time ago and suggesting a specific whitelist of namespace names to avoid accidents and increase clarity for the simplest cases. It would also have eliminated the labelling need problem. Doing that would have effectively discouraged label selection except by cluster-admins which I think would work well.
I'm currently against because I'm concerned about unexpected interactions with work on a feature to allow for namespace labelling by users. If we flesh one or other other out more completely, perhaps we can come up with a set of rules that will work properly. Throwing out the first idea that pops into my head, admission plugin (so that we can enforce on any cluster with webhook admission) that only allows namespace labels under a particular namespace. You get most of the power you want today and we don't get excessively boxed in for namespace labels later. |
danwinship
changed the title
|
Enabling this doesn't block us in for namespace labels. End users are
able to allow labels if they want, we just need to communicate in the
future that its cooperative, not adversarial. Adversarial label
selection might come from autogenerated labels users can't edit.
Either way, this should go into 3.6, and protections on label
selection when we enable them will have to be taken into account on
those systems at that time. If we allow users to set labels on
projects, they're going to have to be namespaced to prevent collisions
with crq or other existing use cases anyway.
|
|
Restated another way - we're already constrained in how we allow users
to set labels, and this only makes it more obvious.
|
|
Alright, ret[test] (others touched this file) and [merge]. |
These should still be documented. This could easily become pretend protection in an update that allows labeling and online dedicated admins in particular may care. |
|
Evaluated for origin test up to 292931f |
|
Evaluated for origin merge up to 292931f |
|
@danwinship, should this PR get merged? The title (still) contains [DO NOT MERGE] so it's confusing ... |
deads2k
changed the title
He added it when I wanted the hold (very polite). I've updated it now. |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2808/) (Base Commit: 91c5480) (PR Branch Commit: 292931f) |
|
continuous-integration/openshift-jenkins/merge FAILURE (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/1173/) (Base Commit: 91c5480) (PR Branch Commit: 292931f) |
|
green test on recent head with no other permission changes at the top of the queue or in master after base. |
This is how it's supposed to work.
Some customers have argued that they don't actually want this behavior, but as far as we've been able to tell, that has always been based on the mistaken belief that this would allow project admins to give themselves access to other projects. But anyway, we can adjust the permissions for 3.7 if really necessary. This is definitely the right default behavior for 3.6.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1461208
https://trello.com/c/CBQ3Rc00
@knobunc