Skip to content

OCPBUGS-11933: Ignore informative annotations upon admission #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 13, 2024
Merged

OCPBUGS-11933: Ignore informative annotations upon admission #117

merged 2 commits into from
Mar 13, 2024

Conversation

liouk
Copy link
Member

@liouk liouk commented Jul 17, 2023

This PR introduces a list of known informative annotations; pod admission then will ignore any pod mutations that only add these annotations.

The goal is to prevent a pod to be re-admitted and potentially change the SCC under which it gets admitted when a mutation only adds informative annotations, which shouldn't cause SCC changes.

This also fixes a bug in the TestShouldIgnore unit test within pkg/securitycontextconstraints/sccadmission/admission_test.go.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 17, 2023
@openshift-ci-robot
Copy link

@liouk: This pull request references Jira Issue OCPBUGS-11933, which is invalid:

  • expected the bug to target the "4.14.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This PR introduces a list of known informative annotations; pod admission then will ignore any pod mutations that only add these annotations.

The goal is to prevent a pod to be re-admitted and potentially change the SCC under which it gets admitted when a mutation only adds informative annotations, which shouldn't cause SCC changes.

This also fixes a bug in the TestShouldIgnore unit test within pkg/securitycontextconstraints/sccadmission/admission_test.go.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot requested review from ibihim and s-urbaniak July 17, 2023 13:36
@liouk
Copy link
Member Author

liouk commented Jul 17, 2023

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 17, 2023
@openshift-ci-robot
Copy link

@liouk: This pull request references Jira Issue OCPBUGS-11933, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.14.0) matches configured target version for branch (4.14.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot requested a review from xingxingxia July 17, 2023 13:40
@liouk liouk changed the title OCPBUGS-11933: Ignore informative annotations upon admission WIP: OCPBUGS-11933: Ignore informative annotations upon admission Jul 17, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 17, 2023
@liouk liouk force-pushed the admission-informative-annotations branch 3 times, most recently from 4b9741c to d892ff7 Compare July 24, 2023 14:12
@liouk liouk changed the title WIP: OCPBUGS-11933: Ignore informative annotations upon admission OCPBUGS-11933: Ignore informative annotations upon admission Jul 25, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 25, 2023
stlaz
stlaz reviewed Jul 26, 2023
View reviewed changes
@liouk liouk changed the title OCPBUGS-11933: Ignore informative annotations upon admission WIP: OCPBUGS-11933: Ignore informative annotations upon admission Jul 28, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 28, 2023
@liouk liouk force-pushed the admission-informative-annotations branch from d892ff7 to 9a75644 Compare July 28, 2023 10:24
@liouk liouk changed the title WIP: OCPBUGS-11933: Ignore informative annotations upon admission OCPBUGS-11933: Ignore informative annotations upon admission Jul 28, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 28, 2023
stlaz
stlaz reviewed Aug 17, 2023
View reviewed changes
@liouk
Copy link
Member Author

liouk commented Aug 24, 2023

/hold
contains fixups

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 24, 2023
@liouk
Copy link
Member Author

liouk commented Aug 31, 2023

/hold
holding until 4.14 stabilized or branched out

@stlaz
Copy link
Contributor

stlaz commented Sep 7, 2023

please create a proof PR in openshift/kubernetes

@liouk liouk force-pushed the admission-informative-annotations branch from dbffacb to 9836a75 Compare September 7, 2023 12:53
@liouk
Copy link
Member Author

liouk commented Sep 7, 2023

/hold cancel
fixups removed
the automation should be capable of merging this when the critical-fixes-only gate is lifted

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 7, 2023
@liouk liouk force-pushed the admission-informative-annotations branch from 9836a75 to 077f27f Compare September 7, 2023 12:56
@liouk liouk mentioned this pull request Sep 18, 2023
Closed
@liouk liouk force-pushed the admission-informative-annotations branch from 077f27f to 7385c01 Compare September 18, 2023 13:14
@liouk
Copy link
Member Author

liouk commented Oct 5, 2023

please create a proof PR in openshift/kubernetes

@stlaz this is the poc PR: openshift/kubernetes#1708

stlaz
stlaz reviewed Oct 9, 2023
View reviewed changes
stlaz
stlaz reviewed Oct 9, 2023
View reviewed changes
@stlaz
Copy link
Contributor

stlaz commented Oct 9, 2023

/approve
we may want to ask @deads2k to have a peek but the PR seems ok to me

@liouk liouk force-pushed the admission-informative-annotations branch from 7385c01 to 593b8dc Compare October 16, 2023 09:10
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 16, 2023
@liouk liouk force-pushed the admission-informative-annotations branch from 593b8dc to a0fc30b Compare October 16, 2023 09:21
deads2k
deads2k reviewed Nov 13, 2023
View reviewed changes
pkg/securitycontextconstraints/sccadmission/admission.go
return false, admission.NewForbidden(a, fmt.Errorf("object was marked as kind pod but was unable to be converted: %v", a.GetOldObject()))
}

// never ignore any spec changes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

once vertical scaling is a thing, we will ignore some. Just be ready.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is #128 legit, too?

deads2k
deads2k reviewed Nov 13, 2023
View reviewed changes
@liouk liouk force-pushed the admission-informative-annotations branch from a0fc30b to def0bab Compare November 16, 2023 13:21
deads2k
deads2k reviewed Nov 16, 2023
View reviewed changes
pkg/securitycontextconstraints/sccadmission/admission.go Outdated

// do not consider annotations for further comparisons, they were checked above
origNewAnnotations := newPod.ObjectMeta.Annotations
newPod.ObjectMeta.Annotations = oldPod.ObjectMeta.Annotations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't mutate inputs. This got us into trouble in validation a couple years back. This isn't needed to make the mutatingGCFields check work.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right -- I wanted to avoid another deep copy (as the IsMutatingGCFields check does one). I did this now by overriding the equalities, and in particular for the map[string]string type (which is the type of Annotations).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed with @stlaz, opted for doing an object deep-copy and modifying the annotations of the copy in order to perform the controller GCFields check.

@liouk liouk force-pushed the admission-informative-annotations branch from def0bab to 08aef77 Compare January 25, 2024 13:46
@liouk liouk force-pushed the admission-informative-annotations branch from 08aef77 to 8e50815 Compare February 5, 2024 15:47
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 5, 2024

@liouk: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@stlaz
Copy link
Contributor

stlaz commented Mar 13, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 13, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 13, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liouk, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit facc40c into openshift:master Mar 13, 2024
@openshift-ci-robot
Copy link

@liouk: Jira Issue OCPBUGS-11933: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-11933 has been moved to the MODIFIED state.

In response to this:

This PR introduces a list of known informative annotations; pod admission then will ignore any pod mutations that only add these annotations.

The goal is to prevent a pod to be re-admitted and potentially change the SCC under which it gets admitted when a mutation only adds informative annotations, which shouldn't cause SCC changes.

This also fixes a bug in the TestShouldIgnore unit test within pkg/securitycontextconstraints/sccadmission/admission_test.go.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot mentioned this pull request Apr 11, 2024
Merged
@openshift-merge-robot
Copy link
Contributor

Fix included in accepted release 4.16.0-0.nightly-2024-04-13-070448

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k deads2k left review comments

@ibihim ibihim Awaiting requested review from ibihim

@s-urbaniak s-urbaniak Awaiting requested review from s-urbaniak

@xingxingxia xingxingxia Awaiting requested review from xingxingxia

+1 more reviewer

@stlaz stlaz stlaz left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@stlaz stlaz

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@liouk @openshift-ci-robot @stlaz @openshift-merge-robot @deads2k