diff --git a/go.mod b/go.mod
index d5af3c5a69f3b..c06c7a92f6847 100644
--- a/go.mod
+++ b/go.mod
@@ -56,7 +56,7 @@ require (
 	github.com/opencontainers/runc v1.1.10
 	github.com/opencontainers/selinux v1.11.0
 	github.com/openshift/api v0.0.0-20240207185517-ae973131190e
-	github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389
+	github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688
 	github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415
 	github.com/openshift/library-go v0.0.0-20240207105404-126b47137408
 	github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
index caa749d3e449b..cf1beadd0a055 100644
--- a/go.sum
+++ b/go.sum
@@ -689,8 +689,8 @@ github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaL
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/openshift/api v0.0.0-20240207185517-ae973131190e h1:Iv005XrzYnrIl8ptQFI32t2IBgMOx1kkBrqWO3pCp+E=
 github.com/openshift/api v0.0.0-20240207185517-ae973131190e/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389 h1:EqeY6BMyxhD66eQVj5eLxEqeXeTKW0SGPhvRbmTDuAk=
-github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389/go.mod h1:GEjUQF9Z6GqFUKfk+EMN1DVVtTxeUpbcxAv9WwhzE5U=
+github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688 h1:E7U+i+BKXjzH1bZsB5a9ueSxF/8QeLxA9ZncCb0vecs=
+github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688/go.mod h1:a6meSr6htNKfmmZ8ixLmnim/JL7NkgW7rX7J2vczMp4=
 github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415 h1:wfnn3E0Z62bB3wYM5eO1AZ9EYZpFd7M1p4PclcIyVv0=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415/go.mod h1:5W+xoimHjRdZ0dI/yeQR0ANRNLK9mPmXMzUWPAIPADo=
diff --git a/staging/src/k8s.io/api/go.sum b/staging/src/k8s.io/api/go.sum
index fd993b546cbd9..52e36d9633003 100644
--- a/staging/src/k8s.io/api/go.sum
+++ b/staging/src/k8s.io/api/go.sum
@@ -147,7 +147,7 @@ github.com/opencontainers/runc v1.1.10/go.mod h1:+/R6+KmDlh+hOO8NkjmgkG9Qzvypzk0
 github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/openshift/api v0.0.0-20240207185517-ae973131190e/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389/go.mod h1:GEjUQF9Z6GqFUKfk+EMN1DVVtTxeUpbcxAv9WwhzE5U=
+github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688/go.mod h1:a6meSr6htNKfmmZ8ixLmnim/JL7NkgW7rX7J2vczMp4=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415/go.mod h1:5W+xoimHjRdZ0dI/yeQR0ANRNLK9mPmXMzUWPAIPADo=
 github.com/openshift/ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/openshift/library-go v0.0.0-20240207105404-126b47137408/go.mod h1:ePlaOqUiPplRc++6aYdMe+2FmXb2xTNS9Nz5laG2YmI=
diff --git a/staging/src/k8s.io/apiextensions-apiserver/go.sum b/staging/src/k8s.io/apiextensions-apiserver/go.sum
index 041ef433e0beb..309df6f3a0f55 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/go.sum
+++ b/staging/src/k8s.io/apiextensions-apiserver/go.sum
@@ -376,7 +376,7 @@ github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.m
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/openshift/api v0.0.0-20240207185517-ae973131190e h1:Iv005XrzYnrIl8ptQFI32t2IBgMOx1kkBrqWO3pCp+E=
 github.com/openshift/api v0.0.0-20240207185517-ae973131190e/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389/go.mod h1:GEjUQF9Z6GqFUKfk+EMN1DVVtTxeUpbcxAv9WwhzE5U=
+github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688/go.mod h1:a6meSr6htNKfmmZ8ixLmnim/JL7NkgW7rX7J2vczMp4=
 github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415/go.mod h1:5W+xoimHjRdZ0dI/yeQR0ANRNLK9mPmXMzUWPAIPADo=
 github.com/openshift/ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7 h1:jUM9Fdf+fT0LTccN58jrypOyzcfQUs1v2UH6f8vdBTA=
diff --git a/staging/src/k8s.io/apiserver/go.sum b/staging/src/k8s.io/apiserver/go.sum
index d47c0ae900bec..4c105b4af9e95 100644
--- a/staging/src/k8s.io/apiserver/go.sum
+++ b/staging/src/k8s.io/apiserver/go.sum
@@ -373,7 +373,7 @@ github.com/opencontainers/runc v1.1.10/go.mod h1:+/R6+KmDlh+hOO8NkjmgkG9Qzvypzk0
 github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/openshift/api v0.0.0-20240207185517-ae973131190e/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389/go.mod h1:GEjUQF9Z6GqFUKfk+EMN1DVVtTxeUpbcxAv9WwhzE5U=
+github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688/go.mod h1:a6meSr6htNKfmmZ8ixLmnim/JL7NkgW7rX7J2vczMp4=
 github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415/go.mod h1:5W+xoimHjRdZ0dI/yeQR0ANRNLK9mPmXMzUWPAIPADo=
 github.com/openshift/ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7 h1:jUM9Fdf+fT0LTccN58jrypOyzcfQUs1v2UH6f8vdBTA=
diff --git a/staging/src/k8s.io/component-base/go.sum b/staging/src/k8s.io/component-base/go.sum
index 7feee9fe2a531..58b5c503d8b15 100644
--- a/staging/src/k8s.io/component-base/go.sum
+++ b/staging/src/k8s.io/component-base/go.sum
@@ -196,7 +196,7 @@ github.com/opencontainers/runc v1.1.10/go.mod h1:+/R6+KmDlh+hOO8NkjmgkG9Qzvypzk0
 github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/openshift/api v0.0.0-20240207185517-ae973131190e/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389/go.mod h1:GEjUQF9Z6GqFUKfk+EMN1DVVtTxeUpbcxAv9WwhzE5U=
+github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688/go.mod h1:a6meSr6htNKfmmZ8ixLmnim/JL7NkgW7rX7J2vczMp4=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415/go.mod h1:5W+xoimHjRdZ0dI/yeQR0ANRNLK9mPmXMzUWPAIPADo=
 github.com/openshift/ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7 h1:jUM9Fdf+fT0LTccN58jrypOyzcfQUs1v2UH6f8vdBTA=
 github.com/openshift/ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
diff --git a/staging/src/k8s.io/component-helpers/go.sum b/staging/src/k8s.io/component-helpers/go.sum
index 5cf72c1abf7df..9d2219d6151bf 100644
--- a/staging/src/k8s.io/component-helpers/go.sum
+++ b/staging/src/k8s.io/component-helpers/go.sum
@@ -161,7 +161,7 @@ github.com/opencontainers/runc v1.1.10/go.mod h1:+/R6+KmDlh+hOO8NkjmgkG9Qzvypzk0
 github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/openshift/api v0.0.0-20240207185517-ae973131190e/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389/go.mod h1:GEjUQF9Z6GqFUKfk+EMN1DVVtTxeUpbcxAv9WwhzE5U=
+github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688/go.mod h1:a6meSr6htNKfmmZ8ixLmnim/JL7NkgW7rX7J2vczMp4=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415/go.mod h1:5W+xoimHjRdZ0dI/yeQR0ANRNLK9mPmXMzUWPAIPADo=
 github.com/openshift/ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7 h1:jUM9Fdf+fT0LTccN58jrypOyzcfQUs1v2UH6f8vdBTA=
 github.com/openshift/ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
diff --git a/staging/src/k8s.io/kube-aggregator/go.sum b/staging/src/k8s.io/kube-aggregator/go.sum
index e61999a138363..1d6015edb0727 100644
--- a/staging/src/k8s.io/kube-aggregator/go.sum
+++ b/staging/src/k8s.io/kube-aggregator/go.sum
@@ -350,7 +350,7 @@ github.com/opencontainers/runc v1.1.10/go.mod h1:+/R6+KmDlh+hOO8NkjmgkG9Qzvypzk0
 github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/openshift/api v0.0.0-20240207185517-ae973131190e/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389/go.mod h1:GEjUQF9Z6GqFUKfk+EMN1DVVtTxeUpbcxAv9WwhzE5U=
+github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688/go.mod h1:a6meSr6htNKfmmZ8ixLmnim/JL7NkgW7rX7J2vczMp4=
 github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415/go.mod h1:5W+xoimHjRdZ0dI/yeQR0ANRNLK9mPmXMzUWPAIPADo=
 github.com/openshift/ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7 h1:jUM9Fdf+fT0LTccN58jrypOyzcfQUs1v2UH6f8vdBTA=
diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go
index 01120a173fe7e..701d978f7ca45 100644
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/labels"
 	kutilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -28,10 +29,11 @@ import (
 	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
 
 	securityv1 "github.com/openshift/api/security/v1"
-	"github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching"
-	sccsort "github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/util/sort"
 	securityv1informer "github.com/openshift/client-go/security/informers/externalversions/security/v1"
 	securityv1listers "github.com/openshift/client-go/security/listers/security/v1"
+
+	"github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching"
+	sccsort "github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/util/sort"
 )
 
 const PluginName = "security.openshift.io/SecurityContextConstraint"
@@ -470,6 +472,10 @@ var ignoredSubresources = sets.NewString(
 	"status",
 )
 
+var ignoredAnnotations = sets.NewString(
+	"k8s.ovn.org/pod-networks",
+)
+
 func shouldIgnore(a admission.Attributes) (bool, error) {
 	if a.GetResource().GroupResource() != coreapi.Resource("pods") {
 		return true, nil
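Review bot: `ignoredAnnotations` in the `@@ -470,6 +472,10 @@` hunk has no comment, yet every key listed in it is a key whose addition, change or removal on an otherwise unchanged pod lets the update skip SCC admission (that is what the new `shouldIgnoreMetaChanges` in the next hunk consults it for), so a maintainer extending the list needs to know the bar for an entry. Suggest `// ignoredAnnotations lists annotation keys whose addition, change or removal on a pod whose spec is unchanged does not send the update through SCC admission again. Each entry widens the set of updates that bypass SCC re-validation, so only keys written by cluster components (here the OVN network annotation) belong here.`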
@@ -491,16 +497,66 @@ func shouldIgnore(a admission.Attributes) (bool, error) {
 	if pod.Spec.OS != nil && pod.Spec.OS.Name == coreapi.Windows {
 		return true, nil
 	}
-	// if this is an update, see if we are only updating the ownerRef. Garbage collection does this
-	// and we should allow it in general, since you had the power to update and the power to delete.
-	// The worst that happens is that you delete something, but you aren't controlling the privileged object itself
-	if a.GetOperation() == admission.Update && rbacregistry.IsOnlyMutatingGCFields(a.GetObject(), a.GetOldObject(), kapihelper.Semantic) {
-		return true, nil
+
+	if a.GetOperation() == admission.Update {
+		oldPod, ok := a.GetOldObject().(*coreapi.Pod)
+		if !ok {
+			return false, admission.NewForbidden(a, fmt.Errorf("object was marked as kind pod but was unable to be converted: %v", a.GetOldObject()))
+		}
+
+		// never ignore any spec changes
+		if !kapihelper.Semantic.DeepEqual(pod.Spec, oldPod.Spec) {
+			return false, nil
+		}
+
+		// see if we are only doing meta changes that should be ignored during admission
+		// for example, the OVN controller adds informative networking annotations that shouldn't cause the pod to go through admission again
+		if shouldIgnoreMetaChanges(pod, oldPod) {
+			return true, nil
+		}
 	}
 
 	return false, nil
 }
 
+func shouldIgnoreMetaChanges(newPod, oldPod *coreapi.Pod) bool {
+	// check if we're adding or changing only annotations from the ignore list
+	for key, newVal := range newPod.ObjectMeta.Annotations {
+		if oldVal, ok := oldPod.ObjectMeta.Annotations[key]; ok && newVal == oldVal {
+			continue
+		}
+
+		if !ignoredAnnotations.Has(key) {
+			return false
+		}
+	}
+
+	// check if we're removing only annotations from the ignore list
+	for key := range oldPod.ObjectMeta.Annotations {
+		if _, ok := newPod.ObjectMeta.Annotations[key]; ok {
+			continue
+		}
+
+		if !ignoredAnnotations.Has(key) {
+			return false
+		}
+	}
+
+	newPodCopy := newPod.DeepCopyObject()
+	newPodCopyMeta, err := meta.Accessor(newPodCopy)
+	if err != nil {
+		return false
+	}
+	newPodCopyMeta.SetAnnotations(oldPod.ObjectMeta.Annotations)
+
+	// see if we are only updating the ownerRef. Garbage collection does this
+	// and we should allow it in general, since you had the power to update and the power to delete.
+	// The worst that happens is that you delete something, but you aren't controlling the privileged object itself
+	res := rbacregistry.IsOnlyMutatingGCFields(newPodCopy, oldPod, kapihelper.Semantic)
+
+	return res
+}
+
 // SetSecurityInformers implements WantsSecurityInformer interface for constraint.
 func (c *constraint) SetSecurityInformers(informers securityv1informer.SecurityContextConstraintsInformer) {
 	c.sccLister = informers.Lister()
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ef958c445b8b4..ff01054e0a165 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -663,8 +663,8 @@ github.com/openshift/api/security
 github.com/openshift/api/security/v1
 github.com/openshift/api/template/v1
 github.com/openshift/api/user/v1
-# github.com/openshift/apiserver-library-go v0.0.0-20231218150122-47b436d2f389
-## explicit; go 1.20
+# github.com/openshift/apiserver-library-go v0.0.0-20240313131158-facc40cc7688
+## explicit; go 1.21
 github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy
 github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/v1
 github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/validation
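Review bot: `shouldIgnoreMetaChanges` has no doc comment even though it is now the function that decides when a pod update bypasses SCC admission, and its precondition — the caller has already established that `pod.Spec` and `oldPod.Spec` are equal — is invisible at the definition. Suggest `// shouldIgnoreMetaChanges reports whether newPod differs from oldPod only in annotations listed in ignoredAnnotations and in the fields IsOnlyMutatingGCFields tolerates; callers must have verified spec equality first, and the function fails closed (false) when meta.Accessor cannot read the copy.` The `res := rbacregistry.IsOnlyMutatingGCFields(newPodCopy, oldPod, kapihelper.Semantic)` / `return res` pair at the end can be a direct `return rbacregistry.IsOnlyMutatingGCFields(newPodCopy, oldPod, kapihelper.Semantic)`. `newPodCopyMeta.SetAnnotations(oldPod.ObjectMeta.Annotations)` shares oldPod's annotation map with the copy; it is presumably only read afterwards, but since modules.txt now records `go 1.21` for this module a `maps.Clone(oldPod.ObjectMeta.Annotations)` would keep the two pods independent at no real cost. The enclosing `shouldIgnore` starts above this hunk, so its earlier type assertion on the new object is not visible here.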