Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds a webhook to prevent regular users from creating a KubernetesImagePuller resource #493

Merged
merged 5 commits into from
Nov 15, 2023

Conversation

dkwon17
Copy link
Contributor

@dkwon17 dkwon17 commented Nov 2, 2023

This PR is for: https://redhat-internal.slack.com/archives/CHK0J6HT6/p1696522004380079

This PR is based on the same webhook, but for CheCluster: #377

In this screenshot, a regular user sandboxdev-1 is unable to create a KubernetesImagePuller resource:
Screenshot from 2023-11-02 12-25-44

This PR was tested by following these steps and running make dev-deploy-latest and make dev-deploy-e2e-member-local.

Paired with codeready-toolchain/toolchain-e2e#840

Copy link

openshift-ci bot commented Nov 2, 2023

Hi @dkwon17. Thanks for your PR.

I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dkwon17 dkwon17 marked this pull request as draft November 2, 2023 18:29
@dkwon17 dkwon17 marked this pull request as ready for review November 2, 2023 18:37
Copy link
Contributor

@alexeykazakov alexeykazakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally we would like to have Che specific webhooks decoupled from the sandbox operators. That includes both CheCluster validator and the KubernetesImagePuller webhooks. And we can deploy them along with the Che operator through our CD tools.

Is there any specific reason for keeping them here?

@dkwon17
Copy link
Contributor Author

dkwon17 commented Nov 2, 2023

I could be wrong but this seemed to be the easiest way to have the webhook, since there was already a similar webhook (checluster webhook) in this repository

And we can deploy them along with the Che operator through our CD tools.

I need to investigate if this works, but do you mean have the CD tool create a ValidatingWebhookConfiguration object with:

...
      clientConfig:
        service:
          name: member-operator-webhook
          namespace: ${NAMESPACE}
          path: "/validate-users-create-admin-resources"
          port: 443
      rules:
        - operations: ["CREATE"]
          apiGroups: ["che.eclipse.org"]
          apiVersions: ["v1alpha1"]
          resources: ["kubernetesimagepullers"]
          scope: "Namespaced"
        - operations: ["CREATE"]
          apiGroups: ["eclipse.che"]
          apiVersions: ["v2"]
          resources: ["checlusters"]
          scope: Namespaced

And implement a new /validate-users-create-admin-resources endpoint for the member operator webhook server?

I'm still learning how webhooks work and are implemented, but AFAIK this will decouple Che/KubernetesImagePuller specific webhooks from this repo, and can still keep the same functionality

@alexeykazakov
Copy link
Contributor

Webhook is basically a service running in a namespace plus a webhook configuration (ValidatingWebhookConfiguration CR) which defines that webhook and points to the corresponding service.

So you would need to:

  • move your webhook source code to a different repo owned/controlled by the Che team. For example a simple go app which listens to an endpoint & port. See an example of such app here:
    mux.HandleFunc("/validate-users-checlusters", checlusterValidator.HandleValidate)
  • build an image for that webhook
  • Create a manifest for the Deployment (which runs a container for the image you built above), Service and ValidatingWebhookConfiguration.
  • Then add that manifest as an OpenShift Template to our sre repo next to the DevSpaces operator manifests so it's deployed

Copy link

codecov bot commented Nov 2, 2023

Codecov Report

Merging #493 (b756673) into master (1992c36) will increase coverage by 0.06%.
The diff coverage is 50.00%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #493      +/-   ##
==========================================
+ Coverage   82.39%   82.46%   +0.06%     
==========================================
  Files          29       29              
  Lines        3193     3188       -5     
==========================================
- Hits         2631     2629       -2     
+ Misses        426      424       -2     
+ Partials      136      135       -1     
Files Coverage Δ
...lidatingwebhook/validate_k8simagepuller_request.go 30.95% <50.00%> (ø)

@dkwon17 dkwon17 marked this pull request as draft November 6, 2023 16:19
@dkwon17 dkwon17 marked this pull request as ready for review November 9, 2023 15:25
@openshift-ci openshift-ci bot requested a review from alexeykazakov November 9, 2023 15:25
@alexeykazakov
Copy link
Contributor

/ok-to-test

@alexeykazakov
Copy link
Contributor

And could you please do not rebase, squash commits or push with force in PRs? Just keep adding new commits. It would make PR review easier since we could review new commits only instead of reviewing everything from scratch every time.

@dkwon17
Copy link
Contributor Author

dkwon17 commented Nov 10, 2023

/retest

@dkwon17
Copy link
Contributor Author

dkwon17 commented Nov 10, 2023

For the failing e2e test:

Test result
=== CONT  TestSetupMigration
    member.go:2316: checking ValidatingWebhookConfiguration 'member-operator-validating-webhook'
    member.go:2345: 
        	Error Trace:	/tmp/toolchain-e2e/testsupport/wait/member.go:2345
        	            				/tmp/toolchain-e2e/testsupport/wait/member.go:2155
        	            				/tmp/toolchain-e2e/testsupport/init.go:127
        	            				/usr/local/go/src/sync/once.go:74
        	            				/usr/local/go/src/sync/once.go:65
        	            				/tmp/toolchain-e2e/testsupport/init.go:45
        	            				/tmp/toolchain-e2e/test/migration/setup/setup_migration_test.go:12
        	Error:      	Not equal: 
        	            	expected: "users.kubernetesimagepullers.webhook.sandbox"
        	            	actual  : "users.checlusters.webhook.sandbox"
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1 +1 @@
        	            	-users.kubernetesimagepullers.webhook.sandbox
        	            	+users.checlusters.webhook.sandbox
        	Test:       	TestSetupMigration
    member.go:2355: 
        	Error Trace:	/tmp/toolchain-e2e/testsupport/wait/member.go:2355
        	            				/tmp/toolchain-e2e/testsupport/wait/member.go:2155
        	            				/tmp/toolchain-e2e/testsupport/init.go:127
        	            				/usr/local/go/src/sync/once.go:74
        	            				/usr/local/go/src/sync/once.go:65
        	            				/tmp/toolchain-e2e/testsupport/init.go:45
        	            				/tmp/toolchain-e2e/test/migration/setup/setup_migration_test.go:12
        	Error:      	Not equal: 
        	            	expected: "/validate-users-kubernetesimagepullers"
        	            	actual  : "/validate-users-checlusters"
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1 +1 @@
        	            	-/validate-users-kubernetesimagepullers
        	            	+/validate-users-checlusters
        	Test:       	TestSetupMigration
    member.go:2361: 
        	Error Trace:	/tmp/toolchain-e2e/testsupport/wait/member.go:2361
        	            				/tmp/toolchain-e2e/testsupport/wait/member.go:2155
        	            				/tmp/toolchain-e2e/testsupport/init.go:127
        	            				/usr/local/go/src/sync/once.go:74
        	            				/usr/local/go/src/sync/once.go:65
        	            				/tmp/toolchain-e2e/testsupport/init.go:45
        	            				/tmp/toolchain-e2e/test/migration/setup/setup_migration_test.go:12
        	Error:      	Not equal: 
        	            	expected: []string{"che.eclipse.org"}
        	            	actual  : []string{"org.eclipse.che"}
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,3 +1,3 @@
        	            	 ([]string) (len=1) {
        	            	- (string) (len=15) "che.eclipse.org"
        	            	+ (string) (len=15) "org.eclipse.che"
        	            	 }
        	Test:       	TestSetupMigration
    member.go:2362: 
        	Error Trace:	/tmp/toolchain-e2e/testsupport/wait/member.go:2362
        	            				/tmp/toolchain-e2e/testsupport/wait/member.go:2155
        	            				/tmp/toolchain-e2e/testsupport/init.go:127
        	            				/usr/local/go/src/sync/once.go:74
        	            				/usr/local/go/src/sync/once.go:65
        	            				/tmp/toolchain-e2e/testsupport/init.go:45
        	            				/tmp/toolchain-e2e/test/migration/setup/setup_migration_test.go:12
        	Error:      	Not equal: 
        	            	expected: []string{"v1alpha1"}
        	            	actual  : []string{"v2"}
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,3 +1,3 @@
        	            	 ([]string) (len=1) {
        	            	- (string) (len=8) "v1alpha1"
        	            	+ (string) (len=2) "v2"
        	            	 }
        	Test:       	TestSetupMigration
    member.go:2363: 
        	Error Trace:	/tmp/toolchain-e2e/testsupport/wait/member.go:2363
        	            				/tmp/toolchain-e2e/testsupport/wait/member.go:2155
        	            				/tmp/toolchain-e2e/testsupport/init.go:127
        	            				/usr/local/go/src/sync/once.go:74
        	            				/usr/local/go/src/sync/once.go:65
        	            				/tmp/toolchain-e2e/testsupport/init.go:45
        	            				/tmp/toolchain-e2e/test/migration/setup/setup_migration_test.go:12
        	Error:      	Not equal: 
        	            	expected: []string{"kubernetesimagepullers"}
        	            	actual  : []string{"checlusters"}
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,3 +1,3 @@
        	            	 ([]string) (len=1) {
        	            	- (string) (len=22) "kubernetesimagepullers"
        	            	+ (string) (len=11) "checlusters"
        	            	 }
        	Test:       	TestSetupMigration

Any idea where the checluster webhook is coming from? I have the updated tests here: https://github.com/dkwon17/toolchain-e2e/tree/kip_webhook

@alexeykazakov
Copy link
Contributor

alexeykazakov commented Nov 10, 2023

@dkwon17 it's a known problem with our migration e2e tests for webhook.
In our e2e tests we do the following:

  1. install the previous (currently running in prod) version of the operators
  2. run same tests
  3. update the operators (so they now run the newer version from the actual PR)
  4. run all the tests

So we can make sure that the operator upgrade from the current version to the newest one doesn't break anything.
However in steps 1 and 3 we wait for the all the deployments (operator controllers, webhooks, etc) to be be in expected state which includes webhook configuration verification: https://github.com/codeready-toolchain/toolchain-e2e/blob/f30d23daadd3888816b8363be893c68067a36566/testsupport/wait/member.go#L2315
But you are changing the configuration. So the configuration in steps 1 and 3 are different.
Previously we had to disable webhook verification tests temporally to work it around:
See an example of such PR here: codeready-toolchain/toolchain-e2e#809
And then after merging that PR we re-enabled the tests: codeready-toolchain/toolchain-e2e#822

There is another PR to address this problem: codeready-toolchain/toolchain-e2e#836 so we don't have to disable the tests anymore.

cc: @rajivnathan

@dkwon17
Copy link
Contributor Author

dkwon17 commented Nov 13, 2023

I see, thank you for clarification, I've made the e2e tests PR here, with the validation tests temporarily disabled: codeready-toolchain/toolchain-e2e#840

Copy link

openshift-ci bot commented Nov 14, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, dkwon17

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
4.1% 4.1% Duplication

@dkwon17
Copy link
Contributor Author

dkwon17 commented Nov 14, 2023

/retest

1 similar comment
@alexeykazakov
Copy link
Contributor

/retest

@alexeykazakov alexeykazakov merged commit 082aed8 into codeready-toolchain:master Nov 15, 2023
11 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants