Allow proxy to forward requests to namespaces outside of workspace #471
Conversation
alexeykazakov
requested review from
MatousJobanek,
xcoulon,
rajivnathan,
ranakan19 and
mfrancisc
as code owners
There was a problem hiding this comment.
Looks good to me 👍
I think initially it was there for offloading the API server from the requests which can validated on our side.
I have only two comments/thoughts:
-
I'm almost sure this doesn't break anything on the UI side, but maybe worth double checking
-
Do we need to keep all the subtests in the
proxy_communit_tests.go.?
I mean these tests looks like they are testing the same path to me:
plain http request as owner to namespace outside of private workspaceplain http request as owner to namespace outside of community workspaceplain http request as community user to namespace outside of community workspace
it's basically checking that a user that has a valid usersignup and tries to access a namespace which is not in a community workspace or in the home workspace, which according to the new changes it is not being blocked at the proxy level anymore.
So maybe we can have just one "generic" test for verifying that requests to invalid namespaces are proxied?
This PR gets rid of some restrictions. So I would be very surprised if it broke something on the UI side. But you never know :)
I thought about that. It checks all possible combinations (as you mentioned) that the outside-of-workspace namespace is still available. And if we consider it as a feature (that such namespaces are accessible) then I think it's good that we have all the possible cases covered. |
|
Paired with codeready-toolchain/toolchain-e2e#1053 now /retest |
|
/retest |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #471 +/- ##
==========================================
- Coverage 85.93% 85.16% -0.77%
==========================================
Files 32 32
Lines 2488 3175 +687
==========================================
+ Hits 2138 2704 +566
- Misses 265 384 +119
- Partials 85 87 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
I agree with @mfrancisc on that - the tests look like a duplication of the same. Don't block access to a different namespace outside of the selected workspace, I'm not sure if we really need to distinguish between different cases of the workspace.
I can feel the pain now as I got lost in the tests many times as part of the refactoring efforts. This is caused by the way the test is written. The standard "testing" library doesn't nicely work with such combinations of the cases the test is executed with. Gomega does that a bit better, but in such a scale, it would be still very chaotic. |
|
And BTW, as soon as it gets merged, it would be nice to advertise it to Konflux as they faced some issues with it before. |
|
TBH I don't think we need all these combination of the tests, now that the behavior is for the proxy to foward the request to Kube API, it was more useful IMO when we needed/wanted to ensure that the requests are denied at the proxy level. However it's a minor since it's better to have more tests and less :) , and also the tests need to be refactored as @MatousJobanek . So let's maybe to that as part of a major rework of the tests 👍 |
|
I'm still a bit concerned about removing this constraint. I feel I'm concerned that in an environment with a lot of shared workspaces, human errors or wrong configurations won't be warned nor blocked and, as a result, users could potentially harm any namespace they have access to by applying the wrong manifest. In this case debugging will be very hard. In a multi-members setup, this would be even more puzzling to me; the user will be able to perform cross-workspace requests for different subsets of workspaces -impacting the proxy's transparency property.
What about using the public-viewer feature for this requirement? We could create a Alternatively, I'd propose to introduce a feature flag in |
The requests can be, but doesn't have to be cross-workspace. The cluster usually contains more namespaces than those that are managed by KubeSaw.
Let's not try to fix or minimize human mistakes at the level of KubeSaw & Proxy. Let's only focus on authorization/authentication validations. Using a wrong kubeconfig, session, or a kubeconfig context are common mistakes you cannot address at the level of the proxy.
As I mentioned above, there are namespaces not managed by KubeSaw, and these namespaces should stay like that. Exposing some resources to the entire cluster via RBAC is pretty common thing in some operators (even though I personally don't agree with that approach). This is what Alexey meant by "shared namespaces" |
|
Fully agree with @MatousJobanek on the proxy topic. I truly believe we should stick with our proxy providing the proxy functionality as much as possible. And not making it a RBAC enforcer. Let's leave RBAC to Kube. If RBAC is messed up on the cluster side it's not the Proxy business to fix it. As I mentioned in the description our proxy should focus on:
That's it. |
|
And regarding testing. I agree that the proxy test need some love in general (not related to this PR). But since the underlying proxy logic with all these combinations of shared/private/etc workspaces is quite complex I still think it's safer to keep the tests as is (until we do a deeper refactoring) rather than just dropping them all together or leaving only one combination in place. |
From a UX point of view this behavior really feels strange to me.
I agree, we shouldn't try to minimize human mistakes in KubeSaw and I agree we should defer the most of responsibilities to cluster's RBAC. However, dropping this workspace property doesn't feel right to me.
To me that's the most important reason for not dropping this constraint on Workspaces
Thanks for clarifying. If that's the case the public-viewer idea won't work. Maybe we can add a list of
I don't think it's an RBAC enforcer as it is implemented now, nor that it would be a question of RBAC messed up. The concept of Workspace is not taken in consideration by k8s RBAC, so enforcing Workspace boundaries via RBAC is not doable. My point is that, even though I'm not expecting these changes to have a catastrophic impact, I see they may be harmful in some scenarios. |
Currently we have a real problem. You can't access a namespace which doesn't belong to any workspace via proxy. It's not just a theoretical or potential problem. A few users already complained about this. IMO it's a significant proxy limitation. Is the workspace context concept ideal? No, it's not. And I agree that providing a workspace context to access the namespace from another workspace or a non-workspace namespace does look weird, IMO, it's still lesser of two evils. Let's get rid of this significant limitation now and work on how we could improve UX of accessing such namespaces later since it doesn't look like a trivial task. |
|
/retest |
Co-authored-by: Kanika Rana <[email protected]>
There was a problem hiding this comment.
Looks Good
Left minor comments.
So there is no scenario where the ExpectedProxyResponseStatus is not OK, except for incorrect setup of proxy. Or maybe that there is no use case in proxy now where the expected response is forbidden, is that understanding correct?
pkg/proxy/proxy_community_test.go
Outdated
| // It's not up to the proxy to check permissions on the specific namespace. | ||
| // The target API server will reject the request if the user does not have permissions to access the namespace. | ||
| // Here the request is successful because the underlying mock target cluster API server returns OK | ||
| "plain http request as owner to namespace outside of private workspace": { |
There was a problem hiding this comment.
I'm a bit confused as to what does 'owner' refer to here in the test description. To me, there is not much difference in the two statements below, wrt to the test:
plain http request as owner to namespace outside of private workspace v/s
plain http request to namespace outside of private workspace.
So either I'm missing the significance of owner here and we should add it here (maybe in the comments?) or we can make the test case description simpler and remove owner.
Let me know what you think
There was a problem hiding this comment.
I think the comments preceeding it explain it pretty well. But yeah the 'owner' thing in the test description threw me off a bit as well.
What about plain http request as permitted user to namespace outside of private workspace? Is that accurate?
There was a problem hiding this comment.
Replaced owner by permitted user in c557b41
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexeykazakov, MatousJobanek, mfrancisc, rajivnathan, ranakan19 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Co-authored-by: Kanika Rana <[email protected]>
|
alexeykazakov
merged commit 795ca54
into
codeready-toolchain:master
Currently our proxy blocks any requests to namespaces which are outside of the target workspace. And because of this we can't use the proxy to target namespaces which do not belong to any workspace. Like some shared namespaces with resources shared with all authenticated users.
Our proxy do not have to enforce any additional RBAC besides what is already enforced by the target API Server.
The proxy goals are basically the following:
The rest will be taken care by the API Server. If the user does not have permissions to access the namespace then the request will be rejected by the API Server. The Proxy should not be in the RBAC business unless there is a very good reason for this.
See this thread for more details #443 (comment)
Paired with codeready-toolchain/toolchain-e2e#1053