Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Explicitly disable dry run for connect #66083

Merged
merged 1 commit into from
Aug 7, 2018

Conversation

jennybuckley
Copy link

@jennybuckley jennybuckley commented Jul 11, 2018

What this PR does / why we need it:
It isn't clear whether or not dry run would work on connect. I think we should explicitly disable it so no one can try to dry run a connect request and accidentally open a connection.

Release note:

kube-apiserver: setting a `dryRun` query parameter on a CONNECT request will now cause the request to be rejected, consistent with behavior of other mutating API requests. Examples of CONNECT APIs are the `nodes/proxy`, `services/proxy`, `pods/proxy`, `pods/exec`, and `pods/attach` subresources. Note that this prevents sending a `dryRun` parameter to backends via `{nodes,services,pods}/proxy` subresources.

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 11, 2018
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Jul 11, 2018
@neolit123
Copy link
Member

@kubernetes/sig-api-machinery-pr-reviews

@@ -98,6 +98,11 @@ func (scope *RequestScope) AllowsStreamSchema(s string) bool {
// ConnectResource returns a function that handles a connect request on a rest.Storage object.
func ConnectResource(connecter rest.Connecter, scope RequestScope, admit admission.Interface, restPath string, isSubresource bool) http.HandlerFunc {
return func(w http.ResponseWriter, req *http.Request) {
if isDryRun(req.URL) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jennybuckley , if we were to forbid dryRun requests for all verbs, why not do this via an HTTP handler filter. 😃

Copy link
Author

@jennybuckley jennybuckley Jul 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for reviewing this! The reason is that we plan on enabling it for some verbs in the future, depending on whether or not the dry run feature is enabled. Also, some verbs, like GET, don't make any change in the cluster, so dry running a get is equivalent to just running the get normally, so we don't need to fail if the client sends the dry run flag.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Jul 19, 2018
@liggitt
Copy link
Member

liggitt commented Jul 24, 2018

cc @kubernetes/api-reviewers
for implications of ?dryRun handling on proxy subresources

@liggitt
Copy link
Member

liggitt commented Jul 25, 2018

I'm definitely in favor of this for pods/exec, pods/attach, pods/portforward, etc.

Query parameters on proxy subresources were previously opaque to the apiserver. Which seems more appropriate for the proxy subresources:

  • make the apiserver responsible for dryRun semantics (which means it has to reject for now until there's a way to know if backend can honor it)
  • continue treating the query parameters as opaque and pass everything through?

@lavalamp
Copy link
Member

lavalamp commented Aug 6, 2018

I think I'd like to err on the side of rejecting all dryRun requests to these escape hatches. It is just code, we can relax the rules if someone comes up with a compelling use case. Right now dry run requests don't succeed for anything, so I think it's fine if they continue to not succeed here.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 6, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jennybuckley, lavalamp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 6, 2018
@k8s-github-robot
Copy link

/test all

Tests are more than 96 hours old. Re-running tests.

@jennybuckley
Copy link
Author

/retest

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 66512, 66946, 66083). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit e69cc51 into kubernetes:master Aug 7, 2018
@niklun
Copy link

niklun commented Oct 10, 2019

@lavalamp I hope I've made the use case clear for passing query parameters through in a service/proxy call in issue #82402? Why would you want to prevent sending a dryRun parameter to a service? I honestly don't understand why kubernetes should care about anything after /proxy/ in the request. 😃

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants