Add OwnerReferencesPermissionEnforcement #1244
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold
/cc @brianmcarey @EdDev Hi, are you interested in this?
Kubevirt is a U/S project and the reasoning to add something like this should be focused on the usefulness it has for it (and not for a D/S project). D/S projects have their own tests and rules. If this validation improves Kubevirt security and stability, please reason for the exact benefits this validation has and how it helps the project, regardless of any D/S potential usage of it.
Well, it helps us on upstream to strictly validate RBACs. All info is in this short paragraph: "This admission controller protects the access to the metadata.ownerReferences of an object so that only users with delete permission to the object can change it. This admission controller also protects the access to metadata.ownerReferences[x].blockOwnerDeletion of an object, so that only users with update permission to the finalizers subresource of the referenced owner can change it." For me it could have saved time in the past when I developed the CNAO RBAC optimization, and today a change like this, but on kind, saved me time to simulate an error that was found only on OpenShift, locally on kind.
/test check-provision-k8s-1.28
I tried to explain that you cannot reason such a change by naming a D/S project. Please add to the PR (and a short summary in the commit message) why this change is beneficial to Kubevirt, how it helps it and what is gained. Please add all the needed reasoning and convincing in the PR description and drop the mentioning of the D/S project. After you provide the convincing details, you could mention that some K8S distributions are using it by default (but to be clear, that is not the main reason that should be provided).
Ok thanks, closing now, will get to it in the future (need to finish a few things).
Before more changes, @brianmcarey wdyt about this change?
I would need a reason why this would be needed or useful to kubevirt, as @EdDev mentioned.
Reasoning, taking CNAO as an example (but it can also happen on kubevirt): Given this info, would you / Edy want this going forward?
Closing this now, I think it is totally fine to have a robust provider which is a bit stricter, as some k8s distributions are,
Btw a generic solution can be to allow enabling additional admission-plugins via env vars.
/hold cancel drafting
Signed-off-by: Or Shoval <oshoval@redhat.com>
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Since the kubevirtci code base was changed bigly, this PR is not relevant anymore in its current state.
What this PR does / why we need it:
It will allow detecting RBAC errors that are caught by default on OpenShift
but not by default on vanilla k8s clusters.
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
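An added illustration of what the description refers to (not code from this PR or from kubevirtci): a kind cluster config that turns the plugin on at the kube-apiserver, next to a constructed Role that has update but not delete on Deployments. It assumes kind's `kubeadmConfigPatches` and kubeadm's `ClusterConfiguration` format; the namespace and role names are made up.

```yaml
# Added example, not part of the PR: enable OwnerReferencesPermissionEnforcement
# on a kind cluster. kind forwards the patch to kubeadm; the kube-apiserver's
# --enable-admission-plugins flag is additive to its default plugin set, so only
# the extra plugin needs to be listed here.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        enable-admission-plugins: "OwnerReferencesPermissionEnforcement"
---
# Constructed Role used to show the class of RBAC error the plugin surfaces.
# A subject bound to it may patch a Deployment's spec, but on a cluster with the
# plugin enabled a patch that sets or changes metadata.ownerReferences is denied
# (HTTP 403) because the Role lacks the "delete" verb on deployments. On a
# vanilla cluster without the plugin the same patch is accepted, which is why
# such a gap only shows up on distributions that enable the plugin by default.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-editor      # hypothetical name
  namespace: demo              # hypothetical namespace
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]   # no "delete"
```

To let the bound subject manage owner references under the plugin, add `"delete"` to the verbs above; setting `blockOwnerDeletion` additionally needs `update` on the owner's `finalizers` subresource.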