SCC check API: REST #11075
SCC check API: REST #11075
Conversation
sdminonne
force-pushed
the
SCC_check_API_REST
branch
from
0321dcd to
8894590
Compare
|
[test] |
| return pspr, err | ||
| } | ||
|
|
||
| if len(serviceAccounts) == 0 { |
There was a problem hiding this comment.
I wonder if we shouldn't return an error to a user in this case. It seems reasonable.
| ) | ||
| pspsrs := securityapi.PodSecurityPolicySubjectReviewStatus{} | ||
| if provider, namespace, err = oscc.CreateProviderFromConstraint(ns, namespace, constraint, r.client); err != nil { | ||
| errs = append(errs, fmt.Errorf("unable to create provider provider for service account %s: %v", sa.Name, err)) |
There was a problem hiding this comment.
unable to create provider provider for...
| userInfo := serviceaccount.UserInfo(ns, sa.Name, "") | ||
| saConstraints, err := r.sccMatcher.FindApplicableSCCs(userInfo) | ||
| if err != nil { | ||
| errs = append(errs, fmt.Errorf("error finding SCC for ServiceAccount %s: %v", sa.Name, err)) |
There was a problem hiding this comment.
s/error finding/unable to find
There was a problem hiding this comment.
Your using full SecurityContextConstraints in other places, maybe you should do here, as well.
| } | ||
| ns, ok := kapi.NamespaceFrom(ctx) | ||
| if !ok { | ||
| return pspr, kapierrors.NewBadRequest("namespace parameter required.") |
There was a problem hiding this comment.
You should return nil, when there was an error.
| } | ||
| serviceAccounts, err := getServiceAccounts(pspr.Spec, r.client, ns) | ||
| if err != nil { | ||
| return pspr, err |
| filled, err := FillPodSecurityPolicySubjectReviewStatus(&pspsr.Status, provider, pspsr.Spec.Template.Spec, constraint) | ||
| if err != nil { | ||
| glog.Errorf("unable to fill PodSecurityPolicySubjectReviewStatus from constraint %v", err) | ||
| continue |
| return pspsr, nil | ||
| } | ||
|
|
||
| // FillPodSecurityPolicySubjectReviewStatus fills PodSecurityPolicySubjectReviewStatus |
There was a problem hiding this comment.
This comment isn't much helpful. Can you describe what it fills? SCC, something else?
| } | ||
| if errs := oscc.AssignSecurityContext(provider, pod, field.NewPath(fmt.Sprintf("provider %s: ", provider.GetSCCName()))); len(errs) > 0 { | ||
| glog.Errorf("unable to assign SecurityContextConstraints provider: %v", errs) | ||
| //TODO: fills s.Reason |
There was a problem hiding this comment.
How about just putting the same text the error has into s.Reason instead of leaving this TODO?
| } | ||
| ref, err := kapi.GetReference(constraint) | ||
| if err != nil { | ||
| //TODO: fills s.Reason |
| } | ||
| } | ||
|
|
||
| func TestAllowed(t *testing.T) { |
There was a problem hiding this comment.
Again, error paths should be tested.
|
It would be also nice, if you could split your PR into two: your changes and generated changes (iow. swagger-related stuff). It's easier for a reviewer to focus on the changes, only. |
|
@soltysh you mean splitting the commits right? |
yup |
sdminonne
force-pushed
the
SCC_check_API_REST
branch
from
8894590 to
8b8822d
Compare
|
sdminonne
force-pushed
the
SCC_check_API_REST
branch
from
8b8822d to
39d7eeb
Compare
|
With sdminonne#1 in I'll approve the changes, I want to see a clean test run, first. |
|
@soltysh thanks |
|
[test] |
| @@ -165,6 +167,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "resourceaccessreviews", | |||
| "selfsubjectrulesreviews", "subjectaccessreviews").RuleOrDie(), | |||
| authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(), | |||
| // permissions to check PSP, these creates are non-mutating | |||
| authorizationapi.NewRule("create").Groups(securityGroup).Resources("podsecuritypolicysubjectreviews", "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(), | |||
There was a problem hiding this comment.
seems like a project admin ought to be able to use these too. Already done?
| if len(psprSpec.ServiceAccountNames) > 0 { | ||
| errs := []error{} | ||
| for _, saName := range psprSpec.ServiceAccountNames { | ||
| sa, err := client.Core().ServiceAccounts(namespace).Get(saName) |
There was a problem hiding this comment.
Do we already have a cache of service accounts in the API server to manage pod admission (betting yes). If so, re-use that cache.
There was a problem hiding this comment.
If its not already in a shared informer factory, then an issue with a link to here will do.
| return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a PodSecurityPolicyReview: %#v", obj)) | ||
| } | ||
| if errs := securityvalidation.ValidatePodSecurityPolicyReview(pspr); len(errs) > 0 { | ||
| return nil, kapierrors.NewInvalid(securityapi.Kind(pspr.Kind), "", errs) |
There was a problem hiding this comment.
I think kind will be empty. Hard coding the string is fine.
|
|
||
| } | ||
| if len(errs) > 0 { | ||
| return nil, kerrors.NewAggregate(errs) |
There was a problem hiding this comment.
This needs to be wrapped in some kind of status error.
|
I think we want admission to collapse onto the same review mechanism at some point, but this would be a good start. |
sdminonne
force-pushed
the
SCC_check_API_REST
branch
from
d30b6f9 to
0e9bfae
Compare
sdminonne
force-pushed
the
SCC_check_API_REST
branch
from
0e9bfae to
3c6fea4
Compare
|
@deads2k if there are no objections I'd like to merge this on green tests. |
|
[test] |
|
Evaluated for origin test up to 3c6fea4 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9519/) |
|
[merge] |
|
flake #10327 re-[merge] |
|
Evaluated for origin merge up to 3c6fea4 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9543/) (Image: devenv-rhel7_5109) |
|
@soltysh thanks! |
@soltysh