add ingress admission controller to restrict hostname updates #12653
Conversation
|
@knobunc I believe this is ready for review |
|
Please fix the title:
|
| @@ -69,6 +69,7 @@ import ( | |||
| imageadmission "github.com/openshift/origin/pkg/image/admission" | |||
| imagepolicy "github.com/openshift/origin/pkg/image/admission/imagepolicy/api" | |||
| imageapi "github.com/openshift/origin/pkg/image/api" | |||
| ingressadmit "github.com/openshift/origin/pkg/ingress/admission" | |||
There was a problem hiding this comment.
Why is this ingressadmit when the rest seem to be ...admission?
pkg/ingress/admission/api/types.go
Outdated
|
|
||
| // IngressAdmissionConfig is the configuration for the the ingress | ||
| // controller limiter plugin. It changes the behavior of ingress | ||
| //objects to behave better with openshift routes and routers. |
There was a problem hiding this comment.
We seem to be missing a space here after the //
pkg/ingress/admission/api/types.go
Outdated
| type IngressAdmissionConfig struct { | ||
| unversioned.TypeMeta | ||
|
|
||
| //UpstreamHostnameUpdate when true causes updates that attempt |
There was a problem hiding this comment.
We seem to be missing a space here after the //
pkg/ingress/admission/api/types.go
Outdated
| // controller limiter plugin. It changes the behavior of ingress | ||
| //objects to behave better with openshift routes and routers. | ||
| //*NOTE* Disabling this plugin causes ingress objects to behave | ||
| //the same as in upstream kubernetes |
There was a problem hiding this comment.
I think we need to say that disabling this has potential security implications in the router when handling ingress objects.
pkg/ingress/admission/api/types.go
Outdated
|
|
||
| //UpstreamHostnameUpdate when true causes updates that attempt | ||
| //to add or modify hostnames to succeed. Otherwise those updates | ||
| //fail in order to ensure hostname behavior |
There was a problem hiding this comment.
This needs to be clarified to explain that we don't allow addition or renaming of hostnames in the ingress object when set to false. If set to true then we allow the changes, but that has security implications.
What is the default?
There was a problem hiding this comment.
booleans declared but not initialized are given false in golang. The code is structured so that if other options are added to IngressAdmissionConfig without enabling hostname updates they fail
| "k8s.io/kubernetes/pkg/api/unversioned" | ||
| ) | ||
|
|
||
| // IngressAdmissionConfig is the configuration for the the ingress |
There was a problem hiding this comment.
Same comments here as earlier file
| return nil | ||
| } | ||
|
|
||
| func checkHostnames(oldIngress, newIngress *kextensions.Ingress) bool { |
There was a problem hiding this comment.
Can we call this haveHostsChanged? Or something that makes the actual test more clear.
| } | ||
|
|
||
| func checkHostnames(oldIngress, newIngress *kextensions.Ingress) bool { | ||
| m := make(map[string]int) |
There was a problem hiding this comment.
Any reason to use an int rather than a bool?
There was a problem hiding this comment.
Actually, an empty struct appears even better since then it can optimize away to 0 bytes for the value.
But... Kubernetes has sets.NewString() that makes a set of strings... perhaps we should use that?
There was a problem hiding this comment.
does the sets.NewString() apply here? wouldn't I have to loop through the Ingress.Spec.Rules[] to extract the host strings?
|
|
||
| for _, element := range newIngress.Spec.Rules { | ||
| _, present := m[element.Host] | ||
| if !present { |
There was a problem hiding this comment.
Is it better style to do:
if _, present := m[element.Host]; present {
| }, | ||
| } | ||
| } else { | ||
| //Used to test deleteing a hostname |
JacobTanenbaum
changed the title
JacobTanenbaum
changed the title
JacobTanenbaum
force-pushed
the
IngressAdmissionController
branch
from
f3ee6cd to
e4bd6b4
Compare
|
@openshift/networking |
|
@liggitt @derekwaynecarr Please review |
|
|
||
| func haveHostnamesChanged(oldIngress, newIngress *kextensions.Ingress) bool { | ||
| m := make(map[string]int) | ||
| for _, element := range oldIngress.Spec.Rules { |
There was a problem hiding this comment.
Ingress rule hosts need to be immutable for the same reason as route hosts (prevent theft). TLS hosts are only used to match TLS configuration to a rule which doesn't need to be restricted (it's like changing tls conf for a route).
| } | ||
|
|
||
| func haveHostnamesChanged(oldIngress, newIngress *kextensions.Ingress) bool { | ||
| m := make(map[string]int) |
There was a problem hiding this comment.
the standard convention for sets is to use map[TYPE]struct{}, but even better is k8s.io/apimachinery/pkg/utils/sets.String, which is a pre-built string set with the operations that you want.
| newHost: "foo.com", | ||
| oldHost: "bar.com", | ||
| testName: "Upstream Hostname updates enabled", | ||
| }, |
There was a problem hiding this comment.
should you also test adding a hostname?
JacobTanenbaum
force-pushed
the
IngressAdmissionController
branch
from
097e6e5 to
2366482
Compare
|
[test] |
|
[test] |
|
JacobTanenbaum
force-pushed
the
IngressAdmissionController
branch
from
0a38587 to
4d3e590
Compare
…name field. This ensures that openshift's rules regarding who can serve a hostname does not get violated by ingress objects. If upstream behavior is desired this controller can be disabled in the master config file. I wrote this assuming that we might have other needs for an admission controller with ingress objects and it should not be difficult to extend this one.
… test for adding a hostname
github.com/openshift/origin/pkg/cmd/server/origin.TestAdmissionPluginNames
github.com/openshift/origin/pkg/cmd/server/start.TestAdmissionOnOffCoverage
JacobTanenbaum
force-pushed
the
IngressAdmissionController
branch
from
4d3e590 to
8c59f37
Compare
|
@DirectXMan12 can you look over the recent change please? |
|
|
|
Evaluated for origin test up to dfd9fae |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13570/) (Base Commit: 01edb43) |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13570/) (Base Commit: 01edb43) |
|
[merge] |
|
Evaluated for origin merge up to dfd9fae |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13592/) (Base Commit: c74f1b8) (Image: devenv-rhel7_5856) |
|
could you please give the example master config of disabling the ingress admission? |
|
Remember to squash these in the future - didn't catch it at the time, but could have been reduced to 1 or 2 commits. |
This ensures that openshift's rules regarding who can serve a hostname does not
get violated by ingress objects. If upstream behavior is desired this controller can be
disabled in the master config file.
I wrote this assuming that we might have other needs for an admission controller with ingress
objects and it should not be difficult to extend this one.
Trello Card