Scc check only api #8941
Scc check only api #8941
Conversation
| } | ||
|
|
||
| // PodSpecReviewResult contains information related the a specifc service account for the requested PodSpec. | ||
| type PodSpecReviewResult struct { |
There was a problem hiding this comment.
I think you can use PodSpecSubjectReviewStatus in place of this type.
|
@openshift/api-review roughly what we talked about here: https://github.com/openshift/origin/pull/8199/files This is just the types, impl will come separately to make the review a bit easier. It requires some SCC refactors along the way. |
|
@deads2k thanks waiting for api-review I'm modifying this with your feedback |
sdminonne
force-pushed
the
SCC_check_only_API
branch
from
4f2d020 to
2f4122d
Compare
|
@deads2k commited on top for clarity. PTAL |
|
gofmt |
| @@ -77,6 +78,9 @@ var resourcesToCheck = map[unversioned.GroupResource]unversioned.GroupKind{ | |||
| // we choose not to handle in this plugin | |||
| var resourcesToIgnore = []unversioned.GroupKind{ | |||
| extensions.Kind("DaemonSet"), | |||
| securityapi.Kind("PodSecurityPolicySelfSubjectReview"), // TODO: should this go through admission? | |||
There was a problem hiding this comment.
Yeah, let's run these. The rejection messages will help users figure what's happening to their pods that are being created indirectly.
There was a problem hiding this comment.
Yeah, let's run these. The rejection messages will help users figure what's happening to their pods that are being created indirectly.
I still see this as outstanding. You should just need to provide a way to get the podspec.
There was a problem hiding this comment.
OK. I'm going to do. For some reasons I thought this could be done in the next PR.
There was a problem hiding this comment.
OK. I'm going to do. For some reasons I thought this could be done in the next PR.
If its small, I'd like it here, if its not, we can defer. Just let me know.
|
Looks pretty good to me. @openshift/api-review comments on the types? I think I've talked myself into keep the |
| // PodSpec is the PodSpec to check. | ||
| PodSpec kapi.PodSpec `json:"podSpec"` | ||
|
|
||
| // User is the user you're testing for. |
There was a problem hiding this comment.
Be use to use lower case in the names - since the godoc is used in swagger here, you'll want to refer to the field name as it would be in json. I.e. user is the user you're testing for and if you specify "user" but not "group".
There was a problem hiding this comment.
Done (but only for versioned .../v1/types.go).
sdminonne
force-pushed
the
SCC_check_only_API
branch
from
2f4122d to
0a77a95
Compare
|
PTAL |
openshift-bot
added
the
needs-rebase
|
|
||
| // PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview | ||
| type PodSecurityPolicyReviewSpec struct { | ||
| // PodSpec is the PodSpec to check. The ServiceAccountName field is ignored for this check. |
There was a problem hiding this comment.
David and I discussed, I think we're ok on the semantics of:
If ServiceAccountNames is empty, the PodSpec ServiceAccountName is used, unless it's empty, in which case "default" is used instead. If ServiceAccountNames is specified, PodSpec ServiceAccountName is ignored. There should be a way to say "all service accounts", and it should be obvious as it would be fairly common.
There was a problem hiding this comment.
Update this comment to match the one below for ServiceAccountNames. The ServiceAccountName in the podspec is sometimes used.
|
Approved with those caveats. |
|
@smarterclayton sorry only now I realized that I didn't modify the comment. |
sdminonne
force-pushed
the
SCC_check_only_API
branch
from
0a77a95 to
d66728a
Compare
|
@deads2k @smarterclayton squashed and rebased |
openshift-bot
removed
the
needs-rebase
sdminonne
force-pushed
the
SCC_check_only_API
branch
2 times, most recently
from
3d10dd4 to
5500275
Compare
|
[test] |
|
Failure not related to my code (pretty sure). |
|
You're hitting a merge queue break caused by today's change from schema1 to schema2 on the Docker hub. |
|
Thanks Clayton, should I re-run it? |
|
We haven't fixed it yet. |
| @@ -430,6 +430,7 @@ nodeSelectorLabelBlacklist: | |||
| func TestResourcesToCheck(t *testing.T) { | |||
| known := knownResourceKinds() | |||
| detected := kindsWithPodSpecs() | |||
| //t.Errorf("Detected -> %#v", detected) | |||
|
minor comments, update and squash. |
sdminonne
force-pushed
the
SCC_check_only_API
branch
from
5500275 to
10ebc9a
Compare
Hope it's ok. |
|
|
||
| // ServiceAccountNames is an optional set of ServiceAccounts to run the check with. | ||
| // If ServiceAccountNames is empty, the PodSpec ServiceAccountName is used, | ||
| // unless it's empty, in which case "default" is used instead. |
There was a problem hiding this comment.
this comment doesn't make a lot of sense
There was a problem hiding this comment.
@Kargakis the idea is (if I'm not wrong)
- Look a ServiceAccountNames: if there's some ServiceAccountNames then use them and stop
- If ServiceAccountNames it's empty look at the PodSpec.ServiceAccount.
- Is PodSpec.ServiceAccount NOT empty? Then use it and stop.
- Otherwise use
default.
There was a problem hiding this comment.
Makes sense, thanks! I feel that the comment needs to be more clear though.
sdminonne
force-pushed
the
SCC_check_only_API
branch
from
10ebc9a to
c214793
Compare
|
lgtm [merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/4432/) (Image: devenv-rhel7_4312) |
|
re[merge] |
|
Evaluated for origin merge up to c214793 |
|
yum, re[test] |
|
Evaluated for origin test up to c214793 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/4432/) |
| // if ServiceAccountNames is empty, unless the PodSpec.ServiceAccountName is empty, | ||
| // in which case "default" is used. | ||
| // If ServiceAccountNames is specified, PodSpec.ServiceAccountName is ignored. | ||
| PodSpec kapi.PodSpec |
There was a problem hiding this comment.
I'd like to change this API prior to 1.3 to be PodTemplate, not PodSpec, which fixes our annotation problem and is consistent with all other "template" APIs.
| } | ||
| } | ||
|
|
||
| koCases := map[string]securityapi.PodSecurityPolicySelfSubjectReview{ |
There was a problem hiding this comment.
I'm curious what ko means here? Captain Obvious?
There was a problem hiding this comment.
it's not an OK it's a KO
@deads2k ref #8199 and #8776
As discussed here this PR contains API/types only. Thanks to have a look
Main stuff: