kops icon indicating copy to clipboard operation
kops copied to clipboard
verified publisher icon kubernetes

Accommodate S3 VFS paths designating bucket owner

Open seh opened this issue 3 years ago • 3 comments

In VFS paths using the "s3" scheme designating paths within S3 buckets, accept the "x-amz-expected-bucket-owner" query parameter nominating an AWS account ID that we expect will own the S3 bucket. When this query parameter is present in a parsed VFS path, include its value in AWS Go SDK calls that accept an "ExpectedBucketOwner" parameter. (If there are multiple occurrences of this parameter in the query string, use the first occurrence's value.) If the target S3 bucket turns out to be owned by an AWS account with a different ID, these API calls will fail.

Propagate this expected owning account ID when constructing new VFS paths from a path with such an ID already bound.

seh avatar Aug 31 '22 16:08 seh

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign zetaab for approval by writing /assign @zetaab in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Aug 31 '22 16:08 k8s-ci-robot

@seh I understand that @olemarkus provided a different approach to this change. Do you think this is still needed?

hakman avatar Sep 16 '22 05:09 hakman

Do you think this is still needed?

Testing showed that it was never really necessary, but my investigation led me to discover this feature of the S3 API that I had not known about, and I thought it might be useful to some of our more security-conscious users. If you don't think it's worth adding to kOps, or would prefer a different approach, I understand. I didn't have high confidence that you'd accept this patch. I did think that it was sharing the idea, though.

seh avatar Sep 16 '22 12:09 seh

@seh: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Nov 30 '22 23:11 k8s-ci-robot

@seh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kops-e2e-cni-cilium-etcd 3913dea313e5de8fe03163031abf76e1d723795b link true /test pull-kops-e2e-cni-cilium-etcd
pull-kops-e2e-cni-cilium-eni 3913dea313e5de8fe03163031abf76e1d723795b link true /test pull-kops-e2e-cni-cilium-eni

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

k8s-ci-robot avatar Dec 07 '22 19:12 k8s-ci-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Mar 07 '23 20:03 k8s-triage-robot

This was an interesting idea, but since we don't really need it now, I'll withdraw this proposal.

seh avatar Mar 07 '23 20:03 seh