
NO-JIRA: Demonstrate trampoline pod write fix

Open deads2k opened this issue 1 year ago • 14 comments

By using the serviceaccount node claim and validatingadmissionpolicy it is possible to restrict the ability of a serviceaccount to write particular resources to only those instances of resource/foo that have name == node-name or .spec.nodeName == node-name while allowing impeded access for other users. If it is using a serviceaccount token (most do), this requires no modification to the workload being restricted.

I can write up a more detailed enhancement/blog post if desired, but this demonstrates how it can be done with today's TechPreview technology (may require https://github.com/openshift/api/pull/1831).

Once https://github.com/openshift/origin/pull/28670 merges, this will automatically only run on TechPreview and be skipped on Default installations.

per request /cc @derekwaynecarr

likely interest /cc @mrunalp @knobunc

deads2k avatar Mar 27 '24 21:03 deads2k
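Sketch of the policy the description refers to, added here as an illustration and not taken from this PR or from the origin e2e test. The namespace `example-ns`, serviceaccount `trampoline` and resource `foos.example.com` are hypothetical. It assumes a Kubernetes 1.30+ apiserver with the upstream `ServiceAccountTokenNodeBinding` and `ServiceAccountTokenPodNodeInfo` gates on, so that a pod-bound SA token's node claim shows up in the admission request as the `authentication.kubernetes.io/node-name` extra key; on OpenShift that corresponds to the TechPreview setup the PR talks about.

```yaml
# Added example (not project code). Only the named serviceaccount is matched, so
# every other user keeps whatever RBAC already grants; the policy only denies,
# it never grants, so the SA still needs an ordinary Role/RoleBinding for foos.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: trampoline-per-node-writes
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["example.com"]        # hypothetical API group
      apiVersions: ["*"]
      operations: ["CREATE", "UPDATE", "DELETE"]
      resources: ["foos"]               # hypothetical resource
  matchConditions:
  - name: restricted-serviceaccount
    expression: "request.userInfo.username == 'system:serviceaccount:example-ns:trampoline'"
  variables:
  # Node name(s) the authenticator derived from the token's node binding.
  # Empty for a token that is not node-bound (e.g. a legacy secret-based token).
  - name: nodeNames
    expression: >-
      has(request.userInfo.extra) &&
      'authentication.kubernetes.io/node-name' in request.userInfo.extra
        ? request.userInfo.extra['authentication.kubernetes.io/node-name']
        : []
  # object is null on DELETE, oldObject is null on CREATE, so each check is
  # keyed on request.operation. "Belongs to this node" means name == node-name
  # or .spec.nodeName == node-name; has() guards against a missing spec.
  - name: newOnThisNode
    expression: >-
      request.operation == 'DELETE' ||
      object.metadata.name in variables.nodeNames ||
      (has(object.spec) && has(object.spec.nodeName) &&
       object.spec.nodeName in variables.nodeNames)
  - name: oldOnThisNode
    expression: >-
      request.operation == 'CREATE' ||
      oldObject.metadata.name in variables.nodeNames ||
      (has(oldObject.spec) && has(oldObject.spec.nodeName) &&
       oldObject.spec.nodeName in variables.nodeNames)
  validations:
  # A credential for this SA that carries no node claim is refused outright,
  # otherwise an attacker holding a non-bound token would skip the check.
  - expression: "variables.nodeNames.size() == 1"
    message: "foos may only be written with a node-bound serviceaccount token"
  # Both the incoming and the stored object must belong to the caller's node;
  # checking oldObject on UPDATE stops a node from re-pointing another node's
  # object at itself.
  - expression: "variables.newOnThisNode && variables.oldOnThisNode"
    message: "serviceaccount may only write foos named after, or scheduled to, its own node"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: trampoline-per-node-writes
spec:
  policyName: trampoline-per-node-writes
  validationActions: ["Deny"]
```

Because the match is on the serviceaccount username and the node name comes from the token the workload already mounts, nothing in the pod has to change, which is the property the description claims. If the cluster does not populate the extra key at all (feature gate off, or a token issued without a pod/node binding), every write from that SA is denied by the first validation rather than silently allowed, which is the safe failure direction for a credential that lives on every node.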

@deads2k: This pull request explicitly references no jira issue.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Mar 27 '24 21:03 openshift-ci-robot

Checking that skip now

/retest

deads2k avatar Mar 28 '24 01:03 deads2k

/test e2e-gcp-ovn-techpreview

deads2k avatar Mar 28 '24 01:03 deads2k

/retest

deads2k avatar Mar 28 '24 23:03 deads2k

Job Failure Risk Analysis for sha: 9e430ae8c002146454cfc5d6ef8072a2014efa0a

Job Name Failure Risk
pull-ci-openshift-origin-master-e2e-agnostic-ovn-cmd IncompleteTests
Tests for this run (26) are below the historical average (469): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

openshift-trt-bot avatar Mar 29 '24 03:03 openshift-trt-bot

: [sig-auth][Feature:ServiceAccountTokenNodeBinding][OCPFeatureGate:ValidatingAdmissionPolicy] per-node SA tokens can restrict access by-node [Suite:openshift/conformance/parallel] passed on techpreview

deads2k avatar Mar 29 '24 14:03 deads2k

fyi @cdoern @yuqi-zhang (for some of the items we need to address)

mrunalp avatar Mar 29 '24 23:03 mrunalp

@deads2k any plans to make the extra info available on 4.17?

xpivarc avatar Apr 10 '24 07:04 xpivarc

@deads2k any plans to make the extra info available on 4.17?

I think that promotion will happen by default.

deads2k avatar Apr 10 '24 14:04 deads2k

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Apr 12 '24 20:04 openshift-ci[bot]

/test e2e-gcp-ovn-techpreview

deads2k avatar Apr 15 '24 15:04 deads2k

Job Failure Risk Analysis for sha: 19700295bd747374026887ca4434b570c6b2e029

Job Name Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node Low
[sig-arch] events should not repeat pathologically for ns/openshift-etcd
This test has passed 75.51% of 49 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node'] in the last 14 days.

openshift-trt-bot avatar Apr 15 '24 18:04 openshift-trt-bot

/test e2e-gcp-ovn-techpreview

deads2k avatar May 06 '24 21:05 deads2k

@deads2k: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify 826a620367cf5478eb1963cb37095371e10ed732 link true /test verify
ci/prow/e2e-aws-ovn-single-node-upgrade 826a620367cf5478eb1963cb37095371e10ed732 link false /test e2e-aws-ovn-single-node-upgrade
ci/prow/e2e-aws-ovn-single-node 826a620367cf5478eb1963cb37095371e10ed732 link false /test e2e-aws-ovn-single-node
ci/prow/e2e-gcp-ovn-builds 826a620367cf5478eb1963cb37095371e10ed732 link true /test e2e-gcp-ovn-builds
ci/prow/e2e-gcp-ovn-rt-upgrade 826a620367cf5478eb1963cb37095371e10ed732 link false /test e2e-gcp-ovn-rt-upgrade
ci/prow/e2e-metal-ipi-ovn-ipv6 826a620367cf5478eb1963cb37095371e10ed732 link true /test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-aws-ovn-edge-zones 826a620367cf5478eb1963cb37095371e10ed732 link true /test e2e-aws-ovn-edge-zones

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci[bot] avatar May 08 '24 19:05 openshift-ci[bot]

moved upstream to https://github.com/kubernetes/kubernetes/pull/124711

deads2k avatar May 31 '24 17:05 deads2k