Bug 1909012

Summary: csi snapshot webhook does not block any invalid update for volumesnapshot and volumesnapshotcontent objects
Product: OpenShift Container Platform Reporter: Qin Ping <piqin>
Component: Storage Assignee: Christian Huffman <chuffman>
Storage sub component: Kubernetes External Components QA Contact: Qin Ping <piqin>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: aos-bugs, chuffman, jsafrane
Version: 4.7   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:46:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Qin Ping 2020-12-18 07:47:31 UTC
Description of problem:
csi snapshot webhook does not block any invalid update for volumesnapshot and volumesnapshotcontent objects


Version-Release number of selected component (if applicable):
4.7.0-0.nightly-2020-12-17-201522

How reproducible:
Always

Steps to Reproduce:
1. Create a volumesnapshot object with:
$ cat snapshot.yaml 
apiVersion: snapshot.storage.k8s.io/v1beta1
kind: VolumeSnapshot
metadata:
  name: mysnapshot
spec:
  volumeSnapshotClassName: csi-snapshotclass
  source:
    persistentVolumeClaimName: test-pvc-5
$ oc get volumesnapshot
NAME         READYTOUSE   SOURCEPVC    SOURCESNAPSHOTCONTENT   RESTORESIZE   SNAPSHOTCLASS       SNAPSHOTCONTENT                                    CREATIONTIME   AGE
mysnapshot   true         test-pvc-5                           1Gi           csi-snapshotclass   snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2   7s             9s
2. Update spec.source.persistentVolumeClaimName field
$ oc patch volumesnapshot mysnapshot -p '{"spec": {"source": {"persistentVolumeClaimName": ""}}}' --type merge
volumesnapshot.snapshot.storage.k8s.io/mysnapshot patched
3. Check the volumesnapshotcontent:
$ oc get volumesnapshotcontent snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 -ojson|jq .spec
{
  "deletionPolicy": "Delete",
  "driver": "ebs.csi.aws.com",
  "source": {
    "volumeHandle": "vol-0b714dfa76a1503e0"
  },
  "volumeSnapshotClassName": "csi-snapshotclass",
  "volumeSnapshotRef": {
    "apiVersion": "snapshot.storage.k8s.io/v1beta1",
    "kind": "VolumeSnapshot",
    "name": "mysnapshot",
    "namespace": "openshift-cluster-storage-operator",
    "resourceVersion": "49089",
    "uid": "7aced558-1ec1-47a7-bafb-3cd55b8903b2"
  }
}
4. Update spec.source.volumeHandle
$ oc patch volumesnapshotcontent snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 -p '{"spec": {"source": {"volumeHandle": ""}}}' --type merge
volumesnapshotcontent.snapshot.storage.k8s.io/snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 patched


Actual results:
volumesnapshot/mysnapshot is updated successfully.
$ oc get volumesnapshot
NAME         READYTOUSE   SOURCEPVC   SOURCESNAPSHOTCONTENT   RESTORESIZE   SNAPSHOTCLASS       SNAPSHOTCONTENT                                    CREATIONTIME   AGE
mysnapshot   true                                             1Gi           csi-snapshotclass   snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2   37s            39s

volumesnapshotcontent/snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 is updated successfully.
$ oc get volumesnapshotcontent snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 -ojson|jq .spec
{
  "deletionPolicy": "Delete",
  "driver": "ebs.csi.aws.com",
  "source": {
    "volumeHandle": ""
  },
  "volumeSnapshotClassName": "csi-snapshotclass",
  "volumeSnapshotRef": {
    "apiVersion": "snapshot.storage.k8s.io/v1beta1",
    "kind": "VolumeSnapshot",
    "name": "mysnapshot",
    "namespace": "openshift-cluster-storage-operator",
    "resourceVersion": "49089",
    "uid": "7aced558-1ec1-47a7-bafb-3cd55b8903b2"
  }
}


Expected results:
The update options should be blocked.

Additional info:
I1218 07:25:47.886929       1 webhook.go:115] handling request: {"kind":"AdmissionReview","apiVersion":"admission.k8s.io/v1beta1","request":{"uid":"1181d17c-cd81-4de4-be84-3e0cfb9f6194","kind":{"group":"snapshot.storage.k8s.io","version":"v1beta1","kind":"VolumeSnapshotContent"},"resource":{"group":"snapshot.storage.k8s.io","version":"v1beta1","resource":"volumesnapshotcontents"},"requestKind":{"group":"snapshot.storage.k8s.io","version":"v1beta1","kind":"VolumeSnapshotContent"},"requestResource":{"group":"snapshot.storage.k8s.io","version":"v1beta1","resource":"volumesnapshotcontents"},"name":"snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2","operation":"UPDATE","userInfo":{"username":"system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa","uid":"b67da9b5-95f1-4034-b22f-f1dfce6f32ee","groups":["system:serviceaccounts","system:serviceaccounts:openshift-cluster-csi-drivers","system:authenticated"]},"object":{"apiVersion":"snapshot.storage.k8s.io/v1beta1","kind":"VolumeSnapshotContent","metadata":{"creationTimestamp":"2020-12-18T07:25:43Z","finalizers":["snapshot.storage.kubernetes.io/volumesnapshotcontent-bound-protection"],"generation":1,"managedFields":[{"apiVersion":"snapshot.storage.k8s.io/v1beta1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:finalizers":{".":{},"v:\"snapshot.storage.kubernetes.io/volumesnapshotcontent-bound-protection\"":{}}},"f:spec":{".":{},"f:deletionPolicy":{},"f:driver":{},"f:source":{".":{},"f:volumeHandle":{}},"f:volumeSnapshotClassName":{},"f:volumeSnapshotRef":{".":{},"f:apiVersion":{},"f:kind":{},"f:name":{},"f:namespace":{},"f:resourceVersion":{},"f:uid":{}}}},"manager":"snapshot-controller","operation":"Update","time":"2020-12-18T07:25:43Z"},{"apiVersion":"snapshot.storage.k8s.io/v1beta1","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:creationTime":{},"f:readyToUse":{},"f:restoreSize":{},"f:snapshotHandle":{}}},"manager":"csi-snapshotter","operation":"Update","time":"2020-12-18T07:25:46Z"}],"name":"snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2","resourceVersion":"49149","uid":"4a0aee99-1911-4838-825f-dbf9e8eefc9d"},"spec":{"deletionPolicy":"Delete","driver":"ebs.csi.aws.com","source":{"volumeHandle":"vol-0b714dfa76a1503e0"},"volumeSnapshotClassName":"csi-snapshotclass","volumeSnapshotRef":{"apiVersion":"snapshot.storage.k8s.io/v1beta1","kind":"VolumeSnapshot","name":"mysnapshot","namespace":"openshift-cluster-storage-operator","resourceVersion":"49089","uid":"7aced558-1ec1-47a7-bafb-3cd55b8903b2"}},"status":{"creationTime":1608276345000000000,"readyToUse":true,"restoreSize":1073741824,"snapshotHandle":"snap-03087888c3dfd9f99"}},"oldObject":{"apiVersion":"snapshot.storage.k8s.io/v1beta1","kind":"VolumeSnapshotContent","metadata":{"annotations":{"snapshot.storage.kubernetes.io/volumesnapshot-being-created":"yes"},"creationTimestamp":"2020-12-18T07:25:43Z","finalizers":["snapshot.storage.kubernetes.io/volumesnapshotcontent-bound-protection"],"generation":1,"name":"snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2","resourceVersion":"49149","uid":"4a0aee99-1911-4838-825f-dbf9e8eefc9d"},"spec":{"deletionPolicy":"Delete","driver":"ebs.csi.aws.com","source":{"volumeHandle":"vol-0b714dfa76a1503e0"},"volumeSnapshotClassName":"csi-snapshotclass","volumeSnapshotRef":{"apiVersion":"snapshot.storage.k8s.io/v1beta1","kind":"VolumeSnapshot","name":"mysnapshot","namespace":"openshift-cluster-storage-operator","resourceVersion":"49089","uid":"7aced558-1ec1-47a7-bafb-3cd55b8903b2"}},"status":{"creationTime":1608276345000000000,"readyToUse":true,"restoreSize":1073741824,"snapshotHandle":"snap-03087888c3dfd9f99"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}}

Comment 1 Jan Safranek 2021-01-06 10:34:13 UTC
I checked with today's 4.7.0-0.nightly-2021-01-06-055910 (with rebased snapshot-controller + webhook and v1 validation enabled) and volumesnapshot + volumesnapshotcontent patches suggested above are correctly blocked by the validation.

I did not dig deeper, but I think that "oc patch volumesnapshotcontent" patches v1 version of the object and its validation was not enabled until today's nightly. Marking as MODIFIED for QA to re-test.

Comment 3 Qin Ping 2021-01-11 06:09:01 UTC
Verified with: 4.7.0-0.nightly-2021-01-10-070949

Comment 6 errata-xmlrpc 2021-02-24 15:46:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633