Description of problem:
csi snapshot webhook does not block any invalid update for volumesnapshot and volumesnapshotcontent objects

Version-Release number of selected component (if applicable):
4.7.0-0.nightly-2020-12-17-201522

How reproducible:
Always

Steps to Reproduce:
1. Create a volumesnapshot object with:
$ cat snapshot.yaml
apiVersion: snapshot.storage.k8s.io/v1beta1
kind: VolumeSnapshot
metadata:
  name: mysnapshot
spec:
  volumeSnapshotClassName: csi-snapshotclass
  source:
    persistentVolumeClaimName: test-pvc-5

$ oc get volumesnapshot
NAME         READYTOUSE   SOURCEPVC    SOURCESNAPSHOTCONTENT   RESTORESIZE   SNAPSHOTCLASS       SNAPSHOTCONTENT                                    CREATIONTIME   AGE
mysnapshot   true         test-pvc-5                           1Gi           csi-snapshotclass   snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2   7s             9s

2. Update spec.source.persistentVolumeClaimName field
$ oc patch volumesnapshot mysnapshot -p '{"spec": {"source": {"persistentVolumeClaimName": ""}}}' --type merge
volumesnapshot.snapshot.storage.k8s.io/mysnapshot patched

3. Check the volumesnapshotcontent:
$ oc get volumesnapshotcontent snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 -ojson|jq .spec
{
  "deletionPolicy": "Delete",
  "driver": "ebs.csi.aws.com",
  "source": {
    "volumeHandle": "vol-0b714dfa76a1503e0"
  },
  "volumeSnapshotClassName": "csi-snapshotclass",
  "volumeSnapshotRef": {
    "apiVersion": "snapshot.storage.k8s.io/v1beta1",
    "kind": "VolumeSnapshot",
    "name": "mysnapshot",
    "namespace": "openshift-cluster-storage-operator",
    "resourceVersion": "49089",
    "uid": "7aced558-1ec1-47a7-bafb-3cd55b8903b2"
  }
}

4. Update spec.source.volumeHandle
$ oc patch volumesnapshotcontent snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 -p '{"spec": {"source": {"volumeHandle": ""}}}' --type merge
volumesnapshotcontent.snapshot.storage.k8s.io/snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 patched

Actual results:
volumesnapshot/mysnapshot is updated successfully.
$ oc get volumesnapshot
NAME         READYTOUSE   SOURCEPVC    SOURCESNAPSHOTCONTENT   RESTORESIZE   SNAPSHOTCLASS       SNAPSHOTCONTENT                                    CREATIONTIME   AGE
mysnapshot   true                                              1Gi           csi-snapshotclass   snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2   37s            39s

volumesnapshotcontent/snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 is updated successfully.
$ oc get volumesnapshotcontent snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2 -ojson|jq .spec
{
  "deletionPolicy": "Delete",
  "driver": "ebs.csi.aws.com",
  "source": {
    "volumeHandle": ""
  },
  "volumeSnapshotClassName": "csi-snapshotclass",
  "volumeSnapshotRef": {
    "apiVersion": "snapshot.storage.k8s.io/v1beta1",
    "kind": "VolumeSnapshot",
    "name": "mysnapshot",
    "namespace": "openshift-cluster-storage-operator",
    "resourceVersion": "49089",
    "uid": "7aced558-1ec1-47a7-bafb-3cd55b8903b2"
  }
}

Expected results:
The update options should be blocked.

Additional info:
I1218 07:25:47.886929 1 webhook.go:115] handling request: {"kind":"AdmissionReview","apiVersion":"admission.k8s.io/v1beta1","request":{"uid":"1181d17c-cd81-4de4-be84-3e0cfb9f6194","kind":{"group":"snapshot.storage.k8s.io","version":"v1beta1","kind":"VolumeSnapshotContent"},"resource":{"group":"snapshot.storage.k8s.io","version":"v1beta1","resource":"volumesnapshotcontents"},"requestKind":{"group":"snapshot.storage.k8s.io","version":"v1beta1","kind":"VolumeSnapshotContent"},"requestResource":{"group":"snapshot.storage.k8s.io","version":"v1beta1","resource":"volumesnapshotcontents"},"name":"snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2","operation":"UPDATE","userInfo":{"username":"system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa","uid":"b67da9b5-95f1-4034-b22f-f1dfce6f32ee","groups":["system:serviceaccounts","system:serviceaccounts:openshift-cluster-csi-drivers","system:authenticated"]},"object":{"apiVersion":"snapshot.storage.k8s.io/v1beta1","kind":"VolumeSnapshotContent","metadata":{"creationTimestamp":"2020-12-18T07:25:43Z","finalizers":["snapshot.storage.kubernetes.io/volumesnapshotcontent-bound-protection"],"generation":1,"managedFields":[{"apiVersion":"snapshot.storage.k8s.io/v1beta1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:finalizers":{".":{},"v:\"snapshot.storage.kubernetes.io/volumesnapshotcontent-bound-protection\"":{}}},"f:spec":{".":{},"f:deletionPolicy":{},"f:driver":{},"f:source":{".":{},"f:volumeHandle":{}},"f:volumeSnapshotClassName":{},"f:volumeSnapshotRef":{".":{},"f:apiVersion":{},"f:kind":{},"f:name":{},"f:namespace":{},"f:resourceVersion":{},"f:uid":{}}}},"manager":"snapshot-controller","operation":"Update","time":"2020-12-18T07:25:43Z"},{"apiVersion":"snapshot.storage.k8s.io/v1beta1","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:creationTime":{},"f:readyToUse":{},"f:restoreSize":{},"f:snapshotHandle":{}}},"manager":"csi-snapshotter","operation":"Update","time":"2020-12-18T07:25:46Z"}],"name":"snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2","resourceVersion":"49149","uid":"4a0aee99-1911-4838-825f-dbf9e8eefc9d"},"spec":{"deletionPolicy":"Delete","driver":"ebs.csi.aws.com","source":{"volumeHandle":"vol-0b714dfa76a1503e0"},"volumeSnapshotClassName":"csi-snapshotclass","volumeSnapshotRef":{"apiVersion":"snapshot.storage.k8s.io/v1beta1","kind":"VolumeSnapshot","name":"mysnapshot","namespace":"openshift-cluster-storage-operator","resourceVersion":"49089","uid":"7aced558-1ec1-47a7-bafb-3cd55b8903b2"}},"status":{"creationTime":1608276345000000000,"readyToUse":true,"restoreSize":1073741824,"snapshotHandle":"snap-03087888c3dfd9f99"}},"oldObject":{"apiVersion":"snapshot.storage.k8s.io/v1beta1","kind":"VolumeSnapshotContent","metadata":{"annotations":{"snapshot.storage.kubernetes.io/volumesnapshot-being-created":"yes"},"creationTimestamp":"2020-12-18T07:25:43Z","finalizers":["snapshot.storage.kubernetes.io/volumesnapshotcontent-bound-protection"],"generation":1,"name":"snapcontent-7aced558-1ec1-47a7-bafb-3cd55b8903b2","resourceVersion":"49149","uid":"4a0aee99-1911-4838-825f-dbf9e8eefc9d"},"spec":{"deletionPolicy":"Delete","driver":"ebs.csi.aws.com","source":{"volumeHandle":"vol-0b714dfa76a1503e0"},"volumeSnapshotClassName":"csi-snapshotclass","volumeSnapshotRef":{"apiVersion":"snapshot.storage.k8s.io/v1beta1","kind":"VolumeSnapshot","name":"mysnapshot","namespace":"openshift-cluster-storage-operator","resourceVersion":"49089","uid":"7aced558-1ec1-47a7-bafb-3cd55b8903b2"}},"status":{"creationTime":1608276345000000000,"readyToUse":true,"restoreSize":1073741824,"snapshotHandle":"snap-03087888c3dfd9f99"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}}

I checked with today's 4.7.0-0.nightly-2021-01-06-055910 (with rebased snapshot-controller + webhook and v1 validation enabled) and the volumesnapshot + volumesnapshotcontent patches suggested above are correctly blocked by the validation. I did not dig deeper, but I think that "oc patch volumesnapshotcontent" patches the v1 version of the object and its validation was not enabled until today's nightly.

Marking as MODIFIED for QA to re-test.
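
The check the report expects, as an added example (not the snapshot webhook's own code): a validating webhook compares oldObject and object in the AdmissionReview and denies an UPDATE that changes spec.source. The function name CheckSourceImmutable and the trimmed request bodies are constructed for illustration, reusing the object values shown in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// snapObj and review model only the AdmissionReview fields this check reads
// (encoding/json matches the lower-case JSON keys case-insensitively).
type snapObj struct {
	Spec struct{ Source map[string]interface{} }
}
type review struct {
	Request struct {
		Operation string
		Kind      struct{ Kind string }
		Object    snapObj
		OldObject snapObj
	}
}

// CheckSourceImmutable (hypothetical name) denies an UPDATE that changes spec.source.
func CheckSourceImmutable(body []byte) (allowed bool, reason string) {
	var r review
	if err := json.Unmarshal(body, &r); err != nil {
		return false, "malformed AdmissionReview: " + err.Error() // fail closed
	}
	k := r.Request.Kind.Kind
	if r.Request.Operation != "UPDATE" || (k != "VolumeSnapshot" && k != "VolumeSnapshotContent") {
		return true, "" // not an update of a snapshot object: nothing to compare
	}
	if !reflect.DeepEqual(r.Request.OldObject.Spec.Source, r.Request.Object.Spec.Source) {
		return false, k + " spec.source is immutable"
	}
	return true, ""
}

// Constructed, trimmed requests built from the values shown in the report.
const (
	pvcCleared    = `{"request":{"operation":"UPDATE","kind":{"kind":"VolumeSnapshot"},"oldObject":{"spec":{"source":{"persistentVolumeClaimName":"test-pvc-5"}}},"object":{"spec":{"source":{"persistentVolumeClaimName":""}}}}}`
	handleCleared = `{"request":{"operation":"UPDATE","kind":{"kind":"VolumeSnapshotContent"},"oldObject":{"spec":{"source":{"volumeHandle":"vol-0b714dfa76a1503e0"}}},"object":{"spec":{"source":{"volumeHandle":""}}}}}`
	sourceKept    = `{"request":{"operation":"UPDATE","kind":{"kind":"VolumeSnapshotContent"},"oldObject":{"spec":{"source":{"volumeHandle":"vol-0b714dfa76a1503e0"}}},"object":{"spec":{"source":{"volumeHandle":"vol-0b714dfa76a1503e0"}}}}}`
)

func main() {
	for _, body := range []string{pvcCleared, handleCleared, sourceKept} {
		fmt.Println(CheckSourceImmutable([]byte(body)))
	}
}
```

The first two requests mirror the two "oc patch" commands from the report and are denied; the third leaves spec.source unchanged, as in the logged controller update, and is allowed.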
Verified with: 4.7.0-0.nightly-2021-01-10-070949
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633