Bug 2063938
| Summary: | sing the hard coded rest-mapper in library-go | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Abu Kashem <akashem> |
| Component: | kube-apiserver | Assignee: | Abu Kashem <akashem> |
| Status: | CLOSED ERRATA | QA Contact: | jmekkatt |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.11 | CC: | mfojtik, xxia |
| Target Milestone: | --- | ||
| Target Release: | 4.11.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-08-10 10:54:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Abu Kashem
2022-03-14 16:36:18 UTC
Verification steps for the fix as below
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.11.0-0.nightly-2022-03-20-160505 True False 9h Cluster version is 4.11.0-0.nightly-2022-03-20-160505
1. User mapping to a role binding to create restricted access.
Created role for pods with all access except delete.
$ oc get role pod-reader -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2022-03-24T14:22:55Z"
name: pod-reader
namespace: default
resourceVersion: "223277"
uid: bd0ccf49-b2e2-44fc-931c-e9677eef3a15
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
- update
- patch
Created a rolebinding to map the testuser-0 to the above role.
$ oc get rolebinding read-pods -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2022-03-24T14:23:04Z"
name: read-pods
namespace: default
resourceVersion: "216553"
uid: 28d77cf1-86bf-48dc-81b0-fa5872cb360e
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: testuser-0
2. Created two replicasets and corresponding pods.
$ cat replicaset.yaml
apiVersion: apps/v1
kind: ReplicaSet
metadata:
annotations:
deployment.kubernetes.io/desired-replicas: "2"
deployment.kubernetes.io/max-replicas: "5"
deployment.kubernetes.io/revision: "1"
creationTimestamp: "2022-03-24T13:38:21Z"
generation: 1
labels:
app: hello
pod-template-hash: 84d58449c5
name: hello
namespace: default
resourceVersion: "199669"
uid: 0882ce27-61d9-4ed7-8b4f-ad9a3829e556
spec:
replicas: 1
selector:
matchLabels:
app: hello
pod-template-hash: 84d58449c5
template:
metadata:
creationTimestamp: null
labels:
app: hello
pod-template-hash: 84d58449c5
spec:
containers:
- image: quay.io/openshifttest/hello-openshift@sha256:1e70b596c05f46425c39add70bf749177d78c1e98b2893df4e5ae3883c2ffb5e
imagePullPolicy: IfNotPresent
name: hello
ports:
- containerPort: 80
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
status:
availableReplicas: 1
fullyLabeledReplicas: 1
observedGeneration: 1
readyReplicas: 1
replicas: 1
$ cat replicaset_second.yaml
apiVersion: apps/v1
kind: ReplicaSet
metadata:
annotations:
deployment.kubernetes.io/desired-replicas: "2"
deployment.kubernetes.io/max-replicas: "5"
deployment.kubernetes.io/revision: "1"
creationTimestamp: "2022-03-24T13:38:21Z"
generation: 1
labels:
app: hello-second
pod-template-hash: 84d58449c5
name: hello-second
namespace: default
resourceVersion: "199669"
uid: 0882ce27-61d9-4ed7-8b4f-ad9a3829e556
spec:
replicas: 1
selector:
matchLabels:
app: hello-second
pod-template-hash: 84d58449c5
template:
metadata:
creationTimestamp: null
labels:
app: hello-second
pod-template-hash: 84d58449c5
spec:
containers:
- image: quay.io/openshifttest/hello-openshift@sha256:1e70b596c05f46425c39add70bf749177d78c1e98b2893df4e5ae3883c2ffb5e
imagePullPolicy: IfNotPresent
name: hello-second
ports:
- containerPort: 80
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
status:
availableReplicas: 1
fullyLabeledReplicas: 1
observedGeneration: 1
readyReplicas: 1
replicas: 1
$ oc create -f replicaset.yaml
replicaset.apps/hello created
$ oc create -f replicaset_second.yaml
replicaset.apps/hello-second created
$ oc get replicaset -n default
NAME DESIRED CURRENT READY AGE
hello 1 1 1 88m
hello-second 1 1 1 85m
3. Evaluate the hardcoded_restmapper change with the help of default admission control "OwnerReferencesPermissionEnforcement" with below steps.
Login as testuser-0.
$ oc login -u testuser-0 -p aeg-GMuhh-6Z
Login successful.
list the all the available pods
$ oc get pods -n default
NAME READY STATUS RESTARTS AGE
hello-mt57r 1/1 Running 0 16m
hello-second-v8fb5 1/1 Running 0 48m
Edit and change the pod definition i.e under ownerReferences, change the name of the replicaset with another one as below.
Change pod definition from
apiVersion: v1
kind: Pod
<TRIMMED>
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: hello
uid: 336ef9b6-32d8-4d62-8978-4a86dd381a6b
<TRIMMED>
to the pod definition
apiVersion: v1
kind: Pod
<TRIMMED>
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: hello-second
uid: 336ef9b6-32d8-4d62-8978-4a86dd381a6b
<TRIMMED>
$ oc edit pod hello-mt57r
error: pods "hello-mt57r" could not be patched: pods "hello-mt57r" is forbidden: cannot set an ownerRef on a resource you can't delete: , <nil>
$ oc get pod hello-mt57r -o yaml
apiVersion: v1
kind: Pod
metadata:
<TRIMMED>
name: hello-mt57r
namespace: default
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: hello
uid: 336ef9b6-32d8-4d62-8978-4a86dd381a6b
resourceVersion: "222736"
uid: d89f2b35-d082-4b7e-949f-fa7a520571ba
spec:
containers:
- image: quay.io/openshifttest/hello-openshift@sha256:1e70b596c05f46425c39add70bf749177d78c1e98b2893df4e5ae3883c2ffb5e
imagePullPolicy: IfNotPresent
name: hello
<TRIMMED>
The error while editing & saving the pod definition, clearly indicate that the "OwnerReferencesPermissionEnforcement" admission controller invoked successfully as the testuser-0 can't change the ownerReferences definition due to missing delete permission from role definition.Also the testuser-0 could list or get the pod definitions without any issue.
Hence the default OwnerReferencesPermissionEnforcement works as expected , it also confirms that the hardcoded_restmapper change also works .
Inline steps confirms that the PR has been merged with the tested 4.11 build. $ oc adm release info --commits registry.ci.openshift.org/ocp/release:4.11.0-0.nightly-2022-03-20-160505 --registry-config=/home/jmekkatt/docker/config.json | grep hyperkube hyperkube https://github.com/openshift/kubernetes 02aefbfd4f05e308ba3e645f76190a42db159805 $cd kubernetes $ git log --date local --pretty="%h %an %cd - %s" 02aefbfd | grep "#1215" 21cef0d2648 OpenShift Merge Robot Thu Mar 17 11:47:44 2022 - Merge pull request #1215 from tkashem/rest-mappings Hence with the tested steps, moved ticket state to "verified". Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069 |