feat: add deny-label-ns flag which supports wildcard #1051
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
Hi @AhmedGrati. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
✅ Deploy Preview for kubernetes-sigs-nfd ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
k8s-ci-robot
added
the
size/M
There was a problem hiding this comment.
Thanks @AhmedGrati for working on this!
I don't think we want to replace -extra-label-ns, just add -deny-label-ns on top of that. This will allow strict namespace control (if a user wants that) e.g. with
-deny-label-ns="*" -extra-label-ns=example.com
you could deny everything but example.com, kind of mimicking what we currently do
/ok-to-test
pkg/nfd-master/nfd-master.go
Outdated
| @@ -449,6 +451,17 @@ func verifyNodeName(cert *x509.Certificate, nodeName string) error { | |||
| return nil | |||
| } | |||
|
|
|||
| func isNamespaceDenied(labelNs string, deniedNs map[string]struct{}) bool { | |||
| for ns := range deniedNs { | |||
| deniedNsWildcard := fmt.Sprintf("*.%v", ns) | |||
There was a problem hiding this comment.
I don't think we want to forcibly make all items a glob. Otherwise you couldn't do something like "deny kubernetes.io but allow all *.kubernetes.io"
There was a problem hiding this comment.
Yes true, but I just followed what was said here. Which means basically denying all namespaces. In fact, the user will input a namespace (without wildcard) and we will deny all sub-namespaces by default.
However, If you see that we need to give users the flexibility to deny all sub-namespaces using wildcards, I think we should change this implementation above.
There was a problem hiding this comment.
It can be that what I suggested above is not the "right thing to do". NOT forcing a glob (i.e. not automatically denying sub-namespaces) would give us the most flexibility. I now feel that if we forcibly deny all sub-namespaces it will bit us later (could be countered by supporting wildcards in -extra-label-ns though)
Let's see what others think. Any thoughts on this @cedricmckinnie @ArangoGutierrez @zvonkok @fmuyassarov ?
pkg/nfd-master/nfd-master.go
Outdated
| g := glob.MustCompile(deniedNsWildcard) | ||
| if g.Match(labelNs) { |
There was a problem hiding this comment.
I'm not entirely sure we need to support full-fledged globs (performance, extra external dependency), we could probably do away with something like
if strings.HasPrefix(ns, "*") {
deniedSuffix := strings.TrimLeft(ns, "*")
if strings.HasSuffix(labelNs, deniedSuffix) {
return true
}
} else if labelNs == ns {
return true
}
return falseAnd just document that we support asterisk ("*") in front of the name to deny all sub-namespaces. WDYT?
Also, we probably want to pre-process the user input at startup to repeat same string (or glob) operations over and over again.
There was a problem hiding this comment.
Yes got it, and it's a valid point I think. I just didn't understand the last point. Can you explain it to me further, please?
There was a problem hiding this comment.
Can you explain it to me further, please?
My point is that in the current implementation for each label we create, we run through the deny list and do glob.MustCompile for each deny item. That is for each time a label request arrives, for each label, for each item in deny list do compile. Even though that information is basically static, doing compile once at the startup would be enough and save a lot of cpu cycles
Same could basically be applied to the simplified poor-man's asterisk-based I proposed. I.e. pre-process the deny list to two separate lists, one to do exact matches (==) and one to do suffixes (HasSuffix())
There was a problem hiding this comment.
@marquiz what about having working with such wildcards: prefix.*.suffix. The aesterik-based implementation won't work in the expected way. isn't it?
There was a problem hiding this comment.
It's just me, but I wouldn't be concerned about complex regexs or globs at the moment. Think about how domain names and IP addresses generally work, for example, you don't generally specify IP ranges like 192.168.*.3. For sub-namespaces I see a clear use case, though. More advanced globbing can be added later if it is clearly needed
k8s-ci-robot
added
ok-to-test
| } | ||
|
|
||
| flagset.StringVar(&args.CaFile, "ca-file", "", | ||
| "Root certificate for verifying connections") | ||
| flagset.StringVar(&args.CertFile, "cert-file", "", | ||
| "Certificate used for authenticating connections") | ||
| flagset.Var(&args.ExtraLabelNs, "extra-label-ns", |
There was a problem hiding this comment.
@marquiz should we have both flags at least for a release, having ExtraLabelNS to print a deprecation warning? I feel that removing the flag all together could break some users deployments if they try a roll-update and the pod get's called with old flags.
WDYT?
There was a problem hiding this comment.
@marquiz suggested that we keep the extra-label-ns flag because that would give flexibility to our users.
There was a problem hiding this comment.
@ArangoGutierrez yes, I don't see any reason removing the existing flag. It will also give flexibility in enabling scenarios like "deny all except for example.com/ and acme.io/"
AhmedGrati
force-pushed
the
feat-add-deny-label-ns-with-wildcard
branch
from
c9695a1 to
2b927c8
Compare
AhmedGrati
changed the title
AhmedGrati
force-pushed
the
feat-add-deny-label-ns-with-wildcard
branch
2 times, most recently
from
e1eff45 to
5182050
Compare
AhmedGrati
requested review from
marquiz
and removed request for
adrianchiris and
fmuyassarov
There was a problem hiding this comment.
Thanks for the update @AhmedGrati
I think we need to adjust the docs a bit more, probably removing all references to -extra-label-ns in docs/usage/customization-guide.md and also adjust description of -extra-label-ns in docs/reference/master-commandline-reference.md to match the new behavior.
|
@marquiz why should we remove all references to |
Heh, my comment wasn't very clear 😇 I should've written that review all references to |
Oh yes got it now, thank you 😊 |
AhmedGrati
force-pushed
the
feat-add-deny-label-ns-with-wildcard
branch
from
5182050 to
1b46830
Compare
AhmedGrati
requested review from
marquiz and
ArangoGutierrez
and removed request for
marquiz
k8s-ci-robot
added
size/L
|
@marquiz I added the fact that we'll forcibly deny the |
That is very much true. D'ya have plans for adding e2e-tests? 😉 |
|
@marquiz I'll work on adding the e2e tests, but it'll take me some time. |
No worries, that would be really cool. I think we can take that as a separate PR |
|
Okay then, I'll finish the requested changes and I'll create a separate issue and PR for the e2e tests. |
AhmedGrati
force-pushed
the
feat-add-deny-label-ns-with-wildcard
branch
3 times, most recently
from
9f9badd to
1d5fead
Compare
AhmedGrati
requested review from
marquiz and
ArangoGutierrez
and removed request for
marquiz and
ArangoGutierrez
There was a problem hiding this comment.
Thanks @AhmedGrati for the update. Looks like we're almost there, just a few small comments/suggestions
EDIT: also I think you want to drop this from the customization guide:
Note that in the example above `-extra-label-ns=my.namespace` must be specified
on the nfd-master command line.
pkg/nfd-master/nfd-master.go
Outdated
| nfd.deniedNs.wildcard = wildcardDeniedNs | ||
| // We forcibly deny kubernetes.io | ||
| nfd.deniedNs.normal["kubernetes.io"] = struct{}{} | ||
| nfd.deniedNs.wildcard["kubernetes.io"] = struct{}{} |
There was a problem hiding this comment.
To be correct i think we want to deny *.kubernetes.io
| nfd.deniedNs.wildcard["kubernetes.io"] = struct{}{} | |
| nfd.deniedNs.wildcard[".kubernetes.io"] = struct{}{} |
Signed-off-by: AhmedGrati <[email protected]>
AhmedGrati
force-pushed
the
feat-add-deny-label-ns-with-wildcard
branch
from
1d5fead to
b499799
Compare
There was a problem hiding this comment.
Thanks @AhmedGrati for your efforts on this! From my perspective this looks good to go 👍
| @@ -392,7 +409,7 @@ func (m *nfdMaster) updateMasterNode() error { | |||
| // into extended resources. This function also handles proper namespacing of | |||
| // labels and ERs, i.e. adds the possibly missing default namespace for labels | |||
| // arriving through the gRPC API. | |||
| func filterFeatureLabels(labels Labels, extraLabelNs map[string]struct{}, labelWhiteList regexp.Regexp, extendedResourceNames map[string]struct{}) (Labels, ExtendedResources) { | |||
| func (m *nfdMaster) filterFeatureLabels(labels Labels) (Labels, ExtendedResources) { | |||
There was a problem hiding this comment.
Thanks, this looks so much cleaner 👍
k8s-ci-robot
added
the
approved
|
/assign @ArangoGutierrez @fmuyassarov |
|
Many thanks for your review @marquiz 👌. |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 1fea083de80ed12d154588ced604dfdc9a91d7be
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: AhmedGrati, ArangoGutierrez, marquiz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Resolves #1022.
Signed-off-by: AhmedGrati [email protected]