OCPBUGS-17157: pkg/controller: label RBAC with content hash #3034
Conversation
openshift-ci-robot
added
jira/valid-reference
|
@stevekuznetsov: This pull request references Jira Issue OCPBUGS-17157, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
requested review from
gallettilance,
perdasilva and
jianzhangbjz
|
@stevekuznetsov: This pull request references Jira Issue OCPBUGS-17157, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| @@ -108,7 +108,6 @@ type Operator struct { | |||
| client versioned.Interface | |||
| dynamicClient dynamic.Interface | |||
| lister operatorlister.OperatorLister | |||
| k8sLabelQueueSets map[schema.GroupVersionResource]workqueue.RateLimitingInterface | |||
There was a problem hiding this comment.
I added this in a previous commit but was in a copy-pasta mode and it's not needed.
| Name: gvr.String(), | ||
| }) | ||
| queueInformer, err := queueinformer.NewQueueInformer( | ||
| ctx, | ||
| queueinformer.WithQueue(queue), |
There was a problem hiding this comment.
I forgot this in the original PR to add the labeler functionality.
stevekuznetsov
force-pushed
the
skuznets/rbac-hash
branch
from
69bf96a
to
c2fc318
Compare
| func PolicyRuleHashLabelValue(rules []rbacv1.PolicyRule) (string, error) { | ||
| raw, err := json.Marshal(rules) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
| return toBase62(sha256.Sum224(raw)), nil | ||
| } |
There was a problem hiding this comment.
It seems like this could cause an issue if two operators define the same rules for a clusterRole.
The code for creating the objects has not changed, so this PR should not have any effect on that problem. In any case, random values are used to name the objects, so it does not seem like there would be any collisions. The RBAC objects are labelled with a) the CSV that they are created for and b) a hash of the spec. So yes, if someone duplicated the list of permissions they asked for in one CSV, an approach that looked at these labels would not be able to tell those apart - but neither would the previous approach of using the authorizer. Since the question we want to be able to answer is "is the permission satisfied," it does not seem important to be able to distinguish between two identical specs. |
Good point.
Okay cool, if the RBAC has a unique name, a CSV label, and a hash label there's a clear way identify the owner and we can satisfy the "is the permission satisfied" asks. /approve |
openshift-ci
bot
added
the
approved
stevekuznetsov
force-pushed
the
skuznets/rbac-hash
branch
from
c2fc318
to
eab15c6
Compare
|
New changes are detected. LGTM label has been removed. |
When a CSV is processed, it is assumed that the InstallPlan has already run, or that a user that's creating a CSV as their entrypoint into the system has otherwise met all the preconditions for the CSV to exist. As part of validating these preconditions, the CSV logic today uses cluster-scoped listers for all RBAC resources. sets up an in-memory authorizer for these, and queries the CSV install strategie's permissions against those. We would like to restrict the amount of memory OLM uses, and part of that is not caching the world. For the above approach to work, all RBAC objects fulfilling CSV permission preconditions would need to be labelled. In the case that a user is creating a CSV manually, this will not be the case. We can use the SubjectAccessReview API to check for the presence of permissions without caching the world, but since a PolicyRule has slices of verbs, resources, subjects, etc and the SAR endpoint accepts but one of each, there will be (in the general case) a combinatorical explosion of calls to issue enough SARs to cover the full set of permissions. Therefore, we need to limit the amount of times we take that action. A simple optimization is to check for permissions created directly by OLM, as that's by far the most common entrypoint into the system (a user creates a Subscription, that triggers an InstallPlan, which creates the RBAC). As OLM chose to name the RBAC objects with random strings of characters, it's not possible to look at a list of permissions in a CSV and know which resources OLM would have created. Therefore, this PR adds a label to all relevant RBAC resources with the hash of their content. We already have the name of the CSV, but since CSV content is ostensibly mutable, this is not enough. Signed-off-by: Steve Kuznetsov <[email protected]>
stevekuznetsov
force-pushed
the
skuznets/rbac-hash
branch
from
eab15c6
to
cb178b1
Compare
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awgreene, stevekuznetsov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-robot
merged commit 8eb4f3e
into
operator-framework:master
|
@stevekuznetsov: Jira Issue OCPBUGS-17157: Some pull requests linked via external trackers have merged:
The following pull requests linked via external trackers have not merged: These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-17157 has not been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
When a CSV is processed, it is assumed that the InstallPlan has already run, or that a user that's creating a CSV as their entrypoint into the system has otherwise met all the preconditions for the CSV to exist.
As part of validating these preconditions, the CSV logic today uses cluster-scoped listers for all RBAC resources. sets up an in-memory authorizer for these, and queries the CSV install strategie's permissions against those.
We would like to restrict the amount of memory OLM uses, and part of that is not caching the world. For the above approach to work, all RBAC objects fulfilling CSV permission preconditions would need to be labelled. In the case that a user is creating a CSV manually, this will not be the case.
We can use the SubjectAccessReview API to check for the presence of permissions without caching the world, but since a PolicyRule has slices of verbs, resources, subjects, etc and the SAR endpoint accepts but one of each, there will be (in the general case) a combinatorical explosion of calls to issue enough SARs to cover the full set of permissions.
Therefore, we need to limit the amount of times we take that action. A simple optimization is to check for permissions created directly by OLM, as that's by far the most common entrypoint into the system (a user creates a Subscription, that triggers an InstallPlan, which creates the RBAC).
As OLM chose to name the RBAC objects with random strings of characters, it's not possible to look at a list of permissions in a CSV and know which resources OLM would have created. Therefore, this PR adds a label to all relevant RBAC resources with the hash of their content. We already have the name of the CSV, but since CSV content is ostensibly mutable, this is not enough.