
admission-gcp: Add SecretBinding validator #428

Merged
merged 1 commit into from
May 17, 2022

Conversation

ialidzhikov
Member

@ialidzhikov ialidzhikov commented Apr 18, 2022

/area robustness
/area cost
/kind enhancement
/platform gcp

With the introduction of the provider.type field for SecretBindings, there is the following gap. One can create a SecretBinding with provider.type=gcp for example and reference a non-gcp Secret. Then GCM will add the provider.shoot.gardener.cloud/gcp=true label to the corresponding non-gcp Secret and admission-gcp will start validating UPDATE requests for this Secret. Hence, admission-gcp will reject any UPDATE requests to the Secret with the reason that it is not a valid gcp secret.

To prevent such misconfiguration, admission-gcp now introduces a SecretBinding validator that validates the Secret on SecretBinding creation (previously the Secret was validated on Shoot creation). In this way, the admission-gcp component also improves by dropping the cache for SecretBindings - this improvement was also mentioned in #396 (comment).

Part of #143

Special notes for your reviewer:

Release note:

The admission-gcp component introduces a new SecretBinding validator. It validates requests for SecretBindings and checks whether the SecretBinding refers to a valid GCP Secret.
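An added illustration of the SecretBinding-time check the description above motivates, written in Go with stdlib-only stand-ins for the Kubernetes objects; it is not code from this PR or from the gardener-extension-provider-gcp project. The `serviceaccount.json` data key, the `project_id` check, the `NewFakeGetter` helper and the constructed sample Secrets are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal stand-ins for the Gardener objects; not the real core/v1beta1 types.
type SecretRef struct{ Namespace, Name string }
type SecretBinding struct{ ProviderType string; SecretRef SecretRef } // ProviderType mirrors provider.type
type Secret struct{ Namespace, Name string; Data map[string][]byte }

// Data key a GCP credentials Secret is assumed to carry (assumption, not stated in the PR).
const ServiceAccountField = "serviceaccount.json"
// SecretGetter abstracts the API server read; NewFakeGetter backs it with an in-memory map.
type SecretGetter func(namespace, name string) (*Secret, bool)
func NewFakeGetter(secrets ...Secret) SecretGetter {
	byKey := map[string]*Secret{}
	for i := range secrets {
		byKey[secrets[i].Namespace+"/"+secrets[i].Name] = &secrets[i]
	}
	return func(ns, name string) (*Secret, bool) { s, ok := byKey[ns+"/"+name]; return s, ok }
}

// ValidateGCPSecret checks that the Secret holds a service account JSON naming a project_id.
func ValidateGCPSecret(s *Secret) error {
	raw, ok := s.Data[ServiceAccountField]
	if !ok || len(raw) == 0 {
		return fmt.Errorf("secret %s/%s: missing data key %q", s.Namespace, s.Name, ServiceAccountField)
	}
	var sa struct{ ProjectID string `json:"project_id"` }
	if err := json.Unmarshal(raw, &sa); err != nil || sa.ProjectID == "" {
		return fmt.Errorf("secret %s/%s: %q is not a GCP service account JSON", s.Namespace, s.Name, ServiceAccountField)
	}
	return nil
}

// ValidateSecretBinding admits a provider.type=gcp SecretBinding only when the referenced Secret passes
// the GCP checks, so a mismatched Secret is rejected up front instead of being labelled and then failing every UPDATE.
func ValidateSecretBinding(sb SecretBinding, get SecretGetter) error {
	if sb.ProviderType != "gcp" {
		return nil // another provider's admission component is responsible for it
	}
	secret, ok := get(sb.SecretRef.Namespace, sb.SecretRef.Name)
	if !ok {
		return fmt.Errorf("referenced secret %s/%s not found", sb.SecretRef.Namespace, sb.SecretRef.Name)
	}
	return ValidateGCPSecret(secret)
}
```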

@ialidzhikov ialidzhikov requested review from a team as code owners April 18, 2022 15:19
@gardener-robot

@ialidzhikov You need to rebase this pull request with the latest master branch. Please check.

rfranzke
rfranzke previously approved these changes May 4, 2022
Member

@rfranzke rfranzke left a comment


Nice PR!
/lgtm

@rfranzke
Member

rfranzke commented May 4, 2022

/rebase

Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
Contributor

@kon-angelo kon-angelo left a comment


/lgtm
