HNC: Prevent updating labels and annotations with hnc.x-k8s.io suffix on propagated objects #10

Closed
yiqigao217 opened this issue May 5, 2021 · 13 comments · Fixed by #126
@yiqigao217

Issue by yiqigao217
Thursday Apr 29, 2021 at 21:12 GMT
Originally opened as kubernetes-retired/multi-tenancy#1500


The webhook does prevent editing the propagated object itself or labels but doesn't prevent updating annotations:

# I'm annotating a propagated object:

$ kubectl annotate role -n b rl propagate.hnc.x-k8s.io/select=abc
role.rbac.authorization.k8s.io/rl annotated

$ kubectl get role -n b -oyaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    annotations:
      propagate.hnc.x-k8s.io/select: abc
    creationTimestamp: "2021-04-29T21:02:29Z"
    labels:
      app.kubernetes.io/managed-by: hnc.x-k8s.io
      hnc.x-k8s.io/inherited-from: a
    name: rl
    namespace: b
    resourceVersion: "5297867"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/b/roles/rl
    uid: 2fc22fd7-7a34-492c-b823-79dd9383b2f8
  rules:
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - update
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

@k8s-triage-robot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 3, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 2, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot

@k8s-triage-robot: Closing this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@adrianludwin adrianludwin removed this from the release-v0.9 milestone Oct 13, 2021
@adrianludwin

/reopen
/remove-lifecycle rotten

@k8s-ci-robot

@adrianludwin: Reopened this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot reopened this Oct 18, 2021
@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Oct 18, 2021
@adrianludwin adrianludwin added this to the release-v1.0 milestone Oct 18, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 16, 2022
@rahulii

rahulii commented Jan 17, 2022

@adrianludwin Could you give some pointers to get started on this issue? Where should I look in the code for propagated objects?

@adrianludwin

The validator for propagated objects is https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/internal/objects/validator.go.

I just glanced at the code and it looks like we will stop users from modifying any annotation except the annotations that include hnc.x-k8s.io (see this line). The problem is that the canonical function returns the object with all HNC labels/annotations stripped out, which probably isn't the right thing to do for this function.

How about this as a solution: a few lines above, we check whether the hnc.x-k8s.io/inherited-from label has been modified. But really, we don't want any labels or annotations to be modified by users on propagated objects, and this function (handleInherited) is only called for propagated objects that are being modified by users. So maybe we should modify this code to check for all HNC labels and annotations (i.e., exactly the ones the canonical strips out). Or maybe modify canonical so that we can choose whether to strip out the HNC metadata, and only keep it when calling it here.

Whatever you do, can you please add unit tests that fail before you add the fix, and pass afterwards? And note this in the commit comment (e.g. like this). Thanks!
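
The gap described in the comment above, as an added example that is not HNC's code and not part of the thread: a comparison that strips HNC metadata before diffing cannot see the annotation from the issue, while a second comparison over exactly the stripped keys can. The `Meta` type, the function names and the substring match on `hnc.x-k8s.io` are assumptions made for illustration, and the separate `inherited-from` label check mentioned in the comment is left out.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// metaGroup is the HNC domain seen in the issue's label and annotation keys.
const metaGroup = "hnc.x-k8s.io"

// Meta is a simplified stand-in for an object's metadata (hypothetical type).
type Meta struct{ Labels, Annotations map[string]string }

// pick returns the keys that contain metaGroup (hnc=true) or the rest (hnc=false).
func pick(m map[string]string, hnc bool) map[string]string {
	out := map[string]string{}
	for k, v := range m {
		if strings.Contains(k, metaGroup) == hnc {
			out[k] = v
		}
	}
	return out
}

// same compares either the HNC-owned or the remaining metadata of two objects.
func same(a, b Meta, hnc bool) bool {
	return reflect.DeepEqual(pick(a.Labels, hnc), pick(b.Labels, hnc)) &&
		reflect.DeepEqual(pick(a.Annotations, hnc), pick(b.Annotations, hnc))
}

// deniedBefore compares only the stripped form, so HNC keys are never examined.
func deniedBefore(oldM, newM Meta) bool { return !same(oldM, newM, false) }

// deniedAfter also rejects any change to the keys the stripped form leaves out.
func deniedAfter(oldM, newM Meta) bool {
	return !same(oldM, newM, false) || !same(oldM, newM, true)
}

func main() {
	// Constructed from the Role in the issue: before and after `kubectl annotate`.
	labels := map[string]string{
		"app.kubernetes.io/managed-by": "hnc.x-k8s.io",
		"hnc.x-k8s.io/inherited-from":  "a",
	}
	oldM := Meta{Labels: labels}
	newM := Meta{Labels: labels, Annotations: map[string]string{"propagate.hnc.x-k8s.io/select": "abc"}}
	fmt.Println("denied before:", deniedBefore(oldM, newM), "denied after:", deniedAfter(oldM, newM))
}
```

A unit test in the spirit of the request above would assert that the annotated update is allowed by the first check and denied by the second.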

@adrianludwin adrianludwin changed the title HNC: Prevent updating annotations on propagated objects HNC: Prevent updating labels and annotations with hnc.x-k8s.io suffix on propagated objects Jan 17, 2022
@adrianludwin

I updated the title to reflect what I believe the problem actually is.

@rahulii

rahulii commented Jan 18, 2022

/assign

@rahulii

rahulii commented Jan 18, 2022

@adrianludwin Thanks for the brief explanation. I got the problem.
I will start with writing the unit tests!!

@adrianludwin

This was fixed correctly

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 29, 2022