Safely consume TLSSecurityProfile from APIServer CR #2149
APIServer CR is validating TLSSecurityProfile less strictly than CNAO.

HCO in general delegates the validation to the operators that it is managing, but this is not true for values directly read from the APIServer CR that are not passing into our validating webhook.

So if the cluster admin requires a custom configuration for TLSSecurityProfile on the APIServer CR all the components but CNAO will accept it while CNAO will refuse it continuously.

Let's prevent this by sanitizing the input.

this is not validated

Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2137896
Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: orenc1
/cherry-pick release-1.8
@tiraboschi: new pull request created: #2158
APIServer CR is validating TLSSecurityProfile
less strictly than CNAO.
HCO in general delegates the validation
to the operators that it is managing,
but this is not true for values directly
read from the APIServer CR
that are not passing into our validating
webhook.
So if the cluster admin requires
a custom configuration for TLSSecurityProfile
on the APIServer CR all the components
but CNAO will accept it while CNAO
will refuse it continuously.
Let's prevent this by sanitizing the input.
this is not validated
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2137896
TODO: add unit tests
Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>