Integration tests are not stable after adding OPA policy for registry feature #721

NikitaSkrynnik · 2022-09-20T10:05:18Z

Description

Heal tests with nsmgr restart are not stable. When we are deleting old nsmgr, it doesn't unregister its forwarder from registry. New nsmgr (with new spiffeID) can't register this forwarder again, because it's already registered by old nsmgr (with old spiffeID).

How to reproduce

Run basic nsm setup
Delete one of NSMGRs
Wait for new NSMGR start
See logs in registry pod

Expected behavior

NSMGR registers its forwarder successfully

Actual behavior

NSMGR can't register its forwarder, because it's already registered by old deleted nsmgr

[TRAC] [type:registry] (2.1)    register={"name":"forwarder-vpp-6tpfn","network_service_names":["forwarder"],"network_service_labels":{"forwarder":{"labels":{"nodeName":"kind-worker","p2p":"true"}}},"url":"tcp://10.244.1.109:5001","expiration_time":{"seconds":1663668686,"nanos":268959800},"initial_registration_time":{"seconds":1663668484,"nanos":824354244}}
[INFO] [type:registry] (2.2)    AUTHORIZE spiffieIDNSEsMap: map[spiffe://example.org/ns/nsm-system/pod/nsmgr-h7h5k:[forwarder-vpp-x565x nse-kernel-56c9ffbff5-bwpvs] spiffe://example.org/ns/nsm-system/pod/nsmgr-tcx5p:[forwarder-vpp-6tpfn]]
[INFO] [type:registry] (2.3)    AUTHORIZE spiffieID: spiffe://example.org/ns/nsm-system/pod/nsmgr-tkc59
[INFO] [type:registry] (2.4)    AUTHORIZE nseName: forwarder-vpp-6tpfn
[ERRO] [type:registry] (2.5)    rpc error: code = PermissionDenied desc = no sufficient privileges;	Error returned from sdk/pkg/registry/common/authorize/authorizeNSEServer.Register;	github.com/networkservicemesh/sdk/pkg/registry/core/trace.logError;		/build/local/sdk/pkg/registry/core/trace/common.go:38;	github.com/networkservicemesh/sdk/pkg/registry/core/trace.(*traceNetworkServiceEndpointRegistryServer).Register;		/build/local/sdk/pkg/registry/core/trace/nse_registry.go:129;	github.com/networkservicemesh/sdk/pkg/registry/core/next.(*nextNetworkServiceEndpointRegistryServer).Register;		/build/local/sdk/pkg/registry/core/next/nse_registry_server.go:59;	github.com/networkservicemesh/sdk/pkg/registry/common/begin.(*beginNSEServer).Register.func2;		/build/local/sdk/pkg/registry/common/begin/nse_server.go:64;	github.com/edwarnicke/serialize.(*Executor).process;		/go/pkg/mod/github.com/edwarnicke/serialize@v1.0.7/serialize.go:68;	runtime.goexit;		/usr/local/go/src/runtime/asm_amd64.s:1571;	
[ERRO] [type:registry] (1.2)   Error returned from sdk/pkg/registry/common/authorize/authorizeNSEServer.Register: rpc error: code = PermissionDenied desc = no sufficient privileges

Possible solultions

Wait until forwarder entry in registry is expired
Add feature for heal servers: immediately delete entry from registry if the connection with endpoint is lost
Disable OPA authorization for cmd-registry-k8s
Add a possibilty for managers to bypass OPA policies
Add roles to pods using spire. Add special role "nsmgr". Accept all register requests in OPA policies if role == "nsmgr" (For example, we can change spiffeID for some pods by adding special labels https://github.com/spiffe/spire/blob/main/support/k8s/k8s-workload-registrar/mode-crd/README.md#label-based-workload-registration)

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Integration tests are not stable after adding OPA policy for registry feature #721

Integration tests are not stable after adding OPA policy for registry feature #721

NikitaSkrynnik commented Sep 20, 2022 •

edited

Loading

Integration tests are not stable after adding OPA policy for registry feature #721

Integration tests are not stable after adding OPA policy for registry feature #721

Comments

NikitaSkrynnik commented Sep 20, 2022 • edited Loading

Description

How to reproduce

Expected behavior

Actual behavior

Possible solultions

NikitaSkrynnik commented Sep 20, 2022 •

edited

Loading