Skip to content

Add console extension manifests #229

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 5 commits into from
Jun 24, 2019
Merged

Add console extension manifests #229

openshift-merge-robot merged 5 commits into from
Jun 24, 2019

Conversation

@benjaminapetersen
Copy link
Contributor

@benjaminapetersen benjaminapetersen commented May 16, 2019

Adds 3 new CRDs for console extensions:

  • ConsoleLink
  • ConsoleCLIDownload
  • ConsoleNotification (Banners)

Related to Console PRs:

@openshift-ci-robot openshift-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 16, 2019
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 16, 2019
@benjaminapetersen
Copy link
Contributor Author

benjaminapetersen commented May 16, 2019

/hold

WIP. Need to make sure we know where these will live in the API, if the group is correct, and if any will be converted into top-level config/operator config items instead of custom resources.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 16, 2019
@benjaminapetersen
Copy link
Contributor Author

benjaminapetersen commented May 16, 2019

fyi @rhamilto @spadgett

@benjaminapetersen benjaminapetersen changed the title Add console extension manifests [WIP] Add console extension manifests May 16, 2019
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 16, 2019
@spadgett spadgett added this to the v4.2 milestone May 16, 2019
@spadgett
Copy link
Member

spadgett commented May 16, 2019

@jwforres fyi

benjaminapetersen
benjaminapetersen commented May 16, 2019
View reviewed changes
@benjaminapetersen benjaminapetersen mentioned this pull request May 17, 2019
Merged
5 tasks
rhamilto
rhamilto reviewed May 22, 2019
View reviewed changes
rhamilto
rhamilto reviewed May 22, 2019
View reviewed changes
benjaminapetersen
benjaminapetersen commented May 22, 2019
View reviewed changes
manifests/00-crd-extension-console-cli.yaml Outdated
description:
type: string
description: Description of the CLI download (can include markdown)
link:
Copy link
Contributor Author

@benjaminapetersen benjaminapetersen May 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possibly needs to be links [ ]

Copy link
Contributor Author

@benjaminapetersen benjaminapetersen May 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see https://github.com/openshift/console/pull/1441/files#r276345530

Copy link
Contributor Author

@benjaminapetersen benjaminapetersen May 29, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason to further consider this? Would there be a link for the binary + a link for docs, for example? @rhamilto @spadgett

benjaminapetersen
benjaminapetersen commented May 22, 2019
View reviewed changes
benjaminapetersen
benjaminapetersen commented May 23, 2019
View reviewed changes
benjaminapetersen
benjaminapetersen commented May 23, 2019
View reviewed changes
benjaminapetersen
benjaminapetersen commented May 23, 2019
View reviewed changes
benjaminapetersen
benjaminapetersen commented May 23, 2019
View reviewed changes
enj
enj reviewed May 28, 2019
View reviewed changes
@benjaminapetersen
Copy link
Contributor Author

benjaminapetersen commented Jun 3, 2019

level=fatal msg="failed to initialize the cluster: Could not update rolebinding \"console-extensions\" (243 of 378): timed out waiting for the condition"

@benjaminapetersen benjaminapetersen force-pushed the extensions/manifests branch 2 times, most recently from 8e1966f to fac016f Compare June 4, 2019 20:06
benjaminapetersen
benjaminapetersen commented Jun 4, 2019
View reviewed changes
@benjaminapetersen
Copy link
Contributor Author

benjaminapetersen commented Jun 5, 2019

/retest

flake details:

Jun 04 21:24:00.789 E clusteroperator/monitoring changed Degraded to True: Failed to rollout the stack. Error: running task Updating prometheus-adapter failed: reconciling PrometheusAdapter Deployment failed: updating deployment object failed: waiting for DeploymentRollout of prometheus-adapter: deployment prometheus-adapter is not ready. status: (replicas: 3, updated: 2, ready: 2, unavailable: 1)
Jun 04 21:25:58.536 E ns/openshift-monitoring pod/prometheus-adapter-7b8ccf5fd4-tdzv6 node/ip-10-0-139-114.ec2.internal container=prometheus-adapter container exited with code 2 (Error):

@benjaminapetersen benjaminapetersen changed the title [WIP] Add console extension manifests Add console extension manifests Jun 6, 2019
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 6, 2019
@bparees
Copy link
Contributor

bparees commented Jun 6, 2019

I spoke with @enj about the permissions aspect of this. He indicated it is not a blocker, but I can understand his concerns about doing this which largely fall in two areas:

  1. there's risk that someone extends this api resource in the future and inadvertently exposes something to all users that should not be exposed. I definitely share this concern. Even if it's not inadvertent you might find yourself wanting to extend this api in the future and being unable to because of the way it is shared.

  2. there have been previous exploits that resulted from the platform allowing all users to do something we thought was safe that turned out not to be which has resulted in a general movement away from the use of "all users" type permissions. I think there's less risk of that here (it is a read only resource with very limited surface area).

My view on the way forward is:

Proceed with this as is (Granting permission to all authenticated users) for now. I don't want to see the UI team have to go implement a more complicated config controller flow right this minute, and @spadgett expressed some legitimate concerns about the quality of user experience we could provide if we did so (though i think it might be worth probing what options exist there a bit more, in terms of forcing browser refreshes or something, as suggested by @enj). But file away a tech debt card to refactor this in the future(to use a config controller or other operator logic pattern) so we can eventually remove this permission. Ideally if the additional 4.2 runway allows it, fix it in 4.2, but worst case, keep it on the roadmap, don't view this as the long term solution.

@enj @spadgett Does that seem reasonable?

@enj
Copy link
Contributor

enj commented Jun 8, 2019

I spoke with @enj about the permissions aspect of this. He indicated it is not a blocker, but I can understand his concerns about doing this which largely fall in two areas:

1. there's risk that someone extends this api resource in the future and inadvertently exposes something to all users that should not be exposed.  I definitely share this concern.  Even if it's not inadvertent you might find yourself wanting to extend this api in the future and being unable to because of the way it is shared.

2. there have been previous exploits that resulted from the platform allowing all users to do something we thought was safe that turned out not to be which has resulted in a general movement away from the use of "all users" type permissions.

I think there's less risk of that here (it is a read only resource with very limited surface area).

For context, the exploit resulted in full cluster compromise via discovery, i.e. an API that is by definition read only and "safe" (because it is just metadata about what APIs are available on the cluster). It had nothing to do with the data itself and was a by product of the complexity of the underling wiring (and CRDs are very complex under the hood). That complexity combined with a missing error check is what led to the CVE.

Do I think another similar CVE is likely? No.

Would I like to assume it will happen and take precautions? Yes.

My view on the way forward is:

Proceed with this as is (Granting permission to all authenticated users) for now. I don't want to see the UI team have to go implement a more complicated config controller flow right this minute, and @spadgett expressed some legitimate concerns about the quality of user experience we could provide if we did so (though i think it might be worth probing what options exist there a bit more, in terms of forcing browser refreshes or something, as suggested by @enj). But file away a tech debt card to refactor this in the future(to use a config controller or other operator logic pattern) so we can eventually remove this permission. Ideally if the additional 4.2 runway allows it, fix it in 4.2, but worst case, keep it on the roadmap, don't view this as the long term solution.

@enj @spadgett Does that seem reasonable?

Sounds reasonable. @spadgett @benjaminapetersen I am trusting you guys to make an honest attempt at an architecture that does not involve assigning RBAC to all authenticated users.

@spadgett spadgett mentioned this pull request Jun 8, 2019
Closed
@benjaminapetersen
Copy link
Contributor Author

benjaminapetersen commented Jun 20, 2019

/retest

@benjaminapetersen benjaminapetersen mentioned this pull request Jun 20, 2019
Merged
@spadgett
Copy link
Member

spadgett commented Jun 22, 2019

/retest

spadgett
spadgett requested changes Jun 22, 2019
View reviewed changes
@spadgett
Copy link
Member

spadgett commented Jun 24, 2019

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 24, 2019
spadgett
spadgett approved these changes Jun 24, 2019
View reviewed changes
Copy link
Member

@spadgett spadgett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jun 24, 2019
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jun 24, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benjaminapetersen, spadgett

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [benjaminapetersen,spadgett]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 969ef29 into openshift:master Jun 24, 2019
@benjaminapetersen benjaminapetersen deleted the extensions/manifests branch June 24, 2019 18:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhamilto rhamilto rhamilto left review comments

@spadgett spadgett spadgett approved these changes

+1 more reviewer

@enj enj enj left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@spadgett spadgett

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

v4.2

Development

Successfully merging this pull request may close these issues.

7 participants

@benjaminapetersen @spadgett @bparees @enj @openshift-ci-robot @rhamilto @openshift-merge-robot