test/extended/authorization/rbac: Condition console RBAC on 'Console' capability #27681
Conversation
|
Launching a payload run to see whether this fix works or needs further tweaks: /payload-job periodic-ci-openshift-release-master-ci-4.13-e2e-aws-sdn-no-capabilities /hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
@wking: trigger 1 job(s) for the /payload-(job|aggregate) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/da538920-9b75-11ed-90d2-600418f4ba34-0 |
|
/approve let's see how the test job does |
openshift-ci
bot
added
the
approved
wking
force-pushed
the
console-conditional-rbac-rules
branch
2 times, most recently
from
fa64951 to
61fdce8
Compare
|
/payload-job periodic-ci-openshift-release-master-ci-4.13-e2e-aws-sdn-no-capabilities |
|
@wking: trigger 1 job(s) for the /payload-(job|aggregate) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a1aa86d0-9c44-11ed-831c-3b8f6065f0b5-0 |
$ curl -s https://storage.googleapis.com/origin-ci-test/logs/openshift-origin-27681-ci-4.13-e2e-aws-sdn-no-capabilities/1618038496394481664/build-log.txt | grep 'The default cluster RBAC policy should have correct RBAC rules'
started: 0/127/413 "[sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel]"
passed: (4.7s) 2023-01-25T01:07:26 "[sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel]"/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
| ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) | ||
| defer cancel() | ||
|
|
||
| exist, err := exutil.DoesApiResourceExist(oc.AdminConfig(), "clusterversions", "config.openshift.io") |
There was a problem hiding this comment.
do we ever expect this not to exist? when?
and if so, i'm inclined to think we'd want to check all the rbac rules (because if clusterversions doesn't exist somehow, then presumably all caps should be enabled), rather than what the current logic does which is to ignore the rbac for optionalcaps when the clusterversion resource type does not exist.
There was a problem hiding this comment.
This portion of my code is pattern-matching from here, where it looks like the goal is supporting MicroShift (#27540). I'm not sure how reliable the "no ClusterVersion" -> "so it's MicroShift" -> "so we want all these conditional RBAC rules" chain is, so maybe we want to pivot to "if the resource the RBAC relates to is present, expect the RBAC to be present"?
There was a problem hiding this comment.
hrrrrrm. yeah, the lack of a clusterversion resource, which strongly implies microshift, would imply potentially a different subset of rbac rules to be expected. (e.g. microshift might have some "optional capabilities" always enabled, and some other ones always disabled, so just saying "if it's microshift, assume all optional caps are disabled" doesn't seem quite right to me).
the fact that the microshift team hadn't previously found the need to disable these checks for their CI would seem to further confirm that these rbac rules do exist on microshift clusters (though admittedly that seems slightly surprising).
@dhellmann can you weigh in on what rbac rules would/would not be expected on a microshift cluster, compared to a traditional OCP cluster with all capabilities enabled?
There was a problem hiding this comment.
There's a ConfigMap that can be used to detect a MicroShift cluster, so we don't need to make any assumptions. https://github.com/openshift/microshift/blob/main/docs/debugging_tips.md#checking-the-microshift-version
I'm having a little trouble making sense of what the test is trying to check. I see the code below is looking at rbacv1.PolicyRule. Is that an API type? I do not see that present in MicroShift. Is that being translated into some other type somehow?
$ oc api-resources | grep -i rbac
clusterrolebindings rbac.authorization.k8s.io/v1 false ClusterRoleBinding
clusterroles rbac.authorization.k8s.io/v1 false ClusterRole
rolebindings rbac.authorization.k8s.io/v1 true RoleBinding
roles rbac.authorization.k8s.io/v1 true Role
There was a problem hiding this comment.
@ingvagabund or @pacevedom can you help here? Is this test even relevant to MicroShift?
There was a problem hiding this comment.
Since we need to rework this one I would agree with these changes.
you agree with the changes as they currently exist in the PR, or you agree w/ the changes i proposed?
There was a problem hiding this comment.
Sorry, I meant the ones you proposed. There is no need to check if clusterversion is there when the test is already broken by over 20 other resources permissions.
Even if the check was kept, the test would still need to be worked on to fit it into MicroShift.
There was a problem hiding this comment.
From the point of enabling running all e2e tests over MicroShift this is "just" another instance where we need to improve the logic. We will need to re-iterate on all affected tests again. So +1 for what @bparees suggests to unblock the PR.
There was a problem hiding this comment.
… capability
Clusters that disable the 'Console' capability are currently failing
this test-case [1]:
: [sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel] expand_less
Run #0: Failed expand_less 3s
{ fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:229]: Jan 3 13:43:14.134: test data for system:authenticated has too many unnecessary permissions:
{APIGroups:["console.openshift.io"], Resources:["consoleclidownloads"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleexternalloglinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolelinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolenotifications"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleplugins"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolequickstarts"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleyamlsamples"], Verbs:["get" "list" "watch"]}
{APIGroups:["helm.openshift.io"], Resources:["helmchartrepositories"], Verbs:["get" "list"]}
{APIGroups:["snapshot.storage.k8s.io"], Resources:["volumesnapshotclasses"], Verbs:["get" "list" "watch"]}
Ginkgo exit error 1: exit with code 1}
This commit uses the pattern that 6d1143a (cli: remove metal3 CRDs
when capabilities are none, 2022-04-08, openshift#26998) began using for CRDs
to only add the console-linked rules when Console is enabled, and to
only add the snapshot-linked rules when `CSISnapshot` is enabled.
MicroShift won't have a ClusterVersion custom resource definition, but
the test is already failing there [2], so this pivot doesn't break
them any worse. Once they have a plan for how they would like to
handle it, they can come back and make those changes in follow-up
work.
It has also been around three years since bb09b26 (Add
system:authenticated exception for CRDs used by console for
extensions, 2019-06-21, openshift#23231)'s "eliminating this exception in the
near future", so I'm softening that to "may eventually". Extending
system:authenticated is still not a great pattern to follow, but it
may never be worth the time it would take the console team to build an
alternative mechanism.
[1]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ci-4.13-e2e-aws-sdn-no-capabilities/1610257913278894080
[2]: openshift#27681 (comment)
wking
force-pushed
the
console-conditional-rbac-rules
branch
from
61fdce8 to
f655a70
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bparees, wking The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold Revision f655a70 was retested 3 times: holding |
openshift-ci
bot
added
the
do-not-merge/hold
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@wking: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
… capability
Clusters that disable the 'Console' capability are currently failing
this test-case [1]:
: [sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel] expand_less
Run #0: Failed expand_less 3s
{ fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:229]: Jan 3 13:43:14.134: test data for system:authenticated has too many unnecessary permissions:
{APIGroups:["console.openshift.io"], Resources:["consoleclidownloads"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleexternalloglinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolelinks"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolenotifications"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleplugins"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consolequickstarts"], Verbs:["get" "list" "watch"]}
{APIGroups:["console.openshift.io"], Resources:["consoleyamlsamples"], Verbs:["get" "list" "watch"]}
{APIGroups:["helm.openshift.io"], Resources:["helmchartrepositories"], Verbs:["get" "list"]}
{APIGroups:["snapshot.storage.k8s.io"], Resources:["volumesnapshotclasses"], Verbs:["get" "list" "watch"]}
Ginkgo exit error 1: exit with code 1}
This commit uses the pattern that 6d1143a (cli: remove metal3 CRDs
when capabilities are none, 2022-04-08, openshift#26998) began using for CRDs
to only add the console-linked rules when Console is enabled, and to
only add the snapshot-linked rules when `CSISnapshot` is enabled.
MicroShift won't have a ClusterVersion custom resource definition, but
the test is already failing there [2], so this pivot doesn't break
them any worse. Once they have a plan for how they would like to
handle it, they can come back and make those changes in follow-up
work.
It has also been around three years since bb09b26 (Add
system:authenticated exception for CRDs used by console for
extensions, 2019-06-21, openshift#23231)'s "eliminating this exception in the
near future", so I'm softening that to "may eventually". Extending
system:authenticated is still not a great pattern to follow, but it
may never be worth the time it would take the console team to build an
alternative mechanism.
[1]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-ci-4.13-e2e-aws-sdn-no-capabilities/1610257913278894080
[2]: openshift#27681 (comment)
7 participants
Clusters that disable the
Consolecapability are currently failing this test-case:This commit uses the pattern that 6d1143a (#26998) began using for CRDs to only add the console-linked rules when
Consoleis enabled, and to only add the snapshot-linked rules whenCSISnapshotis enabled.