🌱 Tunnel: Validate namespace/pod at the syncer side #2819
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
jmprusi
changed the title
jmprusi
force-pushed
the
1975-implement-pod-access-authorization-in-the-syncer-itself
branch
4 times, most recently
from
fbdc37a to
7889f39
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
jmprusi
force-pushed
the
1975-implement-pod-access-authorization-in-the-syncer-itself
branch
from
7889f39 to
4ae92d9
Compare
davidfestal
reviewed
Feb 22, 2023
jmprusi
force-pushed
the
1975-implement-pod-access-authorization-in-the-syncer-itself
branch
6 times, most recently
from
75a98a2 to
79c0ee4
Compare
|
/retest |
jmprusi
force-pushed
the
1975-implement-pod-access-authorization-in-the-syncer-itself
branch
8 times, most recently
from
d1dd395 to
ac724b1
Compare
|
/retest |
davidfestal
reviewed
Mar 1, 2023
jmprusi
force-pushed
the
1975-implement-pod-access-authorization-in-the-syncer-itself
branch
from
ac724b1 to
5e0a7c9
Compare
|
/retest |
davidfestal
reviewed
Mar 2, 2023
jmprusi
force-pushed
the
1975-implement-pod-access-authorization-in-the-syncer-itself
branch
from
5e0a7c9 to
585ee3c
Compare
|
/lgtm |
sttts
reviewed
Mar 2, 2023
pkg/syncer/tunneler.go
Outdated
| // Ensure that requests are only for pods, and we have the required information, if not, return false. | ||
| if requestInfo.Resource != "pods" || requestInfo.Subresource == "" || requestInfo.Name == "" || requestInfo.Namespace == "" { | ||
| responsewriters.ErrorNegotiated( | ||
| errors.NewForbidden(podGVR.GroupResource(), requestInfo.Name, fmt.Errorf("only pod subresources are allowed")), |
sttts
reviewed
Mar 2, 2023
pkg/syncer/tunneler.go
Outdated
| obj, err := nsInformer.Get(downstreamNamespaceName) | ||
| if errors.IsNotFound(err) { | ||
| responsewriters.ErrorNegotiated( | ||
| errors.NewForbidden(namespaceGVR.GroupResource(), downstreamNamespaceName, fmt.Errorf("namespace %s does not exist", downstreamNamespaceName)), |
There was a problem hiding this comment.
do we want to leak that information?
sttts
reviewed
Mar 2, 2023
pkg/syncer/tunneler.go
Outdated
| } | ||
| if locator.SyncTarget.Name != synctargetName || string(locator.SyncTarget.UID) != syncTargetUID || locator.SyncTarget.ClusterName != string(synctargetClusterName) { | ||
| responsewriters.ErrorNegotiated( | ||
| errors.NewForbidden(namespaceGVR.GroupResource(), downstreamNamespaceName, fmt.Errorf("namespace %q is not owned by this syncer", downstreamNamespaceName)), |
There was a problem hiding this comment.
do we want to leak that information?
There was a problem hiding this comment.
In general, we should not leak the existence of a namespace or a pod.
There was a problem hiding this comment.
I'm returning a more generic forbidden now.
davidfestal
reviewed
Mar 2, 2023
jmprusi
force-pushed
the
1975-implement-pod-access-authorization-in-the-syncer-itself
branch
from
585ee3c to
182b830
Compare
Done, PTAL |
jmprusi
force-pushed
the
1975-implement-pod-access-authorization-in-the-syncer-itself
branch
2 times, most recently
from
4f4d3eb to
4d0531a
Compare
|
/lgtm |
sttts
reviewed
Mar 7, 2023
jmprusi
force-pushed
the
1975-implement-pod-access-authorization-in-the-syncer-itself
branch
from
4d0531a to
ec35135
Compare
|
/retest |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds an extra layer of security at the syncer side of the tunneler to ensure that the proxied requests are against a namespace owned by the syncer and a pod in upsync state.
Related issue(s)
Fixes #1975