Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reset managedFields corrupted by admission controllers #98074

Merged

Conversation

kwiesmueller
Copy link
Member

What type of PR is this?
/kind bug

What this PR does / why we need it:
When a mutating admission controller changes managedFields in a way that causes them to be invalid, this change will reset them to their state before the admission chain modified them.

Which issue(s) this PR fixes:

Fixes #96688

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

The apiserver now resets managedFields that got corrupted by a mutating admission controller.

/sig api-machinery
/wg api-expression
/cc @apelisse

@k8s-ci-robot k8s-ci-robot requested a review from apelisse January 14, 2021 19:25
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. wg/api-expression Categorizes an issue or PR as relevant to WG API Expression. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 14, 2021
@kwiesmueller
Copy link
Member Author

For a reason I still don't understand the webhook tests fail for me locally with unable to sync kubernetes service: Endpoints "kubernetes" is invalid: subsets[0].addresses[0].ip: Invalid value: "127.0.0.1": may not be in the loopback range (127.0.0.0/8).
Let's hope it works in CI.

@k8s-ci-robot k8s-ci-robot added area/apiserver area/test sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jan 14, 2021
@kwiesmueller kwiesmueller force-pushed the admission-reset-managedFields branch from 6cde0f1 to eb4d0af Compare January 14, 2021 21:05
@fedebongio
Copy link
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 14, 2021
@kwiesmueller
Copy link
Member Author

/retest

@kwiesmueller
Copy link
Member Author

I don't really understand what I could have done to cause this specific error.
/retest

@apelisse
Copy link
Member

apelisse commented Jan 15, 2021

Conformance test fail specifically on admission webhooks, that might be related ;-)
bazel-test fails on endpoint, I haven't looked but I'm sure you've changed something there.

@apelisse
Copy link
Member

A few questions based on our discussion:

  1. Why is the result of mutating webhooks not validated? I bet it is, why is this specific field not properly validated?
  2. Since this is around the whole admission rather than per plugin, should we send an invalid fields set by a plugin to the following plugins?
  3. What happens if we don't validate the whole "FieldSet", how do we treat these errors in general?

@kwiesmueller kwiesmueller force-pushed the admission-reset-managedFields branch from 4f17899 to 9eb9385 Compare February 1, 2021 17:17
@kwiesmueller
Copy link
Member Author

/retest

@kwiesmueller kwiesmueller force-pushed the admission-reset-managedFields branch 4 times, most recently from 1094f21 to 9f45cd3 Compare February 2, 2021 15:14
@apelisse
Copy link
Member

apelisse commented Feb 4, 2021

Rather than making this into a "admission wrapper", would it make sense to apply this right after admission instead in the DefaultUpdatedObjectInfo function, e.g. https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go#L596-L604?

@kwiesmueller kwiesmueller force-pushed the admission-reset-managedFields branch from 0ee0fc6 to 470ad03 Compare March 1, 2021 19:07
Copy link
Member

@apelisse apelisse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still need to look at the changes to the internal decoding functions.

{
FieldsType: "FieldsV1",
},
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe make a test that shows that corrupting the "FieldsV1" isn't good

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually this test is no longer testing what it did before.
All tests fail for the same reason, something is missing from the managedFields entry.
The manager name is not even covered by the reset anymore but still gets reset.

The test just makes sure a reset happens if anything is invalid.
The details are tested in the decoding tests. I'll simplify this one.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed the test quite a bit and it should actually do what it's supposed to do now.

// DecodeManagedFields converts ManagedFields from the wire format (api format)
// to the format used by sigs.k8s.io/structured-merge-diff
func DecodeManagedFields(encodedManagedFields []metav1.ManagedFieldsEntry) (Managed, error) {
return internal.DecodeManagedFields(encodedManagedFields)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't look at internal yet, but can we get rid of the indirection here? I'd rather avoid having too many "DecodeManagedFields" functions if possible :-)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked at it for a bit, but I didn't want to move too much outside the internal package if not needed.
There are a few internal types and decoding functions right now, but in theory we could move everything I think.
We would be splitting up decoding and encoding though, or move encoding as well. But I'm not sure if I want to also expose encoding.
Have a look and tell me what you think, I can do it either way.

@@ -219,7 +224,7 @@ func (f *FieldManager) Apply(liveObj, appliedObj runtime.Object, manager string,
}

// Decode the managed fields in the live object, since it isn't allowed in the patch.
managed, err := internal.DecodeObjectManagedFields(accessor.GetManagedFields())
managed, err := DecodeManagedFields(accessor.GetManagedFields())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but somewhat unrelated, shouldn't we do something useful if the managedfields is invalid here?

Should we replace emptyManagedFieldsOnErr method with a decodeManagedFieldsOrEmpty, which could be used here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we keep returning the error here if decoding fails (it is apply)?
What would we want to happen if live is corrupted?
It could only happen if somebody updates it and then applies would fail in the future. I'd say we then should prevent invalid managedFields from getting persisted, what this PR tries to at least make harder.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, if the managed fields are corrupted in the apiserver, then someone can't apply anymore. The right thing to do is to restart fresh I would say.


func emptyManagedFieldsOnErr(managed Managed, err error) (Managed, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This always returns nil error, does it need to return that?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I made it this way for ease of use so it can just wrap the function call for providing the same return values.
So no additional error check or anything is required.

// to the format used by sigs.k8s.io/structured-merge-diff
func decodeManagedFields(encodedManagedFields []metav1.ManagedFieldsEntry) (managed managedStruct, err error) {
func DecodeManagedFields(encodedManagedFields []metav1.ManagedFieldsEntry) (ManagedInterface, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's good, thanks!

@apelisse
Copy link
Member

apelisse commented Mar 1, 2021

Beside the new validation that I think you have to revert, mostly nits, thanks!

@Jefftree Jefftree mentioned this pull request Mar 2, 2021
Copy link
Member

@apelisse apelisse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Thanks Kevin!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 5, 2021
@lavalamp
Copy link
Member

lavalamp commented Mar 7, 2021

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kwiesmueller, lavalamp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 7, 2021
@k8s-ci-robot k8s-ci-robot merged commit 4cf8823 into kubernetes:master Mar 7, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Mar 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on. wg/api-expression Categorizes an issue or PR as relevant to WG API Expression.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Server-Side Apply] Prevent mutating admission controllers from corrupting managedFields
6 participants