Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add denyserviceexternalips admission (KEP 2200) #97395

Merged
merged 2 commits into from Jan 28, 2021
Merged

Add denyserviceexternalips admission (KEP 2200) #97395

merged 2 commits into from Jan 28, 2021

Conversation

thockin
Copy link
Member

@thockin thockin commented Dec 18, 2020
edited by liggitt

/kind feature

What this PR does / why we need it:

Implements KEP 2200 (kubernetes/enhancements#2176). Adds an optional admission controller to block use of the externalIPs feature (#97110)

Which issue(s) this PR fixes:

xref #97110 - we'll need docs and stuff too

New admission controller "DenyServiceExternalIPs" is available.  Clusters which do not *need* the Service "externalIPs" feature should enable this controller and be more secure.

- [KEP]: https://github.com/kubernetes/enhancements/pull/2176
- [CVE]: https://github.com/kubernetes/kubernetes/issues/97110

@thockin thockin added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 18, 2020
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 18, 2020
@thockin thockin mentioned this pull request Dec 18, 2020
Merged
@k8s-ci-robot k8s-ci-robot added area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 18, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 18, 2020
@fedebongio
Copy link
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 22, 2020
aojea
aojea reviewed Dec 23, 2020
View reviewed changes
plugin/pkg/admission/network/denyserviceexternalips/admission.go Outdated
// ValidateInitialization ensures lister is set.
func (plug *externalIPsDenierPlugin) ValidateInitialization() error {
if plug.lister == nil {
return fmt.Errorf("missing lister")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, other plugins seems to provide more information on the error
return fmt.Errorf("%s requires a service lister", PluginName)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I totally copied this from some other plugin. I do not know what the best-practice here.

aojea
aojea reviewed Dec 23, 2020
View reviewed changes
plugin/pkg/admission/network/denyserviceexternalips/admission.go Outdated
// externalIPsDenierPlugin holds state for and implements the admission plugin.
type externalIPsDenierPlugin struct {
*admission.Handler
lister corev1listers.ServiceLister
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just for learning, for what is being used the lister?
I can´t find any reference

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copied from somewhere - it looks like I picked a bad example and can do it more simply. Will push a new version soon.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The verify job fails because you still have the lister

@thockin
Copy link
Member Author

thockin commented Dec 24, 2020

New version pushed - passes unit tests, still need to actually deploy it

@thockin
Copy link
Member Author

thockin commented Dec 24, 2020

Manually tested in my own cluster. Seems to work as intended.

@aojea
Copy link
Member

aojea commented Dec 30, 2020

/retest

[sig-storage] Downward API volume should provide container's cpu limit [NodeConformance] [Conformance]

@thockin thockin mentioned this pull request Jan 4, 2021
Closed
deads2k
deads2k reviewed Jan 7, 2021
View reviewed changes
plugin/pkg/admission/network/denyserviceexternalips/admission.go
return nil
}

klog.V(4).Infof("Denying new use of ExternalIPs on Service %s/%s", newSvc.Namespace, newSvc.Name)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe give a path that matches the style of our paths in validation as a nicer hint.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

which paths do you mean? namespaces/n/services/s or something else?

@deads2k
Copy link
Contributor

deads2k commented Jan 7, 2021

impl looks fine if we approve the kep.

@tallclair
Copy link
Member

lgtm

@thockin
Copy link
Member Author

thockin commented Jan 26, 2021

This is held until the KEP itself merges (kubernetes/enhancements#2176) so you can say the magic word if you want to. Or we can wait :)

@thockin thockin mentioned this pull request Jan 28, 2021
Closed
4 tasks
@thockin
Copy link
Member Author

thockin commented Jan 28, 2021

KEP has merged.

@aojea
Copy link
Member

aojea commented Jan 28, 2021

#97395 (comment)
#97395 (comment)
making those lgtm effective ...
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 28, 2021
@thockin thockin removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 28, 2021
@k8s-ci-robot k8s-ci-robot merged commit 24f1303 into kubernetes:master Jan 28, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Jan 28, 2021
@thockin thockin mentioned this pull request Jan 29, 2021
Merged
@prashant1221
Copy link

will these changes be backported to v1.17, is it affected by CVE-2020-8554?

@aojea
Copy link
Member

aojea commented Feb 3, 2021

I think that previous versions should be using the published external webhook
https://github.com/kubernetes-sigs/externalip-webhook
#97110

@rtheis
Copy link

rtheis commented Mar 5, 2021

This is awesome and a much appreciated enhancement. Given the clean design and implementation, I second @prashant1221 request to consider cherry-picking this to 1.18, 1.19 and 1.20. While the webhook works, it certainly isn't simple to setup and brings its own set of problems that many folks would prefer to avoid.

@thockin thockin deleted the externalips-admission branch August 2, 2021 04:57
@liggitt liggitt mentioned this pull request Sep 10, 2021
Merged
@aojea aojea mentioned this pull request Nov 29, 2021
Closed
@pacoxu pacoxu mentioned this pull request Dec 1, 2021
Closed
@diogopcx diogopcx mentioned this pull request Jun 27, 2023
Open
@aojea aojea mentioned this pull request Jul 13, 2023
Merged
@apcxtest apcxtest mentioned this pull request Aug 17, 2023
Closed
@aojea aojea mentioned this pull request Dec 20, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aojea aojea aojea left review comments

@deads2k deads2k deads2k left review comments

@JornShen JornShen JornShen left review comments

@dchen1107 dchen1107 Awaiting requested review from dchen1107

Assignees

@aojea aojea

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@thockin @k8s-ci-robot @fedebongio @aojea @deads2k @tallclair @prashant1221 @rtheis @JornShen