Check the order of bootstrapped SCCs. #15923
Conversation
openshift-merge-robot
added
the
size/S
| SecurityContextConstraintNonRoot, | ||
| SecurityContextConstraintHostMountAndAnyUID, | ||
| SecurityContextConstraintHostNS, | ||
| SecurityContextConstraintRestricted, |
There was a problem hiding this comment.
expectedConstraints were not sorted properly?
There was a problem hiding this comment.
Not according to my running this on master. I specifically made this completely separate commit on top of master, so that we get to agree on the proper semantics first.
There was a problem hiding this comment.
expectedConstraints didn't need to be sorted until this PR, if that's what you're asking. Let's add a comment here that this ordering is now important.
|
Cc @openshift/sig-security. |
| sort.Sort(scc.ByPriority(orderedBootstrappedConstraints)) | ||
|
|
||
| for i := 0; i < len(orderedBootstrappedConstraints); i++ { | ||
| constraint := bootstrappedConstraints[i] |
There was a problem hiding this comment.
- for i := 0; i < len(orderedBootstrappedConstraints); i++ {
+ for i := range orderedBootstrappedConstraints {There was a problem hiding this comment.
I've corrected my comment.
There was a problem hiding this comment.
Hmm, this is not equivalent -- I then get
securitycontextconstraints_test.go:43: unexpected contraint no. 0 (by priority). Found hostnetwork, wanted privileged
securitycontextconstraints_test.go:43: unexpected contraint no. 1 (by priority). Found hostnetwork, wanted nonroot
securitycontextconstraints_test.go:43: unexpected contraint no. 2 (by priority). Found hostnetwork, wanted hostmount-anyuid
securitycontextconstraints_test.go:43: unexpected contraint no. 3 (by priority). Found hostnetwork, wanted hostaccess
securitycontextconstraints_test.go:43: unexpected contraint no. 4 (by priority). Found hostnetwork, wanted restricted
securitycontextconstraints_test.go:43: unexpected contraint no. 5 (by priority). Found hostnetwork, wanted anyuid
There was a problem hiding this comment.
shouldn't you be getting the constraint from orderedBootstrappedConstraints to compare against expectedConstraintNames rather than bootstrappedConstraints? You still want the counter anyway to know which expected name to check against.
There was a problem hiding this comment.
Yes, you are right.
I'll need to rethink this.
There was a problem hiding this comment.
@adelton Could you try the following then?
- for i := 0; i < len(orderedBootstrappedConstraints); i++ {
- constraint := bootstrappedConstraints[i]
+ for i, constraint := range orderedBootstrappedConstraints {
| "testing" | ||
|
|
||
| "k8s.io/apiserver/pkg/authentication/serviceaccount" | ||
|
|
||
| securityapi "github.com/openshift/origin/pkg/security/apis/security" | ||
| scc "github.com/openshift/origin/pkg/security/securitycontextconstraints" | ||
| ) | ||
|
|
||
| func TestBootstrappedConstraints(t *testing.T) { | ||
| expectedConstraints := []string{ |
There was a problem hiding this comment.
Consider to rename expectedConstraints to expectedConstraintNames to better express it's content.
adelton
force-pushed
the
issue-14530-sort-test
branch
from
05f482f to
2cec279
Compare
| } | ||
|
|
||
| var orderedBootstrappedConstraints []*securityapi.SecurityContextConstraints |
There was a problem hiding this comment.
Why do we need to introduce orderedBootstrappedConstraints? Why we can't sort bootstrappedConstraints and use it later?
There was a problem hiding this comment.
Because ByPriority wants pointers and bootstrappedConstraints does not get pointers from GetBootstrapSecurityContextConstraints.
I tried sort.Sort(scc.ByPriority(bootstrappedConstraints)) but that did not pan out.
There was a problem hiding this comment.
Because ByPriority wants pointers and bootstrappedConstraints does not get pointers from GetBootstrapSecurityContextConstraints.
Ok, I see. I'll try to prepare PR that changes the return result of GetBootstrapSecurityContextConstraints.
| SecurityContextConstraintNonRoot, | ||
| SecurityContextConstraintHostMountAndAnyUID, | ||
| SecurityContextConstraintHostNS, | ||
| SecurityContextConstraintRestricted, |
There was a problem hiding this comment.
expectedConstraints didn't need to be sorted until this PR, if that's what you're asking. Let's add a comment here that this ordering is now important.
adelton
force-pushed
the
issue-14530-sort-test
branch
from
2cec279 to
70aaf89
Compare
adelton
changed the title
adelton
force-pushed
the
issue-14530-sort-test
branch
from
70aaf89 to
90e5ef3
Compare
adelton
changed the title
| SecurityContextConstraintNonRoot, | ||
| SecurityContextConstraintHostMountAndAnyUID, | ||
| SecurityContextConstraintHostNS, | ||
| SecurityContextConstraintRestricted, | ||
| SecurityContextConstraintsAnyUID, |
There was a problem hiding this comment.
Is this order correct? Why anyuid isn't the last? It has priority: 10 AFAIR. What I'm missing?
There was a problem hiding this comment.
With the latest logic fixes, anyuid is now actually first. Which sounds correct, it matches
[...]
// a higher priority is considered "less" so that it moves to the front of the line
if iSCCPriority > jSCCPriority {
return true
}
90e5ef3 to
d3c8d27
Compare
openshift-merge-robot
added
size/M
Logic fixed -> d3c8d27. |
adelton
changed the title
| SecurityContextConstraintsAnyUID, | ||
| SecurityContextConstraintsHostNetwork, | ||
| SecurityContextConstraintHostMountAndAnyUID, | ||
| SecurityContextConstraintPrivileged, |
There was a problem hiding this comment.
@pweil- Do you agree with such order?
I don't understand it: if user has access to all the SCCs then I'd expect the following order: anyuid, restricted, ..., privileged.
In other words, the question is why hostnetwork goes before restricted?
There was a problem hiding this comment.
this looks like a bug. The host namespaces should be involved in the values. I'm betting they have matching point value and no priority so they're sorting by name.
openshift-merge-robot
added
the
needs-rebase
…sult Automatic merge from submit-queue (batch tested with PRs 15964, 15624, 15924) GetBootstrapSecurityContextConstraints: change return type to a slice of pointers Extracted from #15923 (comment): It turned out that in all the places we need `[]*SecurityContextConstraints`. This PR updates `GetBootstrapSecurityContextConstraints` function to return this type. This change simplify our code. PTAL @pweil- @adelton CC @simo5
adelton
force-pushed
the
issue-14530-sort-test
branch
from
d3c8d27 to
4a1bceb
Compare
openshift-ci-robot
added
size/S
openshift-merge-robot
removed
the
needs-rebase
|
Rebased on master -> 4a1bceb. Could we get this reviewed and merged? Yes, the order will have to change but I'd like to have the test in as a safeguard for any other changes that might go into the code in the mean time. When #15933 is addressed, it will explicitly change the order in |
|
/unassign |
|
@pweil- can you approve? I do not have enough context to do so. |
|
The context is basically: we pre-create some SCCs, so we wonder what their ordering is. This test adds the check. Yes, it uncovered that the order is actually not what we expected, hence #15933 was filed. But to address that, we need some changes that we have in queue for #14530 in #14825. That's why I'd like to add this test now to cover the situation as it is now, and amend the expected results in the test once we actually change the behaviour. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adelton, liggitt, php-coder The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
openshift-merge-robot
added
the
approved
|
Automatic merge from submit-queue (batch tested with PRs 15923, 16172) |
Related to #14530 and #14825.
Cc @simo5 @openshift/sig-security