Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split webhook validation #10284

Merged
merged 38 commits into from
Nov 13, 2024
Merged

Split webhook validation #10284

merged 38 commits into from
Nov 13, 2024

Conversation

sheidkamp
Copy link
Contributor

@sheidkamp sheidkamp commented Nov 6, 2024
edited
Loading

Description

Split the ValidatingWebhookConfiguration into 2 webhooks to allow different FailurePolicies for gloo and non-gloo resources.

Code changes

None - changes are Helm, tests, and docs

CI changes

Added ValidationSplitWebhook tests to TestValidationStrict tests

Docs changes

Context

Having changes to kubernetes core objects such as secrets and namespaces go through the Gloo Service's validating webhook can prevent changes unrelated to any gloo configuration from being applied if the FailurePolicy is Fail. By splitting the webhooks and allowing different FailurePolicies to be set, this can be avoided.

Testing steps

  • Create cluster and build images:
./ci/kind/setup-kind.sh
  • Install with the gloo FailurePolicy of Fail and kubes FailurePolicy of Ignore
 helm upgrade --install gloo _test/gloo-${VERSION}.tgz --create-namespace --namespace gloo-system --set-string gloo.deployment.image.tag=${VERSION} --set discovery.deployment.enablePodSecurityContext=true --set discovery.enabled=true --set gateway.validation.failurePolicy="Fail" --set gateway.validation.kubeCoreFailurePolicy="Ignore" --set gateway.validation.alwaysAcceptResources=false --set gateway.validation.allowWarnings=false --set gateway.validation.alwaysAcceptResources=false --set gateway.validation.allowWarnings=false
  • Create an upstream (Gloo resource) and a secret (Kube resource)
glooctl create upstream static --static-hosts jsonplaceholder.typicode.com:80 --name json-upstream -n gloo-system
glooctl create secret apikey infra-apikey --apikey doesntmatter
  • Scale down the Gloo deployment:
kubectl scale --replicas=0 deployment/gloo -n gloo-system
  • Try to delete the secret (should succeed)
 kubectl delete secret infra-apikey -n gloo-system
  • Try to delete the upstream (should fail)
delete upstream -n gloo-system json-upstream
  • Scale back up
kubectl scale --replicas=1 deployment/gloo -n gloo-system
  • Update the configuration to set the gloo webhook failurePolicy to Ignore and the kube webhook failurePolicy to Fail
 helm upgrade --install gloo _test/gloo-${VERSION}.tgz --namespace gloo-system --set gateway.validation.failurePolicy="Ignore" --set gateway.validation.kubeCoreFailurePolicy="Fail"
  • Recreate the deleted secret:
glooctl create secret apikey infra-apikey --apikey doesntmatter
  • Scale down the Gloo deployment:
kubectl scale --replicas=0 deployment/gloo -n gloo-system
  • Try to delete the secret (should fail)
 kubectl delete secret infra-apikey -n gloo-system
  • Try to delete the upstream (should succeed)
delete upstream -n gloo-system json-upstream

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

@solo-changelog-bot
Copy link

Issues linked to changelog:
solo-io#10247

@github-actions github-actions bot added keep pr updated signals bulldozer to keep pr up to date with base branch work in progress signals bulldozer to keep pr open (don't auto-merge) labels Nov 6, 2024
@sheidkamp sheidkamp removed the keep pr updated signals bulldozer to keep pr up to date with base branch label Nov 6, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 6, 2024
edited
Loading

Visit the preview URL for this PR (updated for commit 9c28910):

https://gloo-edge--pr10284-sheidkamp-split-vali-f1w7xqqf.web.app

(expires Wed, 20 Nov 2024 00:09:17 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 77c2b86e287749579b7ff9cadb81e099042ef677

@sheidkamp sheidkamp requested a review from a team as a code owner November 7, 2024 14:21
sam-heilbron
sam-heilbron reviewed Nov 7, 2024
View reviewed changes
Copy link
Contributor

@sam-heilbron sam-heilbron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that it could be valuable to capture the background for the split configs in https://github.com/solo-io/gloo/tree/main/projects/gateway/pkg/services/k8sadmission. That way we have a public source of truth for that decision.

The changes look good overall. I'd like to see unit tests for the new field, and i imagine we want to rely on the default value (fail open) for our e2e tests (so no changes would be needed)

install/helm/gloo/generate/values.go Outdated Show resolved Hide resolved
install/helm/gloo/templates/5-gateway-validation-webhook-configuration.yaml Outdated Show resolved Hide resolved
install/helm/gloo/values-template.yaml Outdated Show resolved Hide resolved
install/test/helm_test.go Outdated Show resolved Hide resolved
sam-heilbron
sam-heilbron reviewed Nov 11, 2024
View reviewed changes
Copy link
Contributor

@sam-heilbron sam-heilbron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes LGTM!

I know there are some small documentation changes that we intend to make, I just wanted to 👍 the general direction.

@sheidkamp sheidkamp added the keep pr updated signals bulldozer to keep pr up to date with base branch label Nov 12, 2024
@sheidkamp sheidkamp force-pushed the sheidkamp/split-validating-webhook branch from 7c91dac to 1e0dc8c Compare November 12, 2024 18:50
@sheidkamp sheidkamp removed the work in progress signals bulldozer to keep pr open (don't auto-merge) label Nov 12, 2024
jenshu
jenshu reviewed Nov 12, 2024
View reviewed changes
install/helm/gloo/generate/values.go Outdated
Comment on lines 482 to 483
FailurePolicy *string `json:"failurePolicy,omitempty" desc:"failurePolicy defines how unrecognized errors for Gloo resources from the Gateway validation endpoint are handled - allowed values are 'Ignore' or 'Fail'. Defaults to Ignore "`
KubeCoreFailurePolicy *string `json:"kubeCoreFailurePolicy,omitempty" desc:"kubeCoreFailurePolicy defines how unrecognized errors for core resources from the Gateway validation endpoint are handled - allowed values are 'Ignore' or 'Fail'. If this is set to 'Fail' modifications to core resources such as secrets and namespace that are defined in the validating webhook will be blocked if the Gloo Service is not available. Defaults to Ignore "`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we don't need to mention the default values in the description since the docs will extract that from values-template.yaml

jenshu
jenshu reviewed Nov 12, 2024
View reviewed changes
test/kubernetes/e2e/features/validation/split_webhook/suite.go Outdated
Comment on lines 23 to 24
// var _ e2e.NewSuiteFunc = NewKubeFailTestingSuite
// var _ e2e.NewSuiteFunc = NewGlooFailTestingSuite
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup

jenshu
jenshu reviewed Nov 12, 2024
View reviewed changes
test/kubernetes/e2e/features/validation/split_webhook/suite.go Outdated
func (s *testingSuite) TearDownSuite() {
// nothing at the moment
}
func (s *testingSuite) SetupDownSuite() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup

@sheidkamp sheidkamp added the work in progress signals bulldozer to keep pr open (don't auto-merge) label Nov 12, 2024
jenshu
jenshu reviewed Nov 12, 2024
View reviewed changes
test/kubernetes/e2e/features/validation/split_webhook/suite.go Outdated
manifest := manifests[testName]
output, err := s.testInstallation.Actions.Kubectl().DeleteFileWithOutput(s.ctx, manifest.filename, "-n", s.testInstallation.Metadata.InstallNamespace)
// May have already been deleted
if err == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about the case where err != nil

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated to track successful deletion and only cleanup if neccessary.

jenshu
jenshu reviewed Nov 12, 2024
View reviewed changes
install/test/5-gateway-validation-webhook-configuration_test.go Outdated
structuredDeployment, ok := webhookObject.(*admissionregistrationv1.ValidatingWebhookConfiguration)
ExpectWithOffset(1, ok).To(BeTrue(), fmt.Sprintf("Webhook %+v should be able to cast to a structured deployment", webhook))

//ExpectWithOffset(1, structuredDeployment.Spec.Template.ObjectMeta.Annotations).To(BeEmpty(), fmt.Sprintf("No annotations should be present on deployment %+v", structuredDeployment))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still need this line?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nope, deleted

@sheidkamp sheidkamp removed the work in progress signals bulldozer to keep pr open (don't auto-merge) label Nov 12, 2024
@soloio-bulldozer soloio-bulldozer bot merged commit f40d935 into main Nov 13, 2024
19 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the sheidkamp/split-validating-webhook branch November 13, 2024 00:33
@github-actions github-actions bot mentioned this pull request Nov 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidjumani davidjumani davidjumani left review comments

@jenshu jenshu jenshu approved these changes

@Nadine2016 Nadine2016 Nadine2016 approved these changes

@sam-heilbron sam-heilbron sam-heilbron approved these changes

Assignees
No one assigned
Labels
keep pr updated signals bulldozer to keep pr up to date with base branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@sheidkamp @sam-heilbron @davidjumani @Nadine2016 @jenshu