Add complete k8s object validation and defaults on standalone #1521
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
d1ce74c to
b1ccbc6
Compare
f835b9e to
4baded7
Compare
|
I linked this PR to close #1318 as well because trying to decode the content of tetragon/pkg/tracingpolicy/generictracingpolicy_test.go Lines 456 to 488 in 9405281 But with this PR it will actually now pass a proper validation step while decoding |
f15f66f to
1378eb6
Compare
|
Followups would be:
|
1378eb6 to
df8fc28
Compare
Use native k8s types in order to not redeclare existing struct and be compatible when calling k8s functions. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Before that, validation was only applied via the JSON unmarshalling, so mostly type validation. Only the k8s API server was checking the CRD schema validation thus making it possible to load a Tracing Policy in standalone that was an invalid k8s object. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Before we had a discrepancy between using custom resources Tracing Policies on k8s and in standalone mode. If you went via the API server, the validation and default was applied but going straight via gRPC or --tracing-policy flag allowed to circumvent validation and most importantly defaulting. Creating potentially different behavior loading on k8s and in standalone. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
To avoid having FromYAML and FromYAMLNamespaced, and similar for FromFile, use a common interface between GenericTracingPolicy and GenericTracingPolicyNamespaced. Note we could get rid of one type as they represent the same object internally, just keep GenericTracingPolicy and remove that interface. We can then distinguish between Namespaced or not by reading the Kind of the resource. That's a matter of preference between type casting and calling a method to distinguish which kind is it really. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Missing omitempty JSON tag was making validation requiring that empty JSON arrays should be indicated explicitly with `array: null` to be a valid object. I think it was forgotten by the authors. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Testing cases were often invalids, which was not particularly an issue given what was tested, but the new mandatory validation step detected many issues. Most of that was missing `kind: TracingPolicy`. We had many, around 50 so I injected that automatically, it might have been overlooking some `kind: TracingPolicyNamespaced`. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
New validation made some Tracing Policy containing tracepoints without types on args invalid. Tracepoints are stables and well defined so we parse the format files to retrieve the args if we don't specify them in the Tracing Policy. Unfortunately, we could not just add a Optional Kubebuilder tag on the field because Enum still need to match the exact list, which cannot contain an empty value. So we define the new 'auto' type which is the default can be used for autodetection on tracepoint. We prevent the use of 'auto' on kprobe but we could implement similar auto detection with BTF support. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
- Make tetragon-oci-hook its own module so that we can use an old cel version. Google CEL dependency was in conflict with the version used in the k8s API server that was needed to perform defaulting. - Add a replace directive for the tetragon/api pkg for the new tetragon-oci-hook module. - Add vendoring of the new module in the Makefile vendor command - Remove cilium replacement. I'd expect this to be fine. The replacement is also removed from cilium's main branch. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Add the new entry for the tetragon OCI hook Go module and try to remove useless packageRules by adding the postUpgradeTasks and postUpdateOptions directly to all Go updates. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
df8fc28 to
d08f4e3
Compare
kevsecurity
approved these changes
Oct 4, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See individual commits.
This PR actually uncovered a few issues/bugs in type declaration and TracingPolicy tests. We will now have the same custom resource validation and defaults when deploying on k8s using CRD mechanisms and in standalone, this should unify the behavior.
Code addition is huge because we needed to make a binary an independent Go module because of a version mismatch in a library and I vendored the dependencies.
This might break user workflow if they relied on the fact that the validation was not properly done on standalone.