change resource-verification-mode to verification-no-match-policy
This commit changes the trusted resources feature flag from
resource-verification-mode to verification-no-match-policy. This is a
backward-incompatible change as discussed in TEP-0091. Before this
commit the feature flag is used to skip/enforce the verification. This
commit changes this to check the existence of a matched
VerificationPolicy. So to enable the verification, users just need to
apply a VerificationPolicy to match the resources. To disable the
verification, users need to remove the policies and set
verification-no-match-policy to allow (by default).

Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
Yongxuanzhang committed Mar 13, 2023
1 parent 808c7fe commit 7cf6f5b
Showing 22 changed files with 334 additions and 306 deletions.
8 changes: 4 additions & 4 deletions config/config-feature-flags.yaml
Expand Up @@ -76,10 +76,10 @@ data:
# Setting this flag to "true" enables CloudEvents for CustomRuns and Runs, as long as a
# CloudEvents sink is configured in the config-defaults config map
send-cloudevents-for-runs: "false"
# Setting this flag to "enforce" will enforce verification of tasks/pipeline. Failing to verify
# will fail the taskrun/pipelinerun. "warn" will only log the err message and "skip"
# will skip the whole verification
resource-verification-mode: "skip"
# Setting this flag to "deny" will enforce verification of tasks/pipeline. Failing to verify
# will fail the taskrun/pipelinerun. "warn" will only log the err message and "allow"
# will skip the whole verification if no matching policies are found.
verification-no-match-policy: "allow"
# Setting this flag to "true" enables populating the "provenance" field in TaskRun
# and PipelineRun status. This field contains metadata about resources used
# in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
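Review bot: the new comment on `verification-no-match-policy` still describes the old `resource-verification-mode` semantics. It says "deny" "will enforce verification of tasks/pipeline. Failing to verify will fail the taskrun/pipelinerun", but the trusted-resources.md hunk in this same commit defines `deny` as "Fail the taskrun/pipelinerun if no matching policies are found", i.e. the flag now only decides what happens when no VerificationPolicy matches the resource. Suggest rewording every value in terms of the no-match case, e.g. `# "deny": fail the taskrun/pipelinerun if no matching VerificationPolicy is found`, `# "warn": log a warning and continue`, `# "allow": continue silently (default)`. It is also worth saying next to the default that `allow` is fail-open: with no policies installed, nothing is verified and nothing is logged.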
14 changes: 7 additions & 7 deletions docs/additional-configs.md
Expand Up @@ -2,12 +2,12 @@
---
title: "Additional Configuration Options"
linkTitle: "Additional Configuration Options"
weight: 109
weight: 109
description: >
Additional configurations when installing Tekton Pipelines
---
-->

This document describes additional options to configure your Tekton Pipelines
installation.

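Review bot: this hunk only changes whitespace on `weight: 109` and is unrelated to the flag rename; it adds diff noise to a backward-incompatible change that reviewers will want to read closely. Consider dropping it or moving it to a separate formatting commit.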
Expand Down Expand Up @@ -98,7 +98,7 @@ Environment variables can be configured in the following ways, mentioned in orde
3. Environment variables specified via a `default` `PodTemplate`.
4. Environment variables specified via a `PodTemplate`.

The environment variables specified by a `PodTemplate` supercedes all other ways of specifying environment variables. However, there exists a configuration i.e. `default-forbidden-env`, the environment variable specified in this list cannot be updated via a `PodTemplate`.
The environment variables specified by a `PodTemplate` supercedes all other ways of specifying environment variables. However, there exists a configuration i.e. `default-forbidden-env`, the environment variable specified in this list cannot be updated via a `PodTemplate`.

For example:

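Review bot: another whitespace-only change, this time on the `default-forbidden-env` paragraph. Since the line is touched anyway, fix the spelling "supercedes" to "supersedes" and split the run-on, e.g. "However, there is a configuration option, `default-forbidden-env`: environment variables listed there cannot be overridden via a `PodTemplate`." Otherwise this hunk should not be in this commit.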
Expand Down Expand Up @@ -238,7 +238,7 @@ The default is `false`. For more information, see the [associated issue](https:/
most stable features to be used. Set it to "alpha" to allow [alpha
features](#alpha-features) to be used.

- `resource-verification-mode`: Setting this flag to "enforce" will enforce verification of tasks/pipeline. Failing to verify will fail the taskrun/pipelinerun. "warn" will only log the err message and "skip" will skip the whole verification.
- `verification-no-match-policy`: Setting this flag to "enforce" will enforce verification of tasks/pipeline. Failing to verify will fail the taskrun/pipelinerun. "warn" will only log the err message and "skip" will skip the whole verification.
- `results-from`: set this flag to "termination-message" to use the container's termination message to fetch results from. This is the default method of extracting results. Set it to "sidecar-logs" to enable use of a results sidecar logs to extract results instead of termination message.

- `enable-provenance-in-status`: set this flag to "true" to enable recording
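Review bot: the bullet for `verification-no-match-policy` was renamed but its description was not updated; it still lists "enforce", "warn" and "skip", which are the old `resource-verification-mode` values. `setVerificationNoMatchPolicy` in this commit only accepts "deny", "warn" and "allow", so a user who follows this doc and sets "enforce" gets `invalid value for feature flag "verification-no-match-policy": "enforce"` when the config map is loaded. Suggest the wording from config-feature-flags.yaml and trusted-resources.md in this commit: "deny" fails the taskrun/pipelinerun when no matching VerificationPolicy is found, "warn" logs a warning and continues, and "allow" (the default) skips verification silently when no policy matches.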
Expand Down Expand Up @@ -285,7 +285,7 @@ Features currently in "alpha" are:
| [Matrix](./matrix.md) | [TEP-0090](https://github.com/tektoncd/community/blob/main/teps/0090-matrix.md) | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | |
| [Task-level Resource Requirements](compute-resources.md#task-level-compute-resources-configuration) | [TEP-0104](https://github.com/tektoncd/community/blob/main/teps/0104-tasklevel-resource-requirements.md) | [v0.39.0](https://github.com/tektoncd/pipeline/releases/tag/v0.39.0) | |
| [Object Params and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | | |
| [Trusted Resources](./trusted-resources.md) | [TEP-0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md) | N/A | `resource-verification-mode` |
| [Trusted Resources](./trusted-resources.md) | [TEP-0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md) | N/A | `verification-no-match-policy` |
| [`Provenance` field in Status](pipeline-api.md#provenance) | [issue#5550](https://github.com/tektoncd/pipeline/issues/5550) | N/A | `enable-provenance-in-status` |
| [Larger Results via Sidecar Logs](#enabling-larger-results-using-sidecar-logs) | [TEP-0127](https://github.com/tektoncd/community/blob/main/teps/0127-larger-results-via-sidecar-logs.md) | [v0.43.0](https://github.com/tektoncd/pipeline/releases/tag/v0.43.0) | `results-from` |

Expand Down Expand Up @@ -313,7 +313,7 @@ To exceed this limit of 4096 bytes, you can enable larger results using sidecar

**Note**: to enable this feature, you need to grant `get` access to all `pods/log` to the `Tekton pipeline controller`. This means that the tekton pipeline controller has the ability to access the pod logs.

1. Create a cluster role and rolebinding by applying the following spec to provide log access to `tekton-pipelines-controller`.
1. Create a cluster role and rolebinding by applying the following spec to provide log access to `tekton-pipelines-controller`.

```
kubectl apply -f optional_config/enable-log-access-to-controller/
Expand All @@ -326,7 +326,7 @@ kubectl patch cm feature-flags -n tekton-pipelines -p '{"data":{"results-from":"
```
3. If you want the size per result to be something other than 4096 bytes, you can set the `max-result-size` feature flag in bytes by setting `max-result-size: 8192(whatever you need here)`. **Note:** The value you can set here cannot exceed the size of the CRD limit of 1.5 MB.
```
kubectl patch cm feature-flags -n tekton-pipelines -p '{"data":{"max-result-size":"<VALUE-IN-BYTES>"}}'
```
16 changes: 9 additions & 7 deletions docs/trusted-resources.md
Expand Up @@ -54,19 +54,21 @@ metadata:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
resource-verification-mode: "enforce"
verification-no-match-policy: "deny"
```
**Note:** `resource-verification-mode` needs to be set as `enforce` or `warn` to enable resource verification.
`verification-no-match-policy` configurations:
* `allow`: Don't fail the taskrun/pipelinerun if no matching policies are found. Don't log.
* `warn`: Don't fail the taskrun/pipelinerun and log a warning if no matching policies are found.
* `deny`: Fail the taskrun/pipelinerun if no matching policies are found.

`resource-verification-mode` configurations:
* `enforce`: Failing verification will mark the taskruns/pipelineruns as failed.
* `warn`: Log warning but don't fail the taskruns/pipelineruns.
* `skip`: Directly skip the verification.
**Notes:**
* To skip the verification: make sure if no policies exist and `verification-no-match-policy` is set to `allow`.
* To enable the verification: install VerificationPolicy to match the resources.

Or patch the new values:
```bash
kubectl patch configmap feature-flags -n tekton-pipelines -p='{"data":{"resource-verification-mode":"enforce"}}
kubectl patch configmap feature-flags -n tekton-pipelines -p='{"data":{"verification-no-match-policy":"deny"}}
```

#### Config key at VerificationPolicy
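Review bot: the "Notes" bullets are hard to parse and the security implication of the default is missing. "make sure if no policies exist and `verification-no-match-policy` is set to `allow`" should read "make sure no VerificationPolicy exists and `verification-no-match-policy` is set to `allow`". More importantly, with the default `allow` a resource that no policy matches runs without verification and, per the `allow` bullet, without a log line, so an operator who installs policies for one repository is never told when a Task fetched from a different source bypasses verification entirely. Suggest stating explicitly that `allow` is fail-open, that `warn` is the minimum for visibility, and that `deny` is the recommended production setting once policies are in place. The example ConfigMap above sets `deny` while the prose says `allow` is the default; tell the reader which one to pick and why.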
47 changes: 27 additions & 20 deletions pkg/apis/config/feature_flags.go
Expand Up @@ -33,14 +33,14 @@ const (
AlphaAPIFields = "alpha"
// BetaAPIFields is the value used for "enable-api-fields" when beta APIs should be usable as well.
BetaAPIFields = "beta"
// EnforceResourceVerificationMode is the value used for "resource-verification-mode" when verification is applied and fail the
// DenyNoMatchPolicy is the value used for "verification-no-match-policy" when verification is applied and fail the
// TaskRun or PipelineRun when verification fails
EnforceResourceVerificationMode = "enforce"
// WarnResourceVerificationMode is the value used for "resource-verification-mode" when verification is applied but only log
DenyNoMatchPolicy = "deny"
// WarnNoMatchPolicy is the value used for "verification-no-match-policy" when verification is applied but only log
// the warning when verification fails
WarnResourceVerificationMode = "warn"
// SkipResourceVerificationMode is the value used for "resource-verification-mode" when verification is skipped
SkipResourceVerificationMode = "skip"
WarnNoMatchPolicy = "warn"
// AllowNoMatchPolicy is the value used for "verification-no-match-policy" when verification is skipped
AllowNoMatchPolicy = "allow"
// ResultExtractionMethodTerminationMessage is the value used for "results-from" as a way to extract results from tasks using kubernetes termination message.
ResultExtractionMethodTerminationMessage = "termination-message"
// ResultExtractionMethodSidecarLogs is the value used for "results-from" as a way to extract results from tasks using sidecar logs.
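Review bot: the doc comments on the renamed constants still describe the old mode semantics. `DenyNoMatchPolicy` reads "when verification is applied and fail the TaskRun or PipelineRun when verification fails" and `AllowNoMatchPolicy` reads "when verification is skipped", but these values now select behaviour when no VerificationPolicy matches the resource (see the `deny`/`warn`/`allow` definitions in trusted-resources.md in this commit). Suggest `// DenyNoMatchPolicy is the value used for "verification-no-match-policy" to fail the TaskRun or PipelineRun when no matching VerificationPolicy is found`, and the equivalent for `WarnNoMatchPolicy` and `AllowNoMatchPolicy`.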
Expand Down Expand Up @@ -73,8 +73,8 @@ const (
EnforceNonfalsifiabilityNone = ""
// DefaultEnforceNonfalsifiability is the default value for "enforce-nonfalsifiability".
DefaultEnforceNonfalsifiability = EnforceNonfalsifiabilityNone
// DefaultResourceVerificationMode is the default value for "resource-verification-mode".
DefaultResourceVerificationMode = SkipResourceVerificationMode
// DefaultNoMatchPolicyConfig is the default value for "verification-no-match-policy".
DefaultNoMatchPolicyConfig = AllowNoMatchPolicy
// DefaultEnableProvenanceInStatus is the default value for "enable-provenance-status".
DefaultEnableProvenanceInStatus = false
// DefaultResultExtractionMethod is the default value for ResultExtractionMethod
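Review bot: naming nit: `DefaultNoMatchPolicyConfig` does not follow the `Default<FieldName>` pattern of its neighbours (`DefaultEnforceNonfalsifiability`, `DefaultEnableProvenanceInStatus`) and the struct field it initialises is `VerificationNoMatchPolicy`; suggest `DefaultVerificationNoMatchPolicy`.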
Expand All @@ -93,7 +93,7 @@ const (
enableAPIFields = "enable-api-fields"
sendCloudEventsForRuns = "send-cloudevents-for-runs"
enforceNonfalsifiability = "enforce-nonfalsifiability"
verificationMode = "resource-verification-mode"
verificationMode = "verification-no-match-policy"
enableProvenanceInStatus = "enable-provenance-in-status"
resultExtractionMethod = "results-from"
maxResultSize = "max-result-size"
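Review bot: the key constant keeps its old identifier `verificationMode` while its value is now "verification-no-match-policy"; rename it to `verificationNoMatchPolicy` so that a search for the flag name finds the constant and the code that builds error messages from it (`setVerificationNoMatchPolicy`) reads consistently.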
Expand All @@ -113,7 +113,7 @@ type FeatureFlags struct {
SendCloudEventsForRuns bool
AwaitSidecarReadiness bool
EnforceNonfalsifiability string
ResourceVerificationMode string
VerificationNoMatchPolicy string
EnableProvenanceInStatus bool
ResultExtractionMethod string
MaxResultSize int
Expand Down Expand Up @@ -182,7 +182,7 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
if err := setFeature(sendCloudEventsForRuns, DefaultSendCloudEventsForRuns, &tc.SendCloudEventsForRuns); err != nil {
return nil, err
}
if err := setResourceVerificationMode(cfgMap, DefaultResourceVerificationMode, &tc.ResourceVerificationMode); err != nil {
if err := setVerificationNoMatchPolicy(cfgMap, DefaultNoMatchPolicyConfig, &tc.VerificationNoMatchPolicy); err != nil {
return nil, err
}
if err := setFeature(enableProvenanceInStatus, DefaultEnableProvenanceInStatus, &tc.EnableProvenanceInStatus); err != nil {
Expand Down Expand Up @@ -292,15 +292,15 @@ func setMaxResultSize(cfgMap map[string]string, defaultValue int, feature *int)
return nil
}

// setResourceVerificationMode sets the "resource-verification-mode" flag based on the content of a given map.
// setVerificationNoMatchPolicy sets the "verification-no-match-policy" flag based on the content of a given map.
// If the value is invalid or missing then an error is returned.
func setResourceVerificationMode(cfgMap map[string]string, defaultValue string, feature *string) error {
func setVerificationNoMatchPolicy(cfgMap map[string]string, defaultValue string, feature *string) error {
value := defaultValue
if cfg, ok := cfgMap[verificationMode]; ok {
value = strings.ToLower(cfg)
}
switch value {
case EnforceResourceVerificationMode, WarnResourceVerificationMode, SkipResourceVerificationMode:
case DenyNoMatchPolicy, WarnNoMatchPolicy, AllowNoMatchPolicy:
*feature = value
default:
return fmt.Errorf("invalid value for feature flag %q: %q", verificationMode, value)
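Review bot: the old key is not detected. This function only reads `cfgMap[verificationMode]`, i.e. "verification-no-match-policy", so a config map still carrying `resource-verification-mode: "enforce"` from before the upgrade is silently ignored and the new key falls back to `DefaultNoMatchPolicyConfig`, which is `allow`. For a change the commit message itself calls backward incompatible, that means a cluster that previously enforced verification drops to fail-open with no error. Suggest checking for the presence of the old `resource-verification-mode` key in `cfgMap` and returning an error (or at minimum logging a warning) that points operators at the new key.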
Expand Down Expand Up @@ -328,18 +328,25 @@ func EnableStableAPIFields(ctx context.Context) context.Context {
return setEnableAPIFields(ctx, StableAPIFields)
}

// CheckEnforceResourceVerificationMode returns true if the ResourceVerificationMode is EnforceResourceVerificationMode
// CheckAllowVerificationNoMatchPolicy returns true if the VerificationNoMatchPolicy is AllowNoMatchPolicy
// else returns false
func CheckEnforceResourceVerificationMode(ctx context.Context) bool {
func CheckAllowVerificationNoMatchPolicy(ctx context.Context) bool {
cfg := FromContextOrDefaults(ctx)
return cfg.FeatureFlags.ResourceVerificationMode == EnforceResourceVerificationMode
return cfg.FeatureFlags.VerificationNoMatchPolicy == AllowNoMatchPolicy
}

// CheckWarnResourceVerificationMode returns true if the ResourceVerificationMode is WarnResourceVerificationMode
// CheckDenyVerificationNoMatchPolicy returns true if the VerificationNoMatchPolicy is DenyNoMatchPolicy
// else returns false
func CheckWarnResourceVerificationMode(ctx context.Context) bool {
func CheckDenyVerificationNoMatchPolicy(ctx context.Context) bool {
cfg := FromContextOrDefaults(ctx)
return cfg.FeatureFlags.ResourceVerificationMode == WarnResourceVerificationMode
return cfg.FeatureFlags.VerificationNoMatchPolicy == DenyNoMatchPolicy
}

// CheckWarnVerificationNoMatchPolicy returns true if the VerificationNoMatchPolicy is WarnNoMatchPolicy
// else returns false
func CheckWarnVerificationNoMatchPolicy(ctx context.Context) bool {
cfg := FromContextOrDefaults(ctx)
return cfg.FeatureFlags.VerificationNoMatchPolicy == WarnNoMatchPolicy
}

// CheckAlphaOrBetaAPIFields return true if the enable-api-fields is either set to alpha or set to beta
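Review bot: three separate boolean helpers for one three-valued setting invite call sites that test only one of them: a caller that checks `CheckDenyVerificationNoMatchPolicy` and otherwise proceeds treats `warn` and `allow` identically and drops the warning. Consider a single accessor that returns the policy value and a `switch` at the call site, or at least document that `warn` must be handled explicitly. Minor: the "returns true if ... else returns false" comments can be shortened to the Go convention "reports whether ...".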

0 comments on commit 7cf6f5b