fix: Filter patches to drop "remove" operation to prevent dropping unknown fields
#1333
Conversation
Signed-off-by: Anish Ramasekar <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1333 +/- ##
==========================================
+ Coverage 51.66% 52.85% +1.18%
==========================================
Files 53 53
Lines 2938 2433 -505
==========================================
- Hits 1518 1286 -232
+ Misses 1378 1104 -274
- Partials 42 43 +1 ☔ View full report in Codecov by Sentry. |
aramase
force-pushed
the
aramase/c/fix_fields_dropped
branch
2 times, most recently
from
a221f09 to
3aa02ec
Compare
fields Signed-off-by: Anish Ramasekar <[email protected]>
Signed-off-by: Anish Ramasekar <[email protected]>
Signed-off-by: Anish Ramasekar <[email protected]>
aramase
force-pushed
the
aramase/c/fix_fields_dropped
branch
from
3aa02ec to
046bc26
Compare
aramase
changed the title
"add" operation to prevent dropping unknown fields"remove" operation to prevent dropping unknown fields
aramase
changed the title
"remove" operation to prevent dropping unknown fields"remove" operation to prevent dropping unknown fields
Signed-off-by: Anish Ramasekar <[email protected]>
| // // drop patches that are removing fields | ||
| // // this prevents patches that remove fields that the webhook doesn't know about | ||
| // // ref: https://github.com/Azure/azure-workload-identity/issues/1312 | ||
| // if patch.Operation == "remove" { |
There was a problem hiding this comment.
This commented out approach seems safer? And maybe invert the check so we only keep the type of operations we understand?
| // return patchResponse | ||
|
|
||
| // Merge the original raw object with the modified marshaled pod | ||
| patchedObject, err := strategicpatch.StrategicMergePatch(req.Object.Raw, marshaledPod, corev1.Pod{}) |
There was a problem hiding this comment.
I haven't seen any other webhook use this approach, so it makes me nervous that it won't work correctly in all cases.
| readerObjects: nil, | ||
| }, | ||
| { | ||
| name: "pod has the required label, restart policy in init container", |
There was a problem hiding this comment.
Also add tests where we fabricate fields that will never exist at different nesting levels that don't exist anywhere in corev1.Pod. Like pod.Panda or pod.Spec.Panda or pod.Spec.Jungle.Panda.
|
Closing this PR after further testing. In e2e tests we create a pod with init container and test injecting sidecar proxy. The sidecar is added as the first container in the list so it's started first and the way patches get generated instead of doing a complete replace of {replace /spec/containers/0/name azwi-proxy}
{replace /spec/containers/0/image aramase/proxy:add_op_00}
{add /spec/containers/0/ports [map[containerPort:8080]]}
{add /spec/containers/0/securityContext/privileged false}
{replace /spec/containers/0/securityContext/runAsNonRoot true}
{add /spec/containers/0/securityContext/readOnlyRootFilesystem true}
{remove /spec/containers/0/securityContext/seccompProfile <nil>}
{remove /spec/containers/0/securityContext/runAsUser <nil>}
{remove /spec/containers/0/args/2 <nil>}
{replace /spec/containers/0/args/1 --log-level=info}
{replace /spec/containers/0/args/0 --proxy-port=8080}if we skip "remove" operation, it breaks because the args and other fields incorrectly remain.
|
Reason for Change:
Filter patches to only allow "add" operation to prevent dropping unknown fields
Issue Fixed:
fixes #1312