PSP reviews: client

[sdminonne]

@soltysh Thanks to have a look. For all-service-accounts flags I'm going to propose a fix for the API (working on it).

[mfojtik]

CC @openshift/cli-review

[mfojtik]

you can use fmt.Fprinln()

[mfojtik]

same here.

[mfojtik]

is this comment related to the function?

[mfojtik]

@smarterclayton don't we have this as helper in kube or origin (for things like oc set image)

[smarterclayton]

We do - it's on the factory.

[soltysh]

It's in

origin/pkg/api/meta/pods.go

Line 52 in 283a990

func GetPodSpec(obj runtime.Object) (*kapi.PodSpec, *field.Path, error) {

actually.

[sdminonne]

@soltysh that func returns a PodSpec while here we need a PodTemplateSpec (with the right meta) In factory as pointed out by @smarterclayton I found this
My only concern is that upstream AttachablePodForObject
invoked here
does not handle batch.CronJob and apps.StatefulSet which I would say it's a bug...
I'm going to submit an upstream PR if you agree.

[mfojtik]

no need for Sprintf

[mfojtik]

expected a single resource?

[sdminonne]

I raised the point int here and we agreed that only one resource should be handled

[soltysh]

Hmmm... that's not quite how I'm reading this. I'd say we want to be able to pass a list of resources and handle that. Generally, this entire code should go into Run. Not quite sure what to do with PrintObject, yet, but I'll get to that.

[soltysh]

What if a user pass a directory with multiple files, we want to handle those.

[sdminonne]

So we're going to handle -R handling recursion as well?

[soltysh]

That's what I understood from the discussion we've had the other day.

[sdminonne]

OK, I understood exactly the opposite. Only one resource and no -R :)
Anyway, reworking it to have multiple resources.

[mfojtik]

o.client, _, err := f.Clients()
if err != nil {}

[mfojtik]

can you add newline here?

[mfojtik]

Checks which Service Account can create a Pod

[soltysh]

Move to separate file, please. And like mentioned before, try to keep the flow similar to how other commands are.

[mfojtik]

maybe add more description to "User"?

[sdminonne]

@mfojtik thanks!. Going to wait for Clayton feedback and I'll modify accordingly

[soltysh]

(5) Create CLI for SCC access check

[soltysh]

Left you some comments.

[soltysh]

a User, ServiceAcount, or a Group...

[soltysh]

theit is interpreted as "What if User is not a member of any group"

and I wouldn't quote User nor Group.

[soltysh]

If User and Group is empty, the check is ...

[soltysh]

Btw. iirc from the discussion we've had in the trello, not specifying user nor group would result in SelfSubjectReview, which means against current user, has something changed here?

[soltysh]

<me ranting>
It's nice and readable to have the NewCmd* function right after *Options structure.
</me ranting>

[soltysh]

The body of this method should go towards:

kcmdutil.CheckErr(opts.Complete(f, cmd, args, out))
kcmdutil.CheckErr(opts.Validate())
kcmdutil.CheckErr(opts.Run())

Not sure if you need Validate, yet ;)

[soltysh]

typo: reviews, beside use full name Pod Security Policy Review

[soltysh]

Same limitation, we don't want to have.

[soltysh]

Same here about not using Sprintf.

[soltysh]

Now I can say validate is not needed, but the shape here should be:

kcmdutil.CheckErr(opts.Complete(f, cmd, args, out))
kcmdutil.CheckErr(opts.Run())

[soltysh]

It's in

origin/pkg/api/meta/pods.go

Line 52 in 283a990

func GetPodSpec(obj runtime.Object) (*kapi.PodSpec, *field.Path, error) {

actually.

[sdminonne]

@soltysh @mfojtik two commits one for each review. No generated code (anyway this must be squashed).
PTAL

[soltysh]

My comments apply to both commands, if mentioned only in one file :)

[soltysh]

If we're not allowed, we need to say so. This applies to all three printPsp* methods.

[soltysh]

btw. name methods, printPSPReview*, PSP here is an acronym, so it should be spelled like one.

[soltysh]

Comment not needed, since you split that to separate files.

[soltysh]

Same, not needed.

[soltysh]

If not Service Account is provided the one specified in ...

[soltysh]

unless the podTemplateSpec.spec.serviceAccoutName it is empty, ...

[soltysh]

That block should be moved to Run, not needed here.

[soltysh]

Or change it to return you just the builder object.

[soltysh]

I'm not sure we need this block. If you care about raw output you can always hit the endpoint by yourself. This is a convenience command, that gives you nice output. Similarly to how oc import-image works. In that case just go with the describer and you'll be good.

[soltysh]

Btw. you're missing the actual implementation of a PSP* describers in https://github.com/openshift/origin/blob/master/pkg/cmd/cli/describe/describer.go

[sdminonne]

@soltysh thanks for the review! PTAL

[soltysh]

Some minor nits in the form but most importantly I'm missing tests for this in test-cmd.sh. Make sure to have a few positive tests and negative, where you're trying to check an object that does not have PodTemplate.

[soltysh]

I like to have the options nicely sorted external values, set by users (ServiceAccountNames, FilenameOptions in your case) and internal values. Reads better :-)

[soltysh]

Same wrt to options.

[soltysh]

No need for value, just put into below function.

[soltysh]

I doubt you'll be doing both at the same time, either you do specify user and/or group or you don't and invoke self check. I'd split that into two methods one for each check. The code for the two can be shared start from line 148 until 154. The only difference will be setting .spec.User and/or .spec.Groups fields and the actual client calls. Printing should be shared as well.

[soltysh]

You're missing kcmdutil.AddPrinterFlags(cmd).

[sdminonne]

Right

[soltysh]

This doesn't seem to work as I expect:

$ oc policy review -f job.yaml
error:  "hello" cannot create pod: User "test-admin" cannot list all pods in the cluster

$ oc policy subject-review -f job.yaml
error:  "hello" cannot create pod: User "test-admin" cannot list all pods in the cluster

It looks from --loglevel=8 that it's trying to GET https://localhost:8443/api/v1/pods?labelSelector=%3Cnull%3E which it obviously fails to do.

[soltysh]

When I run this from cluster admin, I got this instead:

error:  "hello" cannot create pod: found '<', expected: !, identifier, or 'end of string'

My job.yaml for tests is:

apiVersion: batch/v1
kind: Job
metadata:
  name: hello
spec:
  template:
    metadata:
      name: hello
    spec:
      containers:
      - name: hello
        image: python:3.5.1
        command: ["python", "-c", "print('Hello world!')"]
      restartPolicy: Never

[soltysh]

Some more comments.

[soltysh]

Maybe a word or two that it returns a list of SCC that will allow creating those. I've struggled for a second what's the return value 😉

[soltysh]

IIRC, this is should be no more.

[sdminonne]

going to write a PR to remove in APIs as well.

[soltysh]

API agreed, here should be removed within this PR.

[soltysh]

Same - remove.

[sdminonne]

same

[soltysh]

You need something like that in subject_review.go

[sdminonne]

:\ ok, thanks

[soltysh]

Maybe <none> rather than 'Not allowed', so it's easier to spot.

[sdminonne]

ok

[soltysh]

Same <none> here and below. @fabianofranz wdyt?

[soltysh]

Use ${OS_ROOT}/test/testdata/job.yaml

[soltysh]

It would be nice if you could use different resources for each test, iow. job, deployment, just pod, etc.

[sdminonne]

[test]

[soltysh]

This LGTM, thank you Dario!

Now we need @openshift/cli-review approval for the cli part and @pweil- sign off, if we want to merge this for 1.5

[sdminonne]

@soltysh added code to verify statefulSet with volumeClaimTemplates.
cmd/policy.sh updated with an example of unsupported type

[pweil-]

bump @openshift/cli-review

[pweil-]

Also, please check godoc on all public methods.

[pweil-]

these names may be confusing. Should we prefix with psp or scc (or register with both)?

[juanvallejo]

I agree it would be good to prefix them with either, although I am not sure which prefix would best help describe this

[pweil-]

psp may be confusing until it's turned on in OpenShift. I'd go with scc if we go with any prefix

[sdminonne]

Modified both to scc-review and scc-subject-review.
Data strcture changed as well

[pweil-]

add tests for invalid input that is checked by Complete

[sdminonne]

done

[juanvallejo]

A few comments from @pweil- , but other than that this LGTM from a cli perspective

[juanvallejo]

Although I would not be opposed if not done this way, having this block return a resource.Result, and then using the result's .Visitor(func...) to iterate through each info would match how this is done in other commands.

[sdminonne]

Done

[sdminonne]

@pweil- @juanvallejo thanks for the feedback, I'm modifying.

[sdminonne]

No squash and no code generated. As soon you're OK I'll follow up.

[soltysh]

@pweil- oh well, I'm getting old 😝

[sdminonne]

[test]

[soltysh]

@pweil- mering or leaving out for now?

[pweil-]

double checking priority of this with PM since it is low risk (new commands). My recommendation though is that we get this in a fork ami so it can be tested and merge to master AFTER the 3.5 cut.

[soltysh]

Comments from https://bugzilla.redhat.com/show_bug.cgi?id=1421570 and https://bugzilla.redhat.com/show_bug.cgi?id=1421616 needs addressing. One I've pointed above. The other is about printing resource file name or resource name (depending on what's doable) before printing the actual result of the check. This applies to both commands.

[soltysh]

Shorthand should be -z to be consistent with other commands where serviceaccounts are specified.

[soltysh]

I'm taking back my LGTM, until comments from BZ are fixed.

[sdminonne]

@soltysh PTAL

[soltysh]

Flake #11452.

[test]

[soltysh]

Actually that was #12995 and it happened again. I'm not gonna re-kick it.

[soltysh]

This looks LGTM.

[soltysh]

I'm re-running tests to get a clean pass. Previously it was flake #12995.

[test]

[soltysh]

@smarterclayton this will be merged when last issues is address, @sdminonne is currently working on a fix. Additionally, this will be cherry-picked into 1.5 release. So I'm removing your merge tag for now.

[sdminonne]

@soltysh: PTAL

[soltysh]

This LGTM. I'm spinning fork_ami and let qa test it.

[soltysh]

Flake #9490.

re-[test]

[openshift-bot]

Evaluated for origin test up to 20bcb5d

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/400/) (Base Commit: 2d20080)

[soltysh]

Based on qa approval, and verbal approval from @pweil- and @mfojtik

[merge]

[openshift-bot]

Evaluated for origin merge up to 20bcb5d

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/415/) (Base Commit: 0ea6f5d) (Image: devenv-rhel7_5954)