Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update apiVersions of webhook rule #11149

Merged
merged 2 commits into from
Sep 7, 2023

Conversation

mikutas
Copy link
Contributor

@mikutas mikutas commented Jul 23, 2023

HttpRoute v1beta2/v1beta3 seems not to be validated via webhook

❯ helm template charts/linkerd-crds/ --show-only templates/policy/httproute.yaml | yq .spec.versions[].name
v1alpha1
v1beta1
v1beta2
v1beta3

@mikutas mikutas force-pushed the validate-httproute-v1beta2v1beta3 branch 2 times, most recently from 2f4b477 to 19bba53 Compare July 25, 2023 00:21
@mikutas mikutas force-pushed the validate-httproute-v1beta2v1beta3 branch from 19bba53 to 68a40e5 Compare July 25, 2023 10:26
@mikutas mikutas marked this pull request as ready for review July 26, 2023 11:18
@mikutas mikutas requested a review from a team as a code owner July 26, 2023 11:18
Copy link
Member

@alpeb alpeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good find 👍
It's important to note that even before this change, v1beta2 and v1beta3 were getting sent to the validator regardless, because it uses the default matchPolicy: Equivalent, which means the resource will get sent for any of the versions for that API group that are getting served (currently all are getting served, and v1beta3 is the one marked for storage).
I think it's still good practice to consider all the versions here, but to avoid updating every time, perhaps a wildcard '*' would do? @adleong wdyt?

@mikutas mikutas changed the title fix: validate HttpRoute v1beta2/v1beta3 chore: validate HttpRoute v1beta2/v1beta3 Jul 29, 2023
@mikutas mikutas changed the title chore: validate HttpRoute v1beta2/v1beta3 Update apiVersions of webhook rule Jul 29, 2023
@alpeb
Copy link
Member

alpeb commented Aug 3, 2023

@mikutas After talking off-github with @adleong we agreed having a wildcard there should let us not having to worry about updating that entry anymore. Do you mind updating it accordingly?

so that we don't worry about updating the field

Signed-off-by: Takumi Sue <[email protected]>
Copy link
Member

@alpeb alpeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @mikutas , this looks good to me 👍

Copy link
Member

@mateiidavid mateiidavid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so much @mikutas!

@mateiidavid mateiidavid merged commit 33dd17f into linkerd:main Sep 7, 2023
33 checks passed
mateiidavid added a commit that referenced this pull request Sep 7, 2023
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this change fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([11265])
* Improved help messaging for `linkerd multicluster link` ([11265])
* Changed hostPort lookup behaviour in the destination service; previously,
  endpoint lookups for pods bound on a hostPort would return the Pod IP which
  would result in loss of connectivity on pod restart, hostIPs are now always
  returned when a pod uses a hostPort ([11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([10231])

[11309]: #11309
[11296]: #11296
[11328]: #11328
[11301]: #11301
[11265]: #11265
[11149]: #11149
[10231]: #10231

Signed-off-by: Matei David <[email protected]>
@mateiidavid mateiidavid mentioned this pull request Sep 7, 2023
@mikutas mikutas deleted the validate-httproute-v1beta2v1beta3 branch September 9, 2023 04:40
mateiidavid added a commit that referenced this pull request Sep 11, 2023
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([#11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([#11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([#11265])
* Improved help messaging for `linkerd multicluster link` ([#11265])
* Changed how hostPort lookups are handled in the destination service.
  Previously, when doing service discovery for an endpoint bound on a hostPort,
  the destination service would return the corresponding pod IP. On pod
  restart, this could lead to loss of connectivity on the client's side. The
  destination service now always returns host IPs for service discovery on an
  endpoint that uses hostPorts ([#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([#11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([#10231])

[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

---------

Signed-off-by: Matei David <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
HTTPRoute resources are sent to the validator regardless of their version (v1beta2, v1beta3) due to the match policy of the resource (resource is sent for any version of the API being served). However, it is good practice to consider all versions explicitly in the webhook rule. This change adds a wildcard operator to consider any HTTPRoute version for admission.

Signed-off-by: Takumi Sue <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([linkerd#11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([linkerd#11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([linkerd#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([linkerd#11265])
* Improved help messaging for `linkerd multicluster link` ([linkerd#11265])
* Changed how hostPort lookups are handled in the destination service.
  Previously, when doing service discovery for an endpoint bound on a hostPort,
  the destination service would return the corresponding pod IP. On pod
  restart, this could lead to loss of connectivity on the client's side. The
  destination service now always returns host IPs for service discovery on an
  endpoint that uses hostPorts ([linkerd#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([linkerd#11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([linkerd#10231])

[linkerd#11309]: linkerd#11309
[linkerd#11296]: linkerd#11296
[linkerd#11328]: linkerd#11328
[linkerd#11301]: linkerd#11301
[linkerd#11265]: linkerd#11265
[linkerd#11149]: linkerd#11149
[linkerd#10231]: linkerd#10231

---------

Signed-off-by: Matei David <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
HTTPRoute resources are sent to the validator regardless of their version (v1beta2, v1beta3) due to the match policy of the resource (resource is sent for any version of the API being served). However, it is good practice to consider all versions explicitly in the webhook rule. This change adds a wildcard operator to consider any HTTPRoute version for admission.

Signed-off-by: Takumi Sue <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([linkerd#11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([linkerd#11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([linkerd#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([linkerd#11265])
* Improved help messaging for `linkerd multicluster link` ([linkerd#11265])
* Changed how hostPort lookups are handled in the destination service.
  Previously, when doing service discovery for an endpoint bound on a hostPort,
  the destination service would return the corresponding pod IP. On pod
  restart, this could lead to loss of connectivity on the client's side. The
  destination service now always returns host IPs for service discovery on an
  endpoint that uses hostPorts ([linkerd#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([linkerd#11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([linkerd#10231])

[linkerd#11309]: linkerd#11309
[linkerd#11296]: linkerd#11296
[linkerd#11328]: linkerd#11328
[linkerd#11301]: linkerd#11301
[linkerd#11265]: linkerd#11265
[linkerd#11149]: linkerd#11149
[linkerd#10231]: linkerd#10231

---------

Signed-off-by: Matei David <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
mateiidavid added a commit that referenced this pull request Sep 21, 2023
This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
`remoteDiscoverySelector` field in the `Link` resource would cause all services
to be exported. Finally, this release addresses two security vulnerabilities,
[CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous
other fixes and enhancements.

* CLI
  * Fixed `linkerd check --proxy` incorrectly checking the proxy version of
    pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
  * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
    inject` (thanks @mikutas!) ([#10231])

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin ([#11296])

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts ([#11328])
  * Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) ([#11149])

* Helm
  * Removed unnecessary `linkerd.io/helm-release-version` annotation from the
    `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
    [#10778])
  * Introduced resource requests/limits for the policy controller resource in
    the control plane helm chart ([#11301])

* Multicluster
  * Fixed an issue where an empty `remoteDiscoverySelector` field in a
    multicluster link would cause all services to be mirrored ([#11309])
  * Removed time out from `linkerd multicluster gateways` command; when no
    metrics exist the command will return instantly ([#11265])
  * Improved help messaging for `linkerd multicluster link` ([#11265])

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
    ([#11361])

[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[#11295]: #11295
[#11280]: #11280
[#11361]: #11361
[#11329]: #11329
[#10778]: #10778
[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

Signed-off-by: Matei David <[email protected]>
@mateiidavid mateiidavid mentioned this pull request Sep 21, 2023
mateiidavid added a commit that referenced this pull request Sep 25, 2023
* stable-2.14.1

This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
`remoteDiscoverySelector` field in the `Link` resource would cause all services
to be exported. Finally, this release addresses two security vulnerabilities,
[CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous
other fixes and enhancements.

* CLI
  * Fixed `linkerd check --proxy` incorrectly checking the proxy version of
    pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
  * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
    inject` (thanks @mikutas!) ([#10231])

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin ([#11296])

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts ([#11328])
  * Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) ([#11149])

* Helm
  * Removed unnecessary `linkerd.io/helm-release-version` annotation from the
    `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
    [#10778])
  * Introduced resource requests/limits for the policy controller resource in
    the control plane helm chart ([#11301])

* Multicluster
  * Fixed an issue where an empty `remoteDiscoverySelector` field in a
    multicluster link would cause all services to be mirrored ([#11309])
  * Removed time out from `linkerd multicluster gateways` command; when no
    metrics exist the command will return instantly ([#11265])
  * Improved help messaging for `linkerd multicluster link` ([#11265])

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
    ([#11361])

[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[#11295]: #11295
[#11280]: #11280
[#11361]: #11361
[#11329]: #11329
[#10778]: #10778
[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

Signed-off-by: Matei David <[email protected]>
Signed-off-by: Eliza Weisman <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants