From b3200d8f71793f9fd48df81eec679acf07d289ce Mon Sep 17 00:00:00 2001 From: Vincent Demeester Date: Thu, 13 Jun 2024 16:00:26 +0200 Subject: [PATCH] Cleanup resolved object before validating through dry-run This ensure that we are not going to fail during validation with dry-run. An example of such a failure would be the following scenario. - A task in a namespace has `ownerReferences` with `blockOwnerDeletion: true` - A user uses the `cluster` resolver to fetch that task - That user doesn't have a lot of rights in that namespace (only listing Tasks for example). /kind bug Signed-off-by: Vincent Demeester (cherry picked from commit d3b18ea0beed19d499b610780fdbeb59afc3a6e2) (cherry picked from commit a89b9644c6abc7056064297469913082ecc880d8) --- pkg/reconciler/pipelinerun/resources/pipelineref.go | 6 ++++++ pkg/reconciler/taskrun/resources/taskref.go | 12 +++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/pkg/reconciler/pipelinerun/resources/pipelineref.go b/pkg/reconciler/pipelinerun/resources/pipelineref.go index ffbbbbfd5a0..612920667ec 100644 --- a/pkg/reconciler/pipelinerun/resources/pipelineref.go +++ b/pkg/reconciler/pipelinerun/resources/pipelineref.go @@ -136,6 +136,9 @@ func resolvePipeline(ctx context.Context, resolver remote.Resolver, name string, func readRuntimeObjectAsPipeline(ctx context.Context, namespace string, obj runtime.Object, k8s kubernetes.Interface, tekton clientset.Interface, refSource *v1.RefSource, verificationPolicies []*v1alpha1.VerificationPolicy) (*v1.Pipeline, *trustedresources.VerificationResult, error) { switch obj := obj.(type) { case *v1beta1.Pipeline: + // Cleanup object from things we don't care about + // FIXME: extract this in a function + obj.ObjectMeta.OwnerReferences = nil // Verify the Pipeline once we fetch from the remote resolution, mutating, validation and conversion of the pipeline should happen after the verification, since signatures are based on the remote pipeline contents vr := trustedresources.VerifyResource(ctx, obj, k8s, refSource, verificationPolicies) // Issue a dry-run request to create the remote Pipeline, so that it can undergo validation from validating admission webhooks @@ -154,6 +157,9 @@ func readRuntimeObjectAsPipeline(ctx context.Context, namespace string, obj runt } return p, &vr, nil case *v1.Pipeline: + // Cleanup object from things we don't care about + // FIXME: extract this in a function + obj.ObjectMeta.OwnerReferences = nil vr := trustedresources.VerifyResource(ctx, obj, k8s, refSource, verificationPolicies) // Issue a dry-run request to create the remote Pipeline, so that it can undergo validation from validating admission webhooks // without actually creating the Pipeline on the cluster diff --git a/pkg/reconciler/taskrun/resources/taskref.go b/pkg/reconciler/taskrun/resources/taskref.go index 84da4fd31d9..e8195ba29e1 100644 --- a/pkg/reconciler/taskrun/resources/taskref.go +++ b/pkg/reconciler/taskrun/resources/taskref.go @@ -84,7 +84,8 @@ func GetTaskFuncFromTaskRun(ctx context.Context, k8s kubernetes.Interface, tekto // a remote image to fetch the reference. It will also return the "kind" of the task being referenced. // OCI bundle and remote resolution tasks will be verified by trusted resources if the feature is enabled func GetTaskFunc(ctx context.Context, k8s kubernetes.Interface, tekton clientset.Interface, requester remoteresource.Requester, - owner kmeta.OwnerRefable, tr *v1.TaskRef, trName string, namespace, saName string, verificationPolicies []*v1alpha1.VerificationPolicy) GetTask { + owner kmeta.OwnerRefable, tr *v1.TaskRef, trName string, namespace, saName string, verificationPolicies []*v1alpha1.VerificationPolicy, +) GetTask { kind := v1.NamespacedTaskKind if tr != nil && tr.Kind != "" { kind = tr.Kind @@ -154,6 +155,9 @@ func resolveTask(ctx context.Context, resolver remote.Resolver, name, namespace func readRuntimeObjectAsTask(ctx context.Context, namespace string, obj runtime.Object, k8s kubernetes.Interface, tekton clientset.Interface, refSource *v1.RefSource, verificationPolicies []*v1alpha1.VerificationPolicy) (*v1.Task, *trustedresources.VerificationResult, error) { switch obj := obj.(type) { case *v1beta1.Task: + // Cleanup object from things we don't care about + // FIXME: extract this in a function + obj.ObjectMeta.OwnerReferences = nil // Verify the Task once we fetch from the remote resolution, mutating, validation and conversion of the task should happen after the verification, since signatures are based on the remote task contents vr := trustedresources.VerifyResource(ctx, obj, k8s, refSource, verificationPolicies) // Issue a dry-run request to create the remote Task, so that it can undergo validation from validating admission webhooks @@ -172,6 +176,9 @@ func readRuntimeObjectAsTask(ctx context.Context, namespace string, obj runtime. } return t, &vr, nil case *v1beta1.ClusterTask: + // Cleanup object from things we don't care about + // FIXME: extract this in a function + obj.ObjectMeta.OwnerReferences = nil t, err := convertClusterTaskToTask(ctx, *obj) // Issue a dry-run request to create the remote Task, so that it can undergo validation from validating admission webhooks // without actually creating the Task on the cluster @@ -180,6 +187,9 @@ func readRuntimeObjectAsTask(ctx context.Context, namespace string, obj runtime. } return t, nil, err case *v1.Task: + // Cleanup object from things we don't care about + // FIXME: extract this in a function + obj.ObjectMeta.OwnerReferences = nil vr := trustedresources.VerifyResource(ctx, obj, k8s, refSource, verificationPolicies) // Issue a dry-run request to create the remote Task, so that it can undergo validation from validating admission webhooks // without actually creating the Task on the cluster