Skip to content

CNTRLPLANE-940: Add CEL expression compile validation for Authentication admission #2353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

CNTRLPLANE-940: Add CEL expression compile validation for Authentication admission #2353

wants to merge 1 commit into from
+133 −2

Conversation

everettraven
Copy link

@everettraven everettraven commented Jul 1, 2025
edited
Loading

What this PR does / why we need it:

Updates the OpenShift-specific admission plugin for admission time validation of the authentications.config.openshift.io resource to add validation for CEL expressions that can be specified in claim mappings as of openshift/api#2234 in TPNU clusters.

This changes makes it so that we can reject, at admission time, CEL expressions that will not successfully compile.

@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Jul 1, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 1, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 1, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 1, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot
Copy link

openshift-ci-robot commented Jul 1, 2025
edited by openshift-ci bot
Loading

@everettraven: This pull request references CNTRLPLANE-940 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link

@everettraven: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Jul 1, 2025
@everettraven
Copy link
Author

/test all

1 similar comment
@everettraven
Copy link
Author

/test all

@everettraven
Copy link
Author

/retest-required

@everettraven everettraven force-pushed the feature/oidc-cel-admission-plugin branch from 435949d to ec4738b Compare July 9, 2025 12:45
@openshift-ci-robot
Copy link

@everettraven: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@everettraven everettraven marked this pull request as ready for review July 9, 2025 12:46
@openshift-ci openshift-ci bot requested review from benluddy and deads2k July 9, 2025 12:47
@everettraven everettraven force-pushed the feature/oidc-cel-admission-plugin branch from ec4738b to 9b472e3 Compare July 9, 2025 15:20
@openshift-ci-robot
Copy link

@everettraven: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot
Copy link

openshift-ci-robot commented Jul 9, 2025
edited by openshift-ci bot
Loading

@everettraven: This pull request references CNTRLPLANE-940 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

What this PR does / why we need it:

Updates the OpenShift-specific admission plugin for admission time validation of the authentications.config.openshift.io resource to add validation for CEL expressions that can be specified in claim mappings as of openshift/api#2234 in TPNU clusters.

This changes makes it so that we can reject, at admission time, CEL expressions that will not successfully compile.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@everettraven
Copy link
Author

/retest-required

liouk
liouk suggested changes Jul 10, 2025
View reviewed changes
...-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go Outdated

if spec.Type == configv1.AuthenticationTypeOIDC {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might make sense to split the validations of this func into two sub-funcs, one for OAuth and one for OIDC, as it's currently mixed.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you thinking along the lines of having something like:

switch spec.Type {
    case configv1.AuthenticationTypeOIDC:
        validateOIDC(...)
    case ...:
        ...
}

?

I considered doing something like that, but wasn't sold on it being worth the potential scope creep. If you think it would be useful to do that though I can make some changes.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I would prefer it, but no strong opinion. You could maybe at least separate the respective validations (i.e. put the oidc validation after the oauth metadata) and add some comments to section them out; that'd be fine as well.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I went to change towards a switch-based approach I noticed that there are not any other admission validations that ensure that the oauthMetadata field is only set when a particular type is set. Nor do we have a guarantee for the oidcProviders field on a type requirement.

For now, I'll section with comments, but I'd like to avoid any changes in this PR that might change how this validation has worked historically

@openshift-ci-robot
Copy link

@everettraven: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@everettraven everettraven force-pushed the feature/oidc-cel-admission-plugin branch from f0026aa to f92c8e7 Compare July 14, 2025 15:33
@openshift-ci-robot
Copy link

@everettraven: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@everettraven everettraven changed the title WIP: CNTRLPLANE-940: Add CEL expression compile validation for Authentication admission CNTRLPLANE-940: Add CEL expression compile validation for Authentication admission Jul 14, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 14, 2025
@everettraven
Copy link
Author

Should not merge until after kube 1.33 rebase is complete.

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 14, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 14, 2025

@everettraven: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/okd-scos-e2e-aws-ovn f92c8e7 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-runc f92c8e7 link true /test e2e-aws-ovn-runc
ci/prow/e2e-aws-ovn-serial f92c8e7 link true /test e2e-aws-ovn-serial
ci/prow/e2e-aws-ovn-techpreview f92c8e7 link false /test e2e-aws-ovn-techpreview
ci/prow/e2e-aws-ovn-fips f92c8e7 link true /test e2e-aws-ovn-fips
ci/prow/e2e-aws-csi f92c8e7 link false /test e2e-aws-csi
ci/prow/e2e-aws-ovn-crun f92c8e7 link true /test e2e-aws-ovn-crun
ci/prow/k8s-e2e-conformance-aws f92c8e7 link true /test k8s-e2e-conformance-aws
ci/prow/e2e-agnostic-ovn-cmd f92c8e7 link false /test e2e-agnostic-ovn-cmd
ci/prow/e2e-gcp f92c8e7 link true /test e2e-gcp
ci/prow/e2e-aws-crun-wasm f92c8e7 link true /test e2e-aws-crun-wasm
ci/prow/e2e-aws-ovn-techpreview-serial f92c8e7 link false /test e2e-aws-ovn-techpreview-serial
ci/prow/k8s-e2e-aws-ovn-serial f92c8e7 link false /test k8s-e2e-aws-ovn-serial
ci/prow/e2e-aws-ovn-cgroupsv2 f92c8e7 link true /test e2e-aws-ovn-cgroupsv2

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@liouk
Copy link
Member

liouk commented Jul 16, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 16, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 16, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: everettraven, liouk
Once this PR has been reviewed and has the lgtm label, please assign jerpeter1 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@everettraven everettraven force-pushed the feature/oidc-cel-admission-plugin branch from f92c8e7 to e35f60e Compare July 16, 2025 14:18
@openshift-ci-robot
Copy link

@everettraven: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 16, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 16, 2025

New changes are detected. LGTM label has been removed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liouk liouk liouk requested changes

@benluddy benluddy Awaiting requested review from benluddy

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@liouk liouk

Labels
backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. vendor-update Touching vendor dir or related files
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@everettraven @openshift-ci-robot @liouk