Add resource size validator #2781

timuthy · 2020-08-26T14:59:19Z

How to categorize this PR?

/area security
/kind enhancement
/priority normal

What this PR does / why we need it:
This PR adds the Resource Size Validator which is a webook for GCM and can be used to restrict the size of resources applied by end users. Please consult the enclosed documentation docs/concepts/controller-manager.md for more details.

Which issue(s) this PR fixes:
Fixes parts of #1650

Release note:

The Gardener Controller Manager is now equipped with a validation handler which checks incoming resource requests against configured quota configurations. It especially enables operators to restrict the maximum size of a single resource (e.g. shoot, plant, secret, ...) users apply to the Garden cluster and is at the same time a measure against DoS attacks. Please consult the documentation `docs/concepts/controller-manager.md#Resource-Size-Validator` for more details.

rfranzke

/assign
Love it - very clean, easy-to-follow and easy-to-read PR, thanks a lot.

docs/concepts/controller-manager.md

pkg/controllermanager/apis/config/v1alpha1/types.go

pkg/controllermanager/apis/config/validation/ControllerManagerConfiguration.go

pkg/controllermanager/server/handlers/webhooks/validate_resource_size.go

...gardener/controlplane/charts/application/templates/validatingwebhook-controller-manager.yaml

docs/concepts/controller-manager.md

pkg/controllermanager/apis/config/types.go

pkg/controllermanager/apis/config/validation/ControllerManagerConfiguration.go

docs/concepts/controller-manager.md

timuthy · 2020-09-02T11:05:44Z

Thanks for your rewiews @rfranzke @ialidzhikov. I already addressed your comments but as discussed in our internal meeting, I'll continue to move out the webhooks to a dedicated component so that we have:

multiple replicas for this dedicated component
a clear separation

timuthy · 2020-09-11T15:44:40Z

PR has been rebased on #2832. Please consider a98e6ee for review.
/hold

rfranzke · 2020-09-14T08:37:37Z

Please update the PR now that #2832 is merged :)

charts/gardener/controlplane/values.yaml

docs/concepts/admission-controller.md

pkg/admissioncontroller/apis/config/validation/controllerManagerConfiguration.go

pkg/admissioncontroller/apis/config/validation/controllerManagerConfiguration_test.go

pkg/admissioncontroller/apis/config/validation/validation_suite_test.go

pkg/admissioncontroller/server/handlers/webhooks/webhooks_suite_test.go

timuthy · 2020-09-14T16:15:49Z

/unhold
I addressed the feedback in 87272f1. PTAL.

docs/concepts/admission-controller.md

pkg/admissioncontroller/apis/config/validation/admissionControllerConfiguration.go

pkg/admissioncontroller/apis/config/validation/admissionControllerConfiguration_test.go

rfranzke

/lgtm

timuthy · 2020-09-15T08:33:28Z

Thanks @rfranzke, I force pushed again to squash the commits.

pkg/admissioncontroller/server/handlers/webhooks/validate_resource_size.go

pkg/admissioncontroller/apis/config/types.go

pkg/admissioncontroller/server/handlers/webhooks/utils.go

pkg/admissioncontroller/server/handlers/webhooks/utils_test.go

timuthy · 2020-09-15T10:10:37Z

Thanks @ialidzhikov for the feedback. PTAL.

ialidzhikov

/lgtm

timuthy requested a review from a team as a code owner August 26, 2020 14:59

gardener-robot added area/security Security related kind/enhancement Enhancement, improvement, extension priority/normal labels Aug 26, 2020

gardener-robot-ci-1 added the reviewed/ok-to-test label Aug 26, 2020

gardener-robot-ci-2 added needs/ok-to-test and removed reviewed/ok-to-test labels Aug 26, 2020

rfranzke requested changes Aug 28, 2020

View reviewed changes

gardener-robot assigned rfranzke Aug 28, 2020

ialidzhikov reviewed Aug 31, 2020

View reviewed changes

gardener-robot-ci-2 added the reviewed/ok-to-test label Sep 2, 2020

timuthy force-pushed the feature.size-validator branch from dfc325b to 579fa5c Compare September 2, 2020 10:59

gardener-robot-ci-1 removed the reviewed/ok-to-test label Sep 2, 2020

timuthy marked this pull request as draft September 2, 2020 11:07

timuthy mentioned this pull request Sep 9, 2020

Move GCM webhooks to dedicated Admission Controller #2832

Merged

timuthy force-pushed the feature.size-validator branch from 579fa5c to a98e6ee Compare September 11, 2020 15:40

gardener-robot-ci-3 added reviewed/ok-to-test and removed reviewed/ok-to-test labels Sep 11, 2020

timuthy marked this pull request as ready for review September 11, 2020 15:43

gardener-robot added the reviewed/do-not-merge label Sep 11, 2020

rfranzke requested changes Sep 14, 2020

View reviewed changes

timuthy force-pushed the feature.size-validator branch from a98e6ee to 87272f1 Compare September 14, 2020 16:13

gardener-robot-ci-1 added the reviewed/ok-to-test label Sep 14, 2020

gardener-robot-ci-1 removed the reviewed/ok-to-test label Sep 14, 2020

gardener-robot removed the reviewed/do-not-merge label Sep 14, 2020

rfranzke requested changes Sep 15, 2020

View reviewed changes

gardener-robot-ci-1 added reviewed/ok-to-test and removed reviewed/ok-to-test labels Sep 15, 2020

rfranzke previously approved these changes Sep 15, 2020

View reviewed changes

gardener-robot added the reviewed/lgtm label Sep 15, 2020

rfranzke requested a review from ialidzhikov September 15, 2020 08:23

timuthy dismissed rfranzke’s stale review via a616688 September 15, 2020 08:31

timuthy force-pushed the feature.size-validator branch from cfc47a7 to a616688 Compare September 15, 2020 08:31

gardener-robot-ci-3 added the reviewed/ok-to-test label Sep 15, 2020

Add resource size validator

42709f9

timuthy force-pushed the feature.size-validator branch from a616688 to 42709f9 Compare September 15, 2020 08:33

gardener-robot-ci-3 removed the reviewed/ok-to-test label Sep 15, 2020

ialidzhikov reviewed Sep 15, 2020

View reviewed changes

Default resource admission config

d512329

gardener-robot-ci-2 added the reviewed/ok-to-test label Sep 15, 2020

gardener-robot-ci-1 removed the reviewed/ok-to-test label Sep 15, 2020

ialidzhikov approved these changes Sep 15, 2020

View reviewed changes

rfranzke merged commit 0106379 into gardener:master Sep 15, 2020

timuthy deleted the feature.size-validator branch September 15, 2020 14:32

timuthy mentioned this pull request Oct 16, 2020

Add unit tests for admission handlers #2957

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add resource size validator #2781

Add resource size validator #2781

timuthy commented Aug 26, 2020 •

edited

rfranzke left a comment

timuthy commented Sep 2, 2020

timuthy commented Sep 11, 2020

rfranzke commented Sep 14, 2020

timuthy commented Sep 14, 2020

rfranzke left a comment

timuthy commented Sep 15, 2020

timuthy commented Sep 15, 2020

ialidzhikov left a comment

Add resource size validator #2781

Add resource size validator #2781

Conversation

timuthy commented Aug 26, 2020 • edited

rfranzke left a comment

Choose a reason for hiding this comment

timuthy commented Sep 2, 2020

timuthy commented Sep 11, 2020

rfranzke commented Sep 14, 2020

timuthy commented Sep 14, 2020

rfranzke left a comment

Choose a reason for hiding this comment

timuthy commented Sep 15, 2020

timuthy commented Sep 15, 2020

ialidzhikov left a comment

Choose a reason for hiding this comment

timuthy commented Aug 26, 2020 •

edited