From 6099e4c1aacfe9ae498cb94546830825f0fd4b11 Mon Sep 17 00:00:00 2001 From: Thorsten Klein Date: Mon, 16 Oct 2023 17:39:07 +0200 Subject: [PATCH 1/3] change: also recheck permissions if generation changed but image didn't Signed-off-by: Thorsten Klein
---
 pkg/controller/permissions/permissions_check.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/controller/permissions/permissions_check.go b/pkg/controller/permissions/permissions_check.go
index ab1f52ef4..17a3c6996 100644
--- a/pkg/controller/permissions/permissions_check.go
+++ b/pkg/controller/permissions/permissions_check.go
@@ -63,8 +63,8 @@ func CheckPermissions(req router.Request, _ router.Response) error {
 }

 // Early exit
- if app.Status.Staged.AppImage.ID == "" ||
- app.Status.Staged.AppImage.Digest == app.Status.AppImage.Digest ||
+ if (app.Status.Staged.AppImage.ID == "" ||
+ app.Status.Staged.AppImage.Digest == app.Status.AppImage.Digest) &&
 app.Status.Staged.PermissionsObservedGeneration == app.Generation {
 // IAR disabled? Allow the Image if we're not re-checking permissions
 if enabled, err := config.GetFeature(req.Ctx, req.Client, profiles.FeatureImageAllowRules); err != nil {
From ce9631201d26e48f2f67182e4fa7c0c02dbe42f9 Mon Sep 17 00:00:00 2001 From: Thorsten Klein Date: Mon, 16 Oct 2023 18:00:10 +0200 Subject: [PATCH 2/3] change: set staged.appScopedPermissions and ultimately status.Permissions where no recheck of perms is needed Signed-off-by: Thorsten Klein
---
 pkg/controller/appdefinition/parse.go | 8 +++++
 .../permissions/permissions_check.go | 32 +++++++++++--------
 2 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/pkg/controller/appdefinition/parse.go b/pkg/controller/appdefinition/parse.go
index c53f585fa..bc0411000 100644
--- a/pkg/controller/appdefinition/parse.go
+++ b/pkg/controller/appdefinition/parse.go
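Review bot: With the regrouped condition, an app whose `Status.Staged.AppImage.ID` is empty no longer takes the early exit once `PermissionsObservedGeneration` lags `Generation`, so the rest of CheckPermissions now runs with no staged image; that tail of the function is outside this hunk, and if it resolves image details by ID it needs to be confirmed to tolerate the empty value (or the empty-ID case handled explicitly before this check). The `// Early exit` comment no longer explains the rule it guards; I would write `// Early exit: the staged image is absent or unchanged AND permissions were already observed for this generation, so there is nothing new to check`. The body of CheckPermissions continues past both edges of the hunk.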
@@ -5,6 +5,7 @@ import (
 v1 "github.com/acorn-io/runtime/pkg/apis/internal.acorn.io/v1"
 "github.com/acorn-io/runtime/pkg/appdefinition"
 "github.com/acorn-io/runtime/pkg/condition"
+ "github.com/acorn-io/runtime/pkg/controller/permissions"
 )

 func ParseAppImage(req router.Request, resp router.Response) error {
@@ -30,6 +31,13 @@ func ParseAppImage(req router.Request, resp router.Response) error {
 return nil
 }

+ // Migration for AppScopedPermissions
+ if len(appInstance.Status.Staged.AppScopedPermissions) == 0 &&
+ appInstance.Status.Staged.PermissionsObservedGeneration == appInstance.Generation &&
+ len(appInstance.Status.Staged.ImagePermissionsDenied) == 0 {
+ appInstance.Status.Staged.AppScopedPermissions = permissions.GetAppScopedPermissions(appInstance, appSpec)
+ }
+
 appInstance.Status.AppSpec = *appSpec
 status.Success()
 return nil
diff --git a/pkg/controller/permissions/permissions_check.go b/pkg/controller/permissions/permissions_check.go
index 17a3c6996..a91679bec 100644
--- a/pkg/controller/permissions/permissions_check.go
+++ b/pkg/controller/permissions/permissions_check.go
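Review bot: The backfill in ParseAppImage fills `Staged.AppScopedPermissions` without going through the allow-rule check in CheckPermissions, and the comment `// Migration for AppScopedPermissions` does not say why that is safe; the justification is the two other conjuncts (the permission check already ran for this exact generation and nothing was denied), and that should be stated, e.g. `// Migration: apps checked before Staged.AppScopedPermissions existed have a matching PermissionsObservedGeneration but an empty list; backfill from the spec already verified for this generation (nothing denied), so no re-check is needed.` Note also that `len(...) == 0` cannot distinguish "not yet migrated" from "legitimately no scoped permissions", so for such apps the backfill recomputes on every reconcile; harmless, but worth a sentence in the comment so nobody expects it to be one-off. The new import of pkg/controller/permissions into the appdefinition controller adds a cross-controller dependency; worth confirming it does not form an import cycle. ParseAppImage continues past both edges of the hunk.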
@@ -114,20 +114,7 @@ func CheckPermissions(req router.Request, _ router.Response) error {
 details.AppImage.Digest, appImage.Digest)
 }

- // ServiceNames of the current app level (i.e. not nested Acorns/Services)
- scvnames := maps.Keys(details.AppSpec.Containers)
- scvnames = append(scvnames, maps.Keys(details.AppSpec.Jobs)...)
- scvnames = append(scvnames, maps.Keys(details.AppSpec.Services)...)
-
- // Only consider the scope of the current app level (i.e. not nested Acorns/Services)
- grantedPerms := app.Spec.GetGrantedPermissions()
- scopedGrantedPerms := []v1.Permissions{}
- for i, p := range grantedPerms {
- if slices.Contains(scvnames, p.ServiceName) {
- scopedGrantedPerms = append(scopedGrantedPerms, grantedPerms[i])
- }
- }
-
+ scopedGrantedPerms := GetAppScopedPermissions(app, details.AppSpec)
 app.Status.Staged.AppScopedPermissions = scopedGrantedPerms

 // If iraEnabled, check if the Acorn images are authorized to request the defined permissions.
@@ -174,3 +161,20 @@ func CheckPermissions(req router.Request, _ router.Response) error {

 return nil
 }
+
+func GetAppScopedPermissions(app *v1.AppInstance, appSpec *v1.AppSpec) []v1.Permissions {
+ // ServiceNames of the current app level (i.e. not nested Acorns/Services)
+ scvnames := maps.Keys(appSpec.Containers)
+ scvnames = append(scvnames, maps.Keys(appSpec.Jobs)...)
+ scvnames = append(scvnames, maps.Keys(appSpec.Services)...)
+
+ // Only consider the scope of the current app level (i.e. not nested Acorns/Services)
+ grantedPerms := app.Spec.GetGrantedPermissions()
+ scopedGrantedPerms := []v1.Permissions{}
+ for i, p := range grantedPerms {
+ if slices.Contains(scvnames, p.ServiceName) {
+ scopedGrantedPerms = append(scopedGrantedPerms, grantedPerms[i])
+ }
+ }
+ return scopedGrantedPerms
+}
From 25212a210038ad974b319c817a0255df085601b2 Mon Sep 17 00:00:00 2001 From: Thorsten Klein Date: Mon, 16 Oct 2023 18:11:15 +0200 Subject: [PATCH 3/3] typo
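Review bot: GetAppScopedPermissions is exported and now called from two controllers but has no doc comment; add `// GetAppScopedPermissions returns the permissions granted in app.Spec whose ServiceName matches a container, job or service declared at the top level of appSpec; grants addressed to nested Acorns/services are dropped. The result is never nil.` The loop `for i, p := range grantedPerms` appends `grantedPerms[i]` although `p` is that same value, so `scopedGrantedPerms = append(scopedGrantedPerms, p)` reads more directly and lets `i` go. Keep the `[]v1.Permissions{}` initializer rather than a nil slice: the value is stored into Status, and if the field is not omitempty the empty-vs-null JSON difference is visible to API readers. `maps.Keys` is used as a slice here, which points at the x/exp package; the stdlib `maps.Keys` (Go 1.23) returns an iterator, so the three `append(... maps.Keys(...)...)` lines would need `slices.Collect` if that import is ever switched. The same lines are touched again by the rename hunk in the following patch.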
Signed-off-by: Thorsten Klein
---
 pkg/controller/permissions/permissions_check.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/controller/permissions/permissions_check.go b/pkg/controller/permissions/permissions_check.go
index a91679bec..54cee0b17 100644
--- a/pkg/controller/permissions/permissions_check.go
+++ b/pkg/controller/permissions/permissions_check.go
@@ -164,15 +164,15 @@ func CheckPermissions(req router.Request, _ router.Response) error {

 func GetAppScopedPermissions(app *v1.AppInstance, appSpec *v1.AppSpec) []v1.Permissions {
 // ServiceNames of the current app level (i.e. not nested Acorns/Services)
- scvnames := maps.Keys(appSpec.Containers)
- scvnames = append(scvnames, maps.Keys(appSpec.Jobs)...)
- scvnames = append(scvnames, maps.Keys(appSpec.Services)...)
+ svcnames := maps.Keys(appSpec.Containers)
+ svcnames = append(svcnames, maps.Keys(appSpec.Jobs)...)
+ svcnames = append(svcnames, maps.Keys(appSpec.Services)...)

 // Only consider the scope of the current app level (i.e. not nested Acorns/Services)
 grantedPerms := app.Spec.GetGrantedPermissions()
 scopedGrantedPerms := []v1.Permissions{}
 for i, p := range grantedPerms {
- if slices.Contains(scvnames, p.ServiceName) {
+ if slices.Contains(svcnames, p.ServiceName) {
 scopedGrantedPerms = append(scopedGrantedPerms, grantedPerms[i])
 }
 }