Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package polaris for openSUSE:Factory checked in at 2023-06-23 21:53:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/polaris (Old) and /work/SRC/openSUSE:Factory/.polaris.new.15902 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "polaris" Fri Jun 23 21:53:09 2023 rev:19 rq:1094827 version:8.2.4 Changes: -------- --- /work/SRC/openSUSE:Factory/polaris/polaris.changes 2023-06-22 23:26:44.794051334 +0200 +++ /work/SRC/openSUSE:Factory/.polaris.new.15902/polaris.changes 2023-06-23 21:53:17.242849690 +0200 @@ -1,0 +2,6 @@ +Fri Jun 23 07:12:40 UTC 2023 - ka...@b1-systems.de + +- Update to version 8.2.4: + * Fix nil pointer issue with webhook (#966) + +------------------------------------------------------------------- Old: ---- polaris-8.2.3.obscpio New: ---- polaris-8.2.4.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ polaris.spec ++++++ --- /var/tmp/diff_new_pack.Re6Fx3/_old 2023-06-23 21:53:18.162854962 +0200 +++ /var/tmp/diff_new_pack.Re6Fx3/_new 2023-06-23 21:53:18.166854985 +0200 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: polaris -Version: 8.2.3 +Version: 8.2.4 Release: 0 Summary: Validation of best practices in your Kubernetes clusters License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.Re6Fx3/_old 2023-06-23 21:53:18.198855168 +0200 +++ /var/tmp/diff_new_pack.Re6Fx3/_new 2023-06-23 21:53:18.202855191 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/FairwindsOps/polaris</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">8.2.3</param> + <param name="revision">8.2.4</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.Re6Fx3/_old 2023-06-23 21:53:18.218855283 +0200 +++ /var/tmp/diff_new_pack.Re6Fx3/_new 2023-06-23 21:53:18.222855306 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/FairwindsOps/polaris</param> - <param name="changesrevision">4b1d6635e06a52fbaf5d8e4746d94ec6b9313493</param></service></servicedata> + <param name="changesrevision">4ca4c8f0f536fd5055a9cfa65144bc306ddcbde2</param></service></servicedata> (No newline at EOF) ++++++ polaris-8.2.3.obscpio -> polaris-8.2.4.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/.circleci/config.yml new/polaris-8.2.4/.circleci/config.yml --- old/polaris-8.2.3/.circleci/config.yml 2023-06-21 18:25:44.000000000 +0200 +++ new/polaris-8.2.4/.circleci/config.yml 2023-06-22 19:22:19.000000000 +0200 @@ -114,6 +114,7 @@ executor: vm steps: - checkout + - *set_environment_variables - *install_k8s - *test_k8s @@ -161,8 +162,6 @@ only: /.*/ - build_and_push: context: org-global - requires: - - test filters: branches: ignore: /pull\/[0-9]+/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/cmd/polaris/webhook.go new/polaris-8.2.4/cmd/polaris/webhook.go --- old/polaris-8.2.3/cmd/polaris/webhook.go 2023-06-21 18:25:44.000000000 +0200 +++ new/polaris-8.2.4/cmd/polaris/webhook.go 2023-06-22 19:22:19.000000000 +0200 @@ -53,7 +53,8 @@ CertDir: certDir, Port: webhookPort, WebhookServer: webhook.NewServer(webhook.Options{ - CertDir: certDir, + CertDir: certDir, + Port: webhookPort, CertName: "tls.crt", KeyName: "tls.key", }), 
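Review bot: Dropping `requires: - test` from `build_and_push` means the image is built and pushed even when the `test` job fails, so the e2e webhook test no longer gates what gets published to the registry. If the intent is only to let the two jobs run in parallel, the job that promotes or tags a release should still list `test` in its `requires`; otherwise a build whose webhook tests failed becomes a pullable tag. The surrounding workflow definition starts outside the hunk, so I cannot see whether a later job restores that dependency.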
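Review bot: `Port: webhookPort` and `CertDir: certDir` are now set twice, once on the outer options literal and again inside `webhook.NewServer(webhook.Options{...})`, so the two copies can drift if one is edited later. In the controller-runtime releases that provide `webhook.NewServer`, the manager-level `Port` and `CertDir` fields are, as far as I recall, deprecated in favour of the `WebhookServer` options, so the outer pair could probably be dropped; worth confirming against the vendored version. The enclosing options literal starts before the hunk.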
@@ -74,10 +75,10 @@ } if enableValidations { - fwebhook.NewValidateWebhook(mgr, fwebhook.Validator{Config: config, Client: mgr.GetClient()}) + fwebhook.NewValidateWebhook(mgr, config) } if enableMutations { - fwebhook.NewMutateWebhook(mgr, fwebhook.Mutator{Config: config, Client: mgr.GetClient()}) + fwebhook.NewMutateWebhook(mgr, config) } logrus.Infof("Polaris webhook server listening on port %d", webhookPort) if err := mgr.Start(signals.SetupSignalHandler()); err != nil { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/pkg/kube/resources_test.go new/polaris-8.2.4/pkg/kube/resources_test.go --- old/polaris-8.2.3/pkg/kube/resources_test.go 2023-06-21 18:25:44.000000000 +0200 +++ new/polaris-8.2.4/pkg/kube/resources_test.go 2023-06-22 19:22:19.000000000 +0200 @@ -16,8 +16,8 @@ import ( "bytes" - "fmt" "context" + "fmt" "os" "testing" "time" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/pkg/webhook/mutate.go new/polaris-8.2.4/pkg/webhook/mutate.go --- old/polaris-8.2.3/pkg/webhook/mutate.go 2023-06-21 18:25:44.000000000 +0200 +++ new/polaris-8.2.4/pkg/webhook/mutate.go 2023-06-22 19:22:19.000000000 +0200 @@ -21,6 +21,7 @@ "github.com/fairwindsops/polaris/pkg/mutation" "github.com/sirupsen/logrus" "gomodules.xyz/jsonpatch/v2" + "k8s.io/apimachinery/pkg/runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/webhook" 
@@ -35,41 +36,66 @@ decoder *admission.Decoder } -var _ admission.Handler = &Mutator{} - // NewMutateWebhook creates a mutating admission webhook for the apiType. -func NewMutateWebhook(mgr manager.Manager, mutator Mutator) { +func NewMutateWebhook(mgr manager.Manager, c config.Configuration) { path := "/mutate" + mutator := Mutator{ + Client: mgr.GetClient(), + decoder: admission.NewDecoder(runtime.NewScheme()), + Config: c, + } mgr.GetWebhookServer().Register(path, &webhook.Admission{Handler: &mutator}) } func (m *Mutator) mutate(req admission.Request) ([]jsonpatch.Operation, error) { results, kubeResources, err := GetValidatedResults(req.AdmissionRequest.Kind.Kind, m.decoder, req, m.Config) if err != nil { + logrus.Errorf("Error while validating resource: %v", err) return nil, err } + if results == nil { + logrus.Infof("Not mutating owned pod") + return nil, nil + } patches := mutation.GetMutationsFromResult(results) originalYaml, err := yaml.JSONToYAML(kubeResources.OriginalObjectJSON) if err != nil { + logrus.Errorf("Failed to convert JSON to YAML: %v", err) return nil, err } mutatedYamlStr, err := mutation.ApplyAllMutations(string(originalYaml), patches) if err != nil { + logrus.Errorf("Failed to apply mutations: %v", err) + return nil, err + } + + mutatedJson, err := yaml.YAMLToJSON([]byte(mutatedYamlStr)) + if err != nil { + logrus.Errorf("Failed to convert YAML to JSON: %v", err) + return nil, err + } + + ops, err := jsonpatch.CreatePatch(kubeResources.OriginalObjectJSON, mutatedJson) + if err != nil { + logrus.Errorf("Failed to create patch from mutation: %v", err) return nil, err } - return jsonpatch.CreatePatch(originalYaml, []byte(mutatedYamlStr)) + return ops, nil } // Handle for Validator to run validation checks. 
func (m *Mutator) Handle(ctx context.Context, req admission.Request) admission.Response { - logrus.Info("Starting request") + logrus.Info("Starting mutation request") patches, err := m.mutate(req) if err != nil { + logrus.Errorf("Error while getting mutations: %v", err) return admission.Errored(403, err) } if patches == nil { + logrus.Infof("No patches generated") return admission.Allowed("Allowed") } + logrus.Infof("Generated %d patches", len(patches)) return admission.Patched("", patches...) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/pkg/webhook/webhook.go new/polaris-8.2.4/pkg/webhook/webhook.go --- old/polaris-8.2.3/pkg/webhook/webhook.go 2023-06-21 18:25:44.000000000 +0200 +++ new/polaris-8.2.4/pkg/webhook/webhook.go 2023-06-22 19:22:19.000000000 +0200 @@ -25,6 +25,7 @@ "github.com/sirupsen/logrus" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/webhook" @@ -38,19 +39,14 @@ Config config.Configuration } -// InjectDecoder injects the decoder. -func (v *Validator) InjectDecoder(d *admission.Decoder) error { - logrus.Info("Injecting decoder") - v.decoder = d - return nil -} - -var _ admission.Handler = &Validator{} - // NewValidateWebhook creates a validating admission webhook for the apiType. -func NewValidateWebhook(mgr manager.Manager, validator Validator) { +func NewValidateWebhook(mgr manager.Manager, c config.Configuration) { path := "/validate" - + validator := Validator{ + Client: mgr.GetClient(), + decoder: admission.NewDecoder(runtime.NewScheme()), + Config: c, + } mgr.GetWebhookServer().Register(path, &webhook.Admission{Handler: &validator}) } 
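Review bot: Every failure in `mutate` is now logged with `logrus.Errorf` and then returned, and `Handle` logs the same error again as "Error while getting mutations", so one failed admission produces two error lines for a single cause; log at one layer and return from the other. `admission.Errored(403, err)` hides the meaning of the status behind a literal, and a decode failure is arguably a 400 rather than a 403, so `http.StatusForbidden` (or `http.StatusBadRequest` for decode errors) would read better. The unchanged doc comment above `Handle` still says `// Handle for Validator to run validation checks.` although the receiver is `*Mutator`; `// Handle computes mutation patches for the admitted object and returns them as a JSON patch response.` describes what the method does. `admission.NewDecoder(runtime.NewScheme())` builds the decoder over an empty scheme, so decoding into a typed `corev1.Pod` relies on the JSON serializer falling back to plain unmarshal for unregistered types; a short comment stating that, or registering `corev1` into the scheme, would make the intent explicit.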
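Review bot: `NewValidateWebhook` and `NewMutateWebhook` now build the same `admission.NewDecoder(runtime.NewScheme())` and the same `Client: mgr.GetClient()` inline, so the decoder setup is duplicated across two files and any future change (registering types, for example) has to be made twice. A small unexported helper in this package, e.g. `func newDecoder() *admission.Decoder { return admission.NewDecoder(runtime.NewScheme()) }`, called from both constructors would keep them in step. Since `decoder` is unexported and only assigned here, a `Validator{}` built anywhere else still carries a nil decoder, which is exactly what the nil check in `GetValidatedResults` now guards; a doc comment on the `Validator` type saying instances must be created through `NewValidateWebhook` would make that constraint visible (the type declaration starts before the hunk).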
@@ -60,35 +56,40 @@ // GetValidatedResults returns the validated results. func GetValidatedResults(kind string, decoder *admission.Decoder, req admission.Request, config config.Configuration) (*validator.Result, kube.GenericResource, error) { - var controller kube.GenericResource + var resource kube.GenericResource var err error if kind == "Pod" { + if decoder == nil { + panic("Decoder is nil!") + } pod := corev1.Pod{} err := decoder.Decode(req, &pod) if err != nil { - return nil, controller, err + logrus.Errorf("Failed to decode pod: %v", err) + return nil, resource, err } if len(pod.ObjectMeta.OwnerReferences) > 0 { logrus.Infof("Allowing owned pod %s/%s to pass through webhook", pod.ObjectMeta.Namespace, pod.ObjectMeta.Name) - return nil, controller, nil + return nil, resource, nil } - controller, err = kube.NewGenericResourceFromPod(pod, pod) + resource, err = kube.NewGenericResourceFromPod(pod, pod) } else { - controller, err = kube.NewGenericResourceFromBytes(req.Object.Raw) + resource, err = kube.NewGenericResourceFromBytes(req.Object.Raw) } if err != nil { - return nil, controller, err + logrus.Errorf("Failed to create resource: %v", err) + return nil, resource, err } - controllerResult, err := validator.ApplyAllSchemaChecks(&config, nil, controller) + resourceResult, err := validator.ApplyAllSchemaChecks(&config, nil, resource) if err != nil { - return nil, controller, err + return nil, resource, err } - return &controllerResult, controller, nil + return &resourceResult, resource, nil } // Handle for Validator to run validation checks. 
func (v *Validator) Handle(ctx context.Context, req admission.Request) admission.Response { - logrus.Info("Starting request") + logrus.Info("Starting admission request") result, _, err := v.handleInternal(req) if err != nil { logrus.Errorf("Error validating request: %v", err) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/test/webhook_cases/failing_test.pod.yaml new/polaris-8.2.4/test/webhook_cases/failing_test.pod.yaml --- old/polaris-8.2.3/test/webhook_cases/failing_test.pod.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-8.2.4/test/webhook_cases/failing_test.pod.yaml 2023-06-22 19:22:19.000000000 +0200 @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-2 +spec: + containers: + - name: nginx + image: nginx:latest diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/test/webhook_cases/passing_test.deployment.yaml new/polaris-8.2.4/test/webhook_cases/passing_test.deployment.yaml --- old/polaris-8.2.3/test/webhook_cases/passing_test.deployment.yaml 2023-06-21 18:25:44.000000000 +0200 +++ new/polaris-8.2.4/test/webhook_cases/passing_test.deployment.yaml 2023-06-22 19:22:19.000000000 +0200 @@ -17,6 +17,7 @@ containers: - name: nginx image: nginx:1.7.9 + imagePullPolicy: IfNotPresent ports: - containerPort: 80 securityContext: @@ -26,4 +27,4 @@ runAsNonRoot: true capabilities: drop: - - ALL \ No newline at end of file + - ALL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/test/webhook_cases/passing_test.pod.yaml new/polaris-8.2.4/test/webhook_cases/passing_test.pod.yaml --- old/polaris-8.2.3/test/webhook_cases/passing_test.pod.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-8.2.4/test/webhook_cases/passing_test.pod.yaml 2023-06-22 19:22:19.000000000 +0200 
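Review bot: `panic("Decoder is nil!")` turns a misconfigured handler into a crash on the request path; a nil decoder is a programming error, but returning it as an ordinary error, e.g. `return nil, resource, errors.New("admission decoder is nil")`, keeps the webhook serving and surfaces the fault through the normal `admission.Errored` path, and whether the controller-runtime server recovers panics depends on its version and options, which I cannot see here. The decode and resource-construction errors are now logged here and then logged again by the callers' `Handle` methods, so each failure appears twice; pick one layer. The doc comment `// GetValidatedResults returns the validated results.` does not say that a pod with owner references yields a nil `*validator.Result` together with a nil error, which every caller must treat as "skip"; spell that out, e.g. `// A nil result with a nil error means the object was deliberately left unchecked (a pod owned by a controller); callers must not dereference it.` The body of `Handle` continues past the hunk.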
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-2 +spec: + containers: + - name: nginx + image: nginx:1.7.9 + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/test/webhook_cases/pod.yaml new/polaris-8.2.4/test/webhook_cases/pod.yaml --- old/polaris-8.2.3/test/webhook_cases/pod.yaml 2023-06-21 18:25:44.000000000 +0200 +++ new/polaris-8.2.4/test/webhook_cases/pod.yaml 1970-01-01 01:00:00.000000000 +0100 @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: nginx-2 -spec: - containers: - - name: nginx - image: nginx:latest diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-8.2.3/test/webhook_test.sh new/polaris-8.2.4/test/webhook_test.sh --- old/polaris-8.2.3/test/webhook_test.sh 2023-06-21 18:25:44.000000000 +0200 +++ new/polaris-8.2.4/test/webhook_test.sh 2023-06-22 19:22:19.000000000 +0200 @@ -60,7 +60,7 @@ echo "Uninstalling webhook and webhook config" kubectl delete validatingwebhookconfigurations polaris-webhook --wait=false || true kubectl delete validatingwebhookconfigurations polaris-validate-webhook --wait=false || true - kubectl delete validatingwebhookconfigurations polaris-mutate-webhook --wait=false || true + kubectl delete mutatingwebhookconfigurations polaris-mutate-webhook --wait=false || true kubectl -n polaris delete deploy -l app=polaris --wait=false || true echo -e "\n\nDone cleaning up\n\n" } 
@@ -82,11 +82,12 @@ echo "Installing a bad deployment" kubectl apply -n scale-test -f ./test/webhook_cases/failing_test.deployment.yaml -echo "Installing the webhook" +echo "Installing the webhook at version $CI_SHA1" helm repo add fairwinds-stable https://charts.fairwinds.com/stable helm install polaris fairwinds-stable/polaris --namespace polaris --create-namespace \ --set dashboard.enable=false \ --set webhook.enable=true \ + --set webhook.mutate=true \ --set image.tag=$CI_SHA1 echo "Waiting for the webhook to come online" @@ -105,6 +106,7 @@ if ! kubectl apply -n tests -f $filename; then ALL_TESTS_PASSED=0 echo -e "${RED}****Test Failed: Polaris prevented a resource with no configuration issues****${NC}" + kubectl logs -n polaris deploy/polaris-webhook else echo -e "${GREEN}****Test Passed: Polaris correctly allowed this resource****${NC}" fi @@ -118,7 +120,7 @@ if kubectl apply -n tests -f $filename; then ALL_TESTS_PASSED=0 echo -e "${RED}****Test Failed: Polaris should have prevented this resource due to configuration issues.****${NC}" - kubectl logs -n polaris $(kubectl get po -oname -n polaris | grep webhook) + kubectl logs -n polaris deploy/polaris-webhook else echo -e "${GREEN}****Test Passed: Polaris correctly prevented this resource****${NC}" fi ++++++ polaris.obsinfo ++++++ --- /var/tmp/diff_new_pack.Re6Fx3/_old 2023-06-23 21:53:18.518857002 +0200 +++ /var/tmp/diff_new_pack.Re6Fx3/_new 2023-06-23 21:53:18.522857025 +0200 @@ -1,5 +1,5 @@ name: polaris -version: 8.2.3 -mtime: 1687364744 -commit: 4b1d6635e06a52fbaf5d8e4746d94ec6b9313493 +version: 8.2.4 +mtime: 1687454539 +commit: 4ca4c8f0f536fd5055a9cfa65144bc306ddcbde2 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/polaris/vendor.tar.gz /work/SRC/openSUSE:Factory/.polaris.new.15902/vendor.tar.gz differ: char 5, line 1
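Review bot: The new echo interpolates `$CI_SHA1`, but nothing in the hunk checks that it is set, and the unquoted `--set image.tag=$CI_SHA1` below it would then install the chart's default image, so the run would exercise whatever tag the chart ships rather than the commit under test. A guard before the `helm install`, `: "${CI_SHA1:?CI_SHA1 must be set}"`, fails fast instead, and quoting the value, `--set "image.tag=$CI_SHA1"`, keeps a stray space from splitting the argument. The script's option handling and any `set -u` are outside the hunk, so an existing guard may already cover this.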