rancher: [BUG] Steve does not pass through the warning HTTP response header for Pod creation requests

To support PSAs (Pod Security Admission) in the UI, we want to be able to show the warnings when a pod is created that violates a policy (when the policy is set to warn). The warning in this case is returned in the HTTP response Warning header.

For example, using kubectl with verbose request logging:

I1026 10:17:33.559293   68477 request.go:1154] Request Body: {"apiVersion":"v1","kind":"Pod","metadata":{"name":"nginx","namespace":"test"},"spec":{"containers":[{"image":"nginx","name":"nginx","ports":[{"containerPort":80}]}]}}
I1026 10:17:33.559567   68477 round_trippers.go:463] POST https://127.0.0.1:42239/api/v1/namespaces/test/pods?fieldManager=kubectl-create&fieldValidation=Strict
I1026 10:17:33.559595   68477 round_trippers.go:469] Request Headers:
I1026 10:17:33.559610   68477 round_trippers.go:473]     Accept: application/json
I1026 10:17:33.559694   68477 round_trippers.go:473]     Content-Type: application/json
I1026 10:17:33.559715   68477 round_trippers.go:473]     User-Agent: kubectl/v1.25.3 (linux/amd64) kubernetes/434bfd8
I1026 10:17:33.569440   68477 round_trippers.go:574] Response Status: 201 Created in 9 milliseconds
I1026 10:17:33.569608   68477 round_trippers.go:577] Response Headers:
I1026 10:17:33.569812   68477 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: 44a18f9b-30fb-4b1e-903a-2aeaf0766cf2
I1026 10:17:33.569897   68477 round_trippers.go:580]     Content-Length: 2064
I1026 10:17:33.569968   68477 round_trippers.go:580]     Date: Wed, 26 Oct 2022 10:17:33 GMT
I1026 10:17:33.570032   68477 round_trippers.go:580]     Audit-Id: 5df0e610-a410-46c2-87bf-4138f4ff5699
I1026 10:17:33.570100   68477 round_trippers.go:580]     Cache-Control: no-cache, private
I1026 10:17:33.570145   68477 round_trippers.go:580]     Content-Type: application/json
I1026 10:17:33.570266   68477 round_trippers.go:580]     Warning: 299 - "would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"nginx\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"nginx\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"nginx\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"nginx\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
I1026 10:17:33.570332   68477 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 1169dc7f-5866-4db7-bbb2-83411fb968a1
I1026 10:17:33.570641   68477 request.go:1154] Response Body: {"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx","namespace":"test","uid":"4bdacd71-2a1f-4a34-90c6-51bba51fde33","resourceVersion":"23369","creationTimestamp":"2022-10-26T10:17:33Z","managedFields":[{"manager":"kubectl-create","operation":"Update","apiVersion":"v1","time":"2022-10-26T10:17:33Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:containers":{"k:{\"name\":\"nginx\"}":{".":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":80,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:enableServiceLinks":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}]},"spec":{"volumes":[{"name":"kube-api-access-4kqfk","projected":{"sources":[{"serviceAccountToken":{"expirationSeconds":3607,"path":"token"}},{"configMap":{"name":"kube-root-ca.crt","items":[{"key":"ca.crt","path":"ca.crt"}]}},{"dow [truncated 1040 chars]
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

When we use the Steve API to create a pod by POSTing to /v1/pods, we do not get the warning header returned in the response.

The warning header needs to be passed through the Steve requests.
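As an added illustration (this is not Steve's code and not part of the issue), the Go program below models the pass-through the report asks for: a fake apiserver answers a pod create with 201 and the PodSecurity warning quoted above, a hypothetical proxy in front of it copies every Warning value onto its own response instead of dropping it, and a small parser splits the RFC 7234 `<code> <agent> "<text>"` form so a UI can display the text. The server addresses, the /v1/pods path handling and the helper names (copyWarnings, ParseWarnings, CreateThroughProxy) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample: the Warning value kube-apiserver returned in the kubectl trace above,
// shortened to one clause. Kubernetes always uses warn-code 299 and warn-agent "-".
const sampleWarning = `299 - "would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"nginx\" must set securityContext.allowPrivilegeEscalation=false)"`

// Warning is one parsed RFC 7234 Warning header value: <code> <agent> "<text>".
type Warning struct {
	Code  int
	Agent string
	Text  string
}

// warn-text is a quoted-string, so \" and \\ inside it are escapes.
var warningRe = regexp.MustCompile(`^(\d{3})\s+(\S+)\s+"((?:[^"\\]|\\.)*)"`)

// ParseWarnings parses every Warning value on h; malformed values are skipped, not fatal.
func ParseWarnings(h http.Header) []Warning {
	var out []Warning
	for _, v := range h.Values("Warning") {
		m := warningRe.FindStringSubmatch(v)
		if m == nil {
			continue
		}
		code, _ := strconv.Atoi(m[1])
		text := strings.NewReplacer(`\"`, `"`, `\\`, `\`).Replace(m[3])
		out = append(out, Warning{Code: code, Agent: m[2], Text: text})
	}
	return out
}

// copyWarnings appends every upstream Warning value to dst and returns how many were copied.
// The header is multi-valued (one value per admission warning), so Add is used rather than
// Set, which would silently keep only the last one.
func copyWarnings(dst, upstream http.Header) int {
	vals := upstream.Values("Warning")
	for _, v := range vals {
		dst.Add("Warning", v)
	}
	return len(vals)
}

// newFakeAPIServer stands in for kube-apiserver: it accepts the create and attaches the warning.
func newFakeAPIServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Header().Add("Warning", sampleWarning)
		w.WriteHeader(http.StatusCreated)
		io.WriteString(w, `{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx","namespace":"test"}}`)
	}))
}

// proxyHandler forwards the request upstream and writes the upstream status, body and
// Warning headers back to the caller. Hypothetical proxy for illustration, not Steve.
func proxyHandler(upstreamURL string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, err := http.NewRequestWithContext(r.Context(), r.Method, upstreamURL+r.URL.Path, r.Body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		req.Header.Set("Content-Type", r.Header.Get("Content-Type"))
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.Header().Set("Content-Type", resp.Header.Get("Content-Type"))
		copyWarnings(w.Header(), resp.Header) // the step the bug report says is missing
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// CreateThroughProxy POSTs one pod through the proxy to the fake apiserver and returns the
// status and parsed warnings exactly as a UI client would observe them.
func CreateThroughProxy() (int, []Warning) {
	api := newFakeAPIServer()
	defer api.Close()
	proxy := httptest.NewServer(proxyHandler(api.URL))
	defer proxy.Close()

	body := strings.NewReader(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"nginx","namespace":"test"},"spec":{"containers":[{"image":"nginx","name":"nginx"}]}}`)
	resp, err := http.Post(proxy.URL+"/v1/pods", "application/json", body)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	return resp.StatusCode, ParseWarnings(resp.Header)
}

func main() {
	status, warnings := CreateThroughProxy()
	fmt.Println("status:", status)
	for _, w := range warnings {
		fmt.Printf("warning %d from %q: %s\n", w.Code, w.Agent, w.Text)
	}
}
```

The detail worth checking in any proxy fix is the Add-versus-Set distinction in copyWarnings: a pod that violates several PodSecurity checks can come back with more than one Warning value, and a proxy that sets a single value loses all but the last.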

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 29 (20 by maintainers)

Most upvoted comments

Also, I think that version is one commit before steve was updated in rancher. The latest should have the updated steve in it.

When you first create the pod, add the port. Not sure you can modify it on the fly.