Lockdown /tekton/step folders to their own steps. #4352
Conversation
tekton-robot
added
release-note
tekton-robot
added
the
size/XL
wlynch
changed the title
wlynch
force-pushed
the
step-isolation
branch
from
d7821cc
to
808897a
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
wlynch
force-pushed
the
step-isolation
branch
from
808897a
to
24a646b
Compare
|
The following is the coverage report on the affected files.
|
wlynch
force-pushed
the
step-isolation
branch
from
24a646b
to
cd4de82
Compare
|
The following is the coverage report on the affected files.
|
|
/test pull-tekton-pipeline-alpha-integration-tests |
docs/developers/README.md
Outdated
| ### `/tekton/steps` | ||
|
|
||
| `/tekton/steps` contains Step information that is intended to be used by user | ||
| steps (and is therefore covered by the Tekton API compatibility policy). |
There was a problem hiding this comment.
I'm wondering:
- intended to be used by user steps in what way?
- this is currently not included in our compat policy, maybe we need to update it - our compatibility policy currently mentions "the structure of the directories created in executing containers by Tekton" (https://github.com/tektoncd/pipeline/blob/main/api_compatibility_policy.md#what-is-the-api) and links to https://github.com/tektoncd/pipeline/blob/main/docs/tasks.md#reserved-directories which indicates everything other than /workspace and /tekton/results is considered an implementation detail
There was a problem hiding this comment.
i think im generally not understanding why we want both steps and run to exist - i think i understand that "steps" is intended to be used by the contents of the steps themselves (the user specified steps) but i dont understand why - and also if run is readonly anyway (except for the current step) im not sure why we need the 2 dirs
There was a problem hiding this comment.
We have conflicting documentation -
pipeline/docs/developers/README.md
Lines 195 to 200 in 5dcd434
If it's not in scope, I'm more than happy to remove the /steps directory altogether. :D The symlink shenanigans are purely to preserve the /tekton/steps file structure for backwards compatibility.
There was a problem hiding this comment.
/cc @pritidesai who wrote the original documentation in 92746a2
There was a problem hiding this comment.
ah yikes! some scope creep but if we could fix this so that we are only attempting to list the folders in the compat policy in one place that would be ideal 🙏 (pretty good chance adding 2 sources was my doing...)
Looking at TEP-0040 and the origin of the change, it's not clear to me if that folder needs to be part of the API spec or not (https://github.com/tektoncd/community/blob/main/teps/0040-ignore-step-errors.md#proposal), since we provide $(steps.<step-name>.exitCode.path) that does give us some freedom to potentially change the location of the directory. The TEP even says:
If you would like to use the tekton internal path, you can access the exit code by reading the file (it is not recommended though)
i.e. the path is referred to as "internal" several times in the TEP
so basically I have mixed feelings - if @pritidesai and/or others feel strongly the path should remain part of our API, no objections from me - but if possible I'd rather consider that an implementation detail and reply on variable replacement insteaed
There was a problem hiding this comment.
thanks @wlynch and @bobcatfish for bringing my attention to this!
TEP-0040 proposed using the path variable $(steps.<step-name>.exitCode.path) and avoid using the tekton internal path.
At the same time, we had a vision of having the debug feature utilizing the /steps directory structure (not yet implemented) and the symlinks will make it easier to invoke the debug scripts.
tektoncd/community#463 (comment)
Just based on TEP-0040, I would avoid specifying it as covered by the Tekton API compatibility policy.
There was a problem hiding this comment.
SGTM! I'll make these changes in another PR so it's clear why we're making the change.
There was a problem hiding this comment.
Done in #4395. To limit the scope of this PR, I'm keeping the /tekton/steps folder (since I'm not sure what else is depending on it and how intrusive of a change it would be to remove). We can look into removing this in another PR.
There was a problem hiding this comment.
Tiny nit to close the loop here: remove the remaining parenthetical in this commit describing /tekton/steps as covered ("and is therefore covered by the Tekton API compatibility policy").
|
Part of #4227 |
wlynch
force-pushed
the
step-isolation
branch
from
cd4de82
to
8267dd1
Compare
|
The following is the coverage report on the affected files.
|
tekton-robot
added
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
Previously the developer docs listed that /tekton/steps was in scope for the API compatibility policy, where-as the [user docs](docs/tasks.md#reserved-directories) did not say it was in scope. After discussion in [PR tektoncd#4352](tektoncd#4352 (comment)), we have come to agreement that this is **not** in scope. While this change in itself is not a breaking change, this opens the door for breaking changes (such as tektoncd#4352). Our stance is that users should use the [`$(steps.step-<step-name>.exitCode.path)` syntax](docs/tasks.md#accessing-steps-exitcode-in-subsequent-steps) to avoid breaking changes.
Previously the developer docs listed that /tekton/steps was in scope for the API compatibility policy, where-as the [user docs](https://github.com/tektoncd/pipeline/blob/aceb5880f009884be14f9a7409f428cc84157a75/docs/tasks.md#reserved-directories) did not say it was in scope. After discussion in [PR tektoncd#4352](tektoncd#4352 (comment)), we have come to agreement that this is **not** in scope. While this change in itself is not a breaking change, this opens the door for breaking changes (such as tektoncd#4352). Our stance is that users should use the [`$(steps.step-<step-name>.exitCode.path)` syntax](https://github.com/tektoncd/pipeline/blob/aceb5880f009884be14f9a7409f428cc84157a75/docs/tasks.md#accessing-steps-exitcode-in-subsequent-steps) to avoid breaking changes.
Previously the developer docs listed that /tekton/steps was in scope for the API compatibility policy, where-as the [user docs](https://github.com/tektoncd/pipeline/blob/aceb5880f009884be14f9a7409f428cc84157a75/docs/tasks.md#reserved-directories) did not say it was in scope. After discussion in [PR #4352](#4352 (comment)), we have come to agreement that this is **not** in scope. While this change in itself is not a breaking change, this opens the door for breaking changes (such as #4352). Our stance is that users should use the [`$(steps.step-<step-name>.exitCode.path)` syntax](https://github.com/tektoncd/pipeline/blob/aceb5880f009884be14f9a7409f428cc84157a75/docs/tasks.md#accessing-steps-exitcode-in-subsequent-steps) to avoid breaking changes.
There was a problem hiding this comment.
Thank you for this! It's great to see security oriented patches to the core bits of Tekton!
This will need a rebase (because of the a document change 😅 ) - so perhaps you could add one more unit tests to step_init to cover the new functionality added there to create the root folder.
Otherwise this looks good to me
| @@ -45,8 +45,7 @@ var ( | |||
| breakpointOnFailure = flag.Bool("breakpoint_on_failure", false, "If specified, expect steps to not skip on failure") | |||
| onError = flag.String("on_error", "", "Set to \"continue\" to ignore an error and continue when a container terminates with a non-zero exit code."+ | |||
| " Set to \"stopAndFail\" to declare a failure with a step error and stop executing the rest of the steps.") | |||
| stepMetadataDir = flag.String("step_metadata_dir", "", "If specified, create directory to store the step metadata e.g. /tekton/steps/<step-name>/") | |||
| stepMetadataDirLink = flag.String("step_metadata_dir_link", "", "creates a symbolic link to the specified step_metadata_dir e.g. /tekton/steps/<step-index>/") | |||
| stepMetadataDir = flag.String("step_metadata_dir", "", "If specified, create directory to store the step metadata e.g. /tekton/steps/<step-name>/") | |||
There was a problem hiding this comment.
NIT: it looks like the "=" lost its alignment?
There was a problem hiding this comment.
🤷 gofmt is doing this, so I'm not going to fight it. My guess is the string concat above is resetting the alignment, and stepMetadataDirLink just happened to be the right length to align this block with the flags above.
|
|
||
| // Create directory if it doesn't already exist | ||
| if err := os.MkdirAll(filepath.Dir(file), os.ModePerm); err != nil { | ||
| log.Fatalf("Error creating parent directory of %q: %v", file, err) | ||
| } | ||
|
|
There was a problem hiding this comment.
Could you add tests for this new behaviour?
I tried removing this and unit tests in cmd/entrypoint/post_writer_test.go still work fine.
wlynch
force-pushed
the
step-isolation
branch
from
8267dd1
to
95cd6c4
Compare
tekton-robot
removed
the
needs-rebase
|
The following is the coverage report on the affected files.
|
wlynch
force-pushed
the
step-isolation
branch
from
74f0fce
to
342dff6
Compare
|
The following is the coverage report on the affected files.
|
wlynch
force-pushed
the
step-isolation
branch
from
342dff6
to
af7caed
Compare
|
The following is the coverage report on the affected files.
|
ghost
mentioned this pull request
|
/test check-pr-has-kind-label |
docs/developers/README.md
Outdated
| ### `/tekton/steps` | ||
|
|
||
| `/tekton/steps` contains Step information that is intended to be used by user | ||
| steps (and is therefore covered by the Tekton API compatibility policy). |
There was a problem hiding this comment.
Tiny nit to close the loop here: remove the remaining parenthetical in this commit describing /tekton/steps as covered ("and is therefore covered by the Tekton API compatibility policy").
This change symlinks /tekton/step folders to a step's corresponding /tekton/run folder. This is an incremental change to lock down the /tekton folder to prevent tampering of exitCode files from other steps. Note: this does not completely protect against a step from tampering from its own output - more work will needed in a future PR to fully lock this down, but this is a step in the right direction (and a complete fix will likely require a more involved design). While /tekton/steps is now considered an implementation detail and could potentially be removed, the folder is preserved for now to limit the scope of this PR. - Moves `exitCode` output to `/tekton/run/<step #>/status` - Symlinks `/tekton/steps/<step #>` and `/tekton/steps/<step name>` to `/tekton/run/<step #>/status`. - Creates new `tekton-init` entrypoint subcommand to initialize the Tekton step directory. - Removes `-step_metadata_dir_link` flag from the main entrypoint binary (this behavior is now handled by the initcontainer). Co-authored-by: Lee Bernick <leebernick@google.com>
wlynch
force-pushed
the
step-isolation
branch
from
af7caed
to
e9ea7ec
Compare
|
The following is the coverage report on the affected files.
|
|
/lgtm |
|
/remove-kind cleanup |
tekton-robot
removed
the
kind/cleanup
|
/kind feature |
tekton-robot
added
the
kind/feature
dlorenc
removed
the
kind/feature
|
/kind feature |
tekton-robot
added
the
kind/feature
|
/test pull-tekton-pipeline-alpha-integration-tests |
Changes
This change symlinks /tekton/step folders to a step's corresponding /tekton/run folder.
This is an incremental change to lock down the /tekton folder to prevent tampering
of exitCode files from other steps.
Note: this does not completely protect against a step from tampering from its own
output - more work will needed in a future PR to fully lock this down, but this
is a step in the right direction (and a complete fix will likely require a more
involved design).
exitCodeoutput to/tekton/run/<step #>/status/tekton/steps/<step #>and/tekton/steps/<step name>to/tekton/run/<step #>/status.tekton-initentrypoint subcommand to initialize theTekton step directory.
-step_metadata_dir_linkflag from the main entrypoint binary(this behavior is now handled by the initcontainer).
Co-authored-by: Lee Bernick leebernick@google.com
/kind cleanup
Things to bikeshed:
/tekton/run/0/statusas the run directory name for user facing data?Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes