[OCPBUGS-33378] Builds TestWebhook failed on step testing unauthenticated forbidden on upgrade

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: 4.16.0
Affects Version/s: 4.16
Component/s: Build
Labels:
None

Severity:
Important
Regression:
No
Story Points:
2
Sprint:
Builds Sprint #3
sprint_count:
1
Release Blocker:
Proposed
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Previously, clusters that updated from earlier versions to 4.16 continued to allow builds to be triggered by unauthenticated webhooks. With this release, new clusters require build webhooks to be authenticated. Builds are not triggered by unauthenticated webhooks unless a cluster admin allows unauthenticated wehbooks in the namespace or cluster.

Show
Previously, clusters that updated from earlier versions to 4.16 continued to allow builds to be triggered by unauthenticated webhooks. With this release, new clusters require build webhooks to be authenticated. Builds are not triggered by unauthenticated webhooks unless a cluster admin allows unauthenticated wehbooks in the namespace or cluster.
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.16.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

During jobs that upgrade to 4.16 from 4.15, the testing of unauthenticated build webhook invocation fails (I suspect due to the existing rolebindings from 4.15 surviving the upgrade).

[sig-builds][Feature:Builds][webhook] TestWebhook [apigroup:build.openshift.io][apigroup:image.openshift.io] [Suite:openshift/conformance/parallel] 
.
.
.
    STEP: testing unauthenticated forbidden webhooks @ 05/07/24 20:03:20.024
    STEP: executing the webhook to get the build object @ 05/07/24 20:03:20.024
    [FAILED] in [It] - github.com/openshift/origin/test/extended/builds/webhook.go:36 @ 05/07/24 20:03:20.148

blocks

AUTH-509 Investigate reducing permissions for unauthenticated users for apiserver access

Release Pending

OCPBUGS-33041 Anonymous Users Cannot Trigger BuildConfig Webhooks

Closed

is cloned by

TRT-1656 Payloads Blocked on TestWebhook test failure

Closed

links to

openshift/origin#28783: OCPBUGS-33378: Verify Build Webhooks on Upgrade

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

Errata Tool added a comment - 2024/06/27 11:47 AM

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (Critical: OpenShift Container Platform 4.16.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:0041

Errata Tool added a comment - 2024/06/27 11:47 AM Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (Critical: OpenShift Container Platform 4.16.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:0041

OpenShift Jira Bot added a comment - 2024/05/11 3:47 PM

Hi adkaplan@redhat.com,

Bugs should not be moved to Verified without first providing a Release Note Type("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.

OpenShift Jira Bot added a comment - 2024/05/11 3:47 PM Hi adkaplan@redhat.com , Bugs should not be moved to Verified without first providing a Release Note Type("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.

Devan Goodwin added a comment - 2024/05/08 11:27 AM

Blocking payloads, elevating priority.

Devan Goodwin added a comment - 2024/05/08 11:27 AM Blocking payloads, elevating priority.

Adam Kaplan added a comment - 2024/05/08 3:53 AM

(I suspect due to the existing rolebindings from 4.15 surviving the upgrade).

That would be my assumption - in which case this is not a test framework bug. This is a fundamental issue with the underlying feature (~~AUTH-509~~). In its current state, we have no reliable, observable mechanism to determine if inbound build webhooks should require OpenShift auth tokens or not. "Inspect the bootstrap cluster roles" is not something that will scale across the thousands of clusters we manage.

At this point I am going to advocate that ~~AUTH-509~~ be reverted.

Adam Kaplan added a comment - 2024/05/08 3:53 AM (I suspect due to the existing rolebindings from 4.15 surviving the upgrade). That would be my assumption - in which case this is not a test framework bug. This is a fundamental issue with the underlying feature ( AUTH-509 ). In its current state, we have no reliable, observable mechanism to determine if inbound build webhooks should require OpenShift auth tokens or not. "Inspect the bootstrap cluster roles" is not something that will scale across the thousands of clusters we manage. At this point I am going to advocate that AUTH-509 be reverted.

Assignee:: Adam Kaplan

Reporter:: Luis Sanchez

QA Contact:: Sayan Biswas

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2024/05/08 1:35 AM

Updated:: 2024/06/27 11:47 AM

Resolved:: 2024/06/27 11:47 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Errata Tool added a comment - 2024/06/27 11:47 AM

Expand comment: Errata Tool added a comment - 2024/06/27 11:47 AM

Collapse comment: OpenShift Jira Bot added a comment - 2024/05/11 3:47 PM

Expand comment: OpenShift Jira Bot added a comment - 2024/05/11 3:47 PM

Collapse comment: Devan Goodwin added a comment - 2024/05/08 11:27 AM

Expand comment: Devan Goodwin added a comment - 2024/05/08 11:27 AM

Collapse comment: Adam Kaplan added a comment - 2024/05/08 3:53 AM

Expand comment: Adam Kaplan added a comment - 2024/05/08 3:53 AM

People

Dates