Allow storage migration of CTB without attest authorization

Signed-off-by: Monis Khan <mok@microsoft.com>
2025-07-24 04:06:03 +00:00 · 2023-09-20 12:26:11 -04:00 · 2023-09-20 12:26:11 -04:00 · e00551fe5d
commit e00551fe5d
parent 7dcb412675
2 changed files with 53 additions and 0 deletions
--- a/plugin/pkg/admission/certificates/ctbattest/admission.go
+++ b/plugin/pkg/admission/certificates/ctbattest/admission.go
@ -27,7 +27,9 @@ import (
 	"k8s.io/component-base/featuregate"
 	"k8s.io/klog/v2"
 	api "k8s.io/kubernetes/pkg/apis/certificates"
+	kapihelper "k8s.io/kubernetes/pkg/apis/core/helper"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/registry/rbac"
 	"k8s.io/kubernetes/plugin/pkg/admission/certificates"
 )

@ -109,6 +111,11 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, _ admissi
 		return nil
 	}

+	// Skip the attest check when the semantics of the bundle are unchanged to support storage migration and GC workflows
+	if a.GetOperation() == admission.Update && rbac.IsOnlyMutatingGCFields(a.GetObject(), a.GetOldObject(), kapihelper.Semantic) {
+		return nil
+	}
+
 	if !certificates.IsAuthorizedForSignerName(ctx, p.authz, a.GetUserInfo(), "attest", newBundle.Spec.SignerName) {
 		klog.V(4).Infof("user not permitted to attest ClusterTrustBundle %q with signerName %q", newBundle.Name, newBundle.Spec.SignerName)
 		return admission.NewForbidden(a, fmt.Errorf("user not permitted to attest for signerName %q", newBundle.Spec.SignerName))
--- a/plugin/pkg/admission/certificates/ctbattest/admission_test.go
+++ b/plugin/pkg/admission/certificates/ctbattest/admission_test.go
@ -22,6 +22,7 @@ import (
 	"fmt"
 	"testing"

+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
@ -206,6 +207,51 @@ func TestPluginValidate(t *testing.T) {
 			},
 			allowed: false,
 		},
+		{
+			description:                      "should always allow no-op update",
+			clusterTrustBundleFeatureEnabled: true,
+			authzErr:                         errors.New("broken"),
+			attributes: &testAttributes{
+				resource: certificatesapi.Resource("clustertrustbundles"),
+				oldObj: &certificatesapi.ClusterTrustBundle{
+					Spec: certificatesapi.ClusterTrustBundleSpec{
+						SignerName: "panda.com/foo",
+					},
+				},
+				obj: &certificatesapi.ClusterTrustBundle{
+					Spec: certificatesapi.ClusterTrustBundleSpec{
+						SignerName: "panda.com/foo",
+					},
+				},
+				operation: admission.Update,
+			},
+			allowed: true,
+		},
+		{
+			description:                      "should always allow finalizer update",
+			clusterTrustBundleFeatureEnabled: true,
+			authzErr:                         errors.New("broken"),
+			attributes: &testAttributes{
+				resource: certificatesapi.Resource("clustertrustbundles"),
+				oldObj: &certificatesapi.ClusterTrustBundle{
+					Spec: certificatesapi.ClusterTrustBundleSpec{
+						SignerName: "panda.com/foo",
+					},
+				},
+				obj: &certificatesapi.ClusterTrustBundle{
+					ObjectMeta: metav1.ObjectMeta{
+						OwnerReferences: []metav1.OwnerReference{
+							{APIVersion: "something"},
+						},
+					},
+					Spec: certificatesapi.ClusterTrustBundleSpec{
+						SignerName: "panda.com/foo",
+					},
+				},
+				operation: admission.Update,
+			},
+			allowed: true,
+		},
 	}

 	for _, tc := range tests {