Gate

[davidhadas]

This PR finalizes the guard-gate

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davidhadas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [davidhadas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

Merging #57 (68080b9) into main (11ee095) will increase coverage by 2.10%.
The diff coverage is 84.46%.

❗ Current head 68080b9 differs from pull request most recent head 098db68. Consider uploading reports for the commit 098db68 to get more accurate results

@@            Coverage Diff             @@
##             main      #57      +/-   ##
==========================================
+ Coverage   79.03%   81.13%   +2.10%     
==========================================
  Files          32       35       +3     
  Lines        2599     2931     +332     
==========================================
+ Hits         2054     2378     +324     
  Misses        433      433              
- Partials      112      120       +8     

Impacted Files	Coverage Δ
cmd/guard-service/services.go	87.50% <0.00%> (+4.16%)	⬆️
pkg/guard-gate/client.go	66.97% <33.33%> (-0.31%)	⬇️
cmd/guard-service/main.go	72.03% <70.45%> (+72.03%)	⬆️
pkg/guard-gate/gate.go	88.54% <88.54%> (ø)
pkg/guard-gate/session.go	93.26% <93.26%> (ø)
pkg/guard-gate/state.go	94.00% <100.00%> (ø)
pkg/guard-utils/santize.go	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[davidhadas]

/retest all

[knative-prow]

@davidhadas: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

• /test build-tests
• /test integration-tests
• /test unit-tests

Use /test all to run all jobs.

In response to this:

/retest all

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[davidhadas]

/test all

[davidhadas]

/hold
update #58 first to make this PR simpler

[davidhadas]

/unhold

[psschwei]

ideally we could pick this dynamically rather than having to hardcore (and have to remember to update on each release)... pretty sure we do this elsewhere in knative, let me find an example...

[davidhadas]

It seems for executables there is a way todo that using ldflags - from outside during the build of a new release
go build -ldflags="-X 'main.Version=v1.0.0'"

I don't know for packages - or if it makes sense.

[psschwei]

Think I was thinking of a combination of knative/pkg#2548 and knative-extensions/kn-plugin-quickstart#327

Still wonder if there's a better way to get this info (maybe similar to what we do in serving to add the version as a label), but it isn't blocking

[psschwei]

Are the various "Log entries created from user input" warnings something we should address?

[psschwei]

Need to double-check that this doesn't overwrite the existing config-deployment... might be better to just have the setup-guard-service script patch the existing configmap with the current QP image...

[davidhadas]

I tested by adding a test: boom parameter to config.deployment - this parameter remains when doing security-guard ko apply -Rf ./config while the image changes - note that the _example is removed after such a change.

after ko apply -Rf config/core at serving

data:
  _example: |-
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    ...
    # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE
    concurrency-state-endpoint: ""
  queueSidecarImage: us.icr.io/knat/queue-39be6f1d08a095bd076a71d288d295b6@sha256:086b8a7d8bc2104672609a1918274f2e4b075076f52c0fbbc4c3f044b64eb5fe
  test: boom

after ko apply -Rf ./config at security-guard

data:
  queue-sidecar-image: us.icr.io/knat/queue-958f2fa0da7e00e1e412a537ecf9d1cc@sha256:021e6438111346ea5d5aff064d6c3ad2cea6c3a92cc7e7708f644f8a1fc34a1e
  test: boom

[psschwei]

Think I was thinking of a combination of knative/pkg#2548 and knative-extensions/kn-plugin-quickstart#327

Still wonder if there's a better way to get this info (maybe similar to what we do in serving to add the version as a label), but it isn't blocking

[davidhadas]

Are the various "Log entries created from user input" warnings something we should address?

This seems like a false positive - the data is sanitized in place, maybe this is why the alert is issued.

[psschwei]

Are the various "Log entries created from user input" warnings something we should address?

This seems like a false positive - the data is sanitized in place, maybe this is why the alert is issued.

They aren't being triggered anymore after the most recent commits

[psschwei]

/lgtm