Reject NAB CR creation calls for orphaned Velero Backup objects #84

Open
shubham-pampattiwar opened this issue Sep 24, 2024 · 5 comments

@shubham-pampattiwar
Member

Scenario:

  • User creates NAB CR
  • Velero Backup gets created
  • User deletes NAB CR (via OC CLI)
  • Velero Backup remains orphaned in cluster without any NAB CR mapping
  • Now user creates another NAB CR with the same name (In the window of time where NAB-sync-controller does not get the chance to create the NAB CR in-cluster which was deleted by user)
  • The user created NAB CR should be blocked from creation

Solution approach:

  • Implement a Validating Admission Webhook to reject the NAB create call from the user using the data by setting the informer on Velero Backup objects.
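
An added example of the check proposed above (not part of the original issue and not code from the project): an index fed by Velero Backup informer events and consulted for each NAB create request. The label keys, type and function names are hypothetical, and Kubernetes objects are reduced to plain Go values so it runs without a cluster.

```go
package main

import (
	"fmt"
	"sync"
)

// Hypothetical label keys (assumption): the NAB a Velero Backup was created for.
const originNS, originName = "example.test/nab-origin-namespace", "example.test/nab-origin-name"

// BackupIndex is kept current by informer events on Velero Backup objects.
type BackupIndex struct {
	mu       sync.RWMutex
	byOrigin map[string]string // NAB "namespace/name" -> Velero Backup name
}

func NewBackupIndex() *BackupIndex { return &BackupIndex{byOrigin: map[string]string{}} }

// Observe handles an informer add/update (deleted=false) or delete (deleted=true).
func (i *BackupIndex) Observe(backupName string, labels map[string]string, deleted bool) {
	ns, name := labels[originNS], labels[originName]
	if ns == "" || name == "" {
		return // not created for a NAB, so it can never block one
	}
	i.mu.Lock()
	defer i.mu.Unlock()
	delete(i.byOrigin, ns+"/"+name)
	if !deleted {
		i.byOrigin[ns+"/"+name] = backupName
	}
}

// ValidateCreate decides a NAB CREATE request: a Velero Backup still mapped to
// that namespace/name was left behind by an earlier NAB, so the request is denied.
func (i *BackupIndex) ValidateCreate(namespace, name string) error {
	i.mu.RLock()
	defer i.mu.RUnlock()
	if vb, ok := i.byOrigin[namespace+"/"+name]; ok {
		return fmt.Errorf("NonAdminBackup %s/%s denied: orphaned Velero Backup %q exists", namespace, name, vb)
	}
	return nil
}

func main() {
	idx := NewBackupIndex()
	// Constructed sample labels, not taken from a real cluster.
	idx.Observe("vb-1", map[string]string{originNS: "team-a", originName: "nightly"}, false)
	fmt.Println(idx.ValidateCreate("team-a", "nightly"), idx.ValidateCreate("team-a", "weekly"))
}
```
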
@mpryc
Collaborator

mpryc commented Sep 24, 2024

Would it make sense to add the validation webhook in OADP rather than the non-admin part? This could allow such a webhook to reject NAB objects when the NAB controller is not installed in the cluster (something @shawn-hurley requested in the past).

@mateusoliveira43
Contributor

Issue origin #73 (review)

We are still waiting to check how Velero handles this case to apply the same solution, right?

@mpryc
Collaborator

mpryc commented Sep 24, 2024

My opinion is that we don't have to have the NonAdminBackup <-> Backup interaction be exactly the same as Velero Backup. The NonAdminBackup is a user-facing interface which we provide, so we should make it in a way that won't surprise users.

@mateusoliveira43
Contributor

Do not forget about the sync controller when implementing this

Discussion https://redhat-internal.slack.com/archives/C064QSN2YR3/p1728312889734609

@shubham-pampattiwar
Member Author

Summarizing the Slack discussion thread:
In the scenario described in the issue, if the actor/user is the NAB sync controller, then in that case we want the NAB create request to bypass the Validating Admission Webhook. So in order to do that we need a way to identify whether the create NAB object request is from the user or the NAB sync controller. The proposed solution here is that we rely on 2 things:
