OCPBUGS-33041: Add RoleBinding for BuildConfig Webhooks

[adambkaplan]

Starting in OCP 4.16, the system:webhook ClusterRole will not be granted to anonymous users by default. This will break most systems that use BuildConfig webhooks to trigger builds, since many can't be add an OpenShift auth token to their HTTP headers (ex: GitHub). Only new installations will be impacted; upgrades to 4.16 will continue to support unauthenticated BuildConfig webhooks.

This test update verifies that BuildConfig webhooks can be triggered using a namespace-scoped RoleBinding for the system:unauthenticated group. RoleBindings are preferable to ClusterRoleBindings as they limit unauthenticated API calls to specific namespaces, reducing the potential attack surface.

Use of BuildConfig webhooks should be discouraged in favor of Pipelines as Code, which has more robust mechanisms for securing webhook calls from external systems. It also does not rely on an aggregated apiserver and associated RBAC.

[openshift-ci-robot]

@adambkaplan: This pull request references Jira Issue OCPBUGS-33041, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dpuniaredhat

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Starting in OCP 4.16, the system:webhook ClusterRole will not be granted to anonymous users by default. This will break most systems that use BuildConfig webhooks to trigger builds, since many can't be add an OpenShift auth token to their HTTP headers (ex: GitHub). Only new installations will be impacted; upgrades to 4.16 will continue to support unauthenticated BuildConfig webhooks.

This test update verifies that BuildConfig webhooks can be triggered using a namespace-scoped RoleBinding for the system:unauthenticated group. RoleBindings are preferable to ClusterRoleBindings as they limit unauthenticated API calls to specific namespaces, reducing the potential attack surface.

Use of BuildConfig webhooks should be discouraged in favor of Pipelines as Code, which has more robust mechanisms for securing webhook calls from external systems. It also does not rely on an aggregated apiserver and associated RBAC.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[adambkaplan]

/assign @ibihim

/cc @sanchezl

[openshift-trt-bot]

Job Failure Risk Analysis for sha: 4c03c56

Job Name

Failure Risk

pull-ci-openshift-origin-master-e2e-aws-ovn-single-node

High [sig-builds][Feature:Builds][webhook] TestWebhook [apigroup:build.openshift.io][apigroup:image.openshift.io] [Suite:openshift/conformance/parallel] This test has passed 100.00% of 48 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node'] in the last 14 days. --- [sig-network] can collect pod-to-host poller pod logs This test has passed 100.00% of 48 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node'] in the last 14 days. --- [sig-network] can collect host-to-host poller pod logs This test has passed 100.00% of 48 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node'] in the last 14 days.

[openshift-trt-bot]

Job Failure Risk Analysis for sha: cc972cf

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn-ipv6	High [sig-builds][Feature:Builds][webhook] TestWebhook [apigroup:build.openshift.io][apigroup:image.openshift.io] [Suite:openshift/conformance/parallel] This test has passed 100.00% of 22 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-metal-ipi-ovn-ipv6'] in the last 14 days.
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-serial	Low [sig-arch] events should not repeat pathologically for ns/openshift-etcd-operator This test has passed 50.00% of 50 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node-serial'] in the last 14 days.

[adambkaplan]

/assign @sayan-biswas

/cc @apoorvajagtap

[sanchezl]

/retest-required

[adambkaplan]

/test e2e-gcp-ovn-builds

Builds had a bad PAT token for private git repo testing. 🤞 it's fixed now.

[adambkaplan]

/retest

[adambkaplan]

/test e2e-gcp-ovn-builds

[sanchezl]

/test e2e-gcp-ovn-builds

[openshift-trt-bot]

Job Failure Risk Analysis for sha: 8507f77

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-upgrade	IncompleteTests Tests for this run (25) are below the historical average (2292): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

[openshift-trt-bot]

Job Failure Risk Analysis for sha: 0ae4678

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-upgrade	IncompleteTests Tests for this run (20) are below the historical average (2246): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

[sanchezl]

/lgtm

[sanchezl]

consider removing, this is the default

[sjenning]

/approve

[sanchezl]

/hold cancel

[sanchezl]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD ab28660 and 2 for PR HEAD ef7e238 in total

[sayan-biswas]

/retest-required

[openshift-trt-bot]

Job Failure Risk Analysis for sha: ef7e238

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn-ipv6	High [sig-builds][Feature:Builds][webhook] TestWebhook [apigroup:build.openshift.io][apigroup:image.openshift.io] [Suite:openshift/conformance/parallel] This test has passed 100.00% of 31 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-metal-ipi-ovn-ipv6'] in the last 14 days.

[stbenjam]

The transport needs Proxy: http.ProxyFromEnvironment. Some of our CI jobs (like metal) access the cluster through a proxy. If no proxy environment variables are set, this is a no-op.

[adambkaplan]

fixed!

[adambkaplan]

@stbenjam updated the transport to include the proxy configuration - PTAL.

[stbenjam]

/retest-required

[stbenjam]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, sanchezl, sayan-biswas, sjenning, stbenjam

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• test/extended/builds/OWNERS [sayan-biswas,stbenjam]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-trt-bot]

Job Failure Risk Analysis for sha: 43b42d4

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn-ipv6	IncompleteTests Tests for this run (23) are below the historical average (1300): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 15c3521 and 2 for PR HEAD 43b42d4 in total

[eggfoobar]

/retest-required

[openshift-ci]

@adambkaplan: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-csi	43b42d4	link	false	/test e2e-gcp-csi
ci/prow/e2e-gcp-ovn-rt-upgrade	43b42d4	link	false	/test e2e-gcp-ovn-rt-upgrade
ci/prow/e2e-aws-ovn-single-node-upgrade	43b42d4	link	false	/test e2e-aws-ovn-single-node-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@adambkaplan: Jira Issue OCPBUGS-33041: All pull requests linked via external trackers have merged:

• openshift/origin#28750

Jira Issue OCPBUGS-33041 has been moved to the MODIFIED state.

In response to this:

Starting in OCP 4.16, the system:webhook ClusterRole will not be granted to anonymous users by default. This will break most systems that use BuildConfig webhooks to trigger builds, since many can't be add an OpenShift auth token to their HTTP headers (ex: GitHub). Only new installations will be impacted; upgrades to 4.16 will continue to support unauthenticated BuildConfig webhooks.

This test update verifies that BuildConfig webhooks can be triggered using a namespace-scoped RoleBinding for the system:unauthenticated group. RoleBindings are preferable to ClusterRoleBindings as they limit unauthenticated API calls to specific namespaces, reducing the potential attack surface.

Use of BuildConfig webhooks should be discouraged in favor of Pipelines as Code, which has more robust mechanisms for securing webhook calls from external systems. It also does not rely on an aggregated apiserver and associated RBAC.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in accepted release 4.16.0-0.nightly-2024-05-08-222442