This commit fixes a security vulnerability where the ManifestWork
validating webhook was not passing the UserInfo.Extra field when
constructing SubjectAccessReview (SAR) requests. This omission could
lead to authorization bypass when external authorization policies
rely on Extra fields (e.g., OIDC claims, department attributes).
The fix adds Extra field conversion logic consistent with the
ManagedCluster webhook implementation and includes comprehensive
test coverage to verify the Extra field is properly propagated.
Fixes #1425

🤖 Assisted by Claude Code
Signed-off-by: zhujian <jiazhu@redhat.com>
Co-authored-by: zhujian <jiazhu@redhat.com>
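An added illustration of the propagation gap described in the commit above (not code from the OCM repository): the admission request's UserInfo.Extra has to be converted into the SubjectAccessReviewSpec Extra type, and a policy that keys on an Extra claim cannot see the claim when the webhook drops it. The types below are simplified stand-ins for authenticationv1.UserInfo and authorizationv1.SubjectAccessReviewSpec, the resource attributes and label names are illustrative, and the "read-only scope" authorizer and the sample user are constructed for the example.

```go
package main

import "fmt"

// Simplified mirrors of the Kubernetes admission UserInfo and the
// SubjectAccessReviewSpec; only the fields needed here, not the real API types.
type UserInfo struct {
	Username string
	UID      string
	Groups   []string
	Extra    map[string][]string
}

type ExtraValue []string

type ResourceAttributes struct {
	Namespace, Verb, Group, Resource string
}

type SubjectAccessReviewSpec struct {
	ResourceAttributes *ResourceAttributes
	User               string
	UID                string
	Groups             []string
	Extra              map[string]ExtraValue
}

// convertExtra copies admission Extra (map[string][]string) into the SAR
// Extra type (map[string]ExtraValue). Empty input yields nil so the SAR does
// not carry an empty map; values are copied so the SAR does not alias the
// admission request.
func convertExtra(in map[string][]string) map[string]ExtraValue {
	if len(in) == 0 {
		return nil
	}
	out := make(map[string]ExtraValue, len(in))
	for k, v := range in {
		out[k] = ExtraValue(append([]string(nil), v...))
	}
	return out
}

// buildSARSpec builds the SAR sent for the requesting user. includeExtra=false
// reproduces the pre-fix behaviour (Extra silently dropped); true is the fixed
// behaviour. Resource attributes are illustrative.
func buildSARSpec(user UserInfo, namespace string, includeExtra bool) SubjectAccessReviewSpec {
	spec := SubjectAccessReviewSpec{
		ResourceAttributes: &ResourceAttributes{
			Namespace: namespace,
			Verb:      "create",
			Group:     "work.open-cluster-management.io",
			Resource:  "manifestworks",
		},
		User:   user.Username,
		UID:    user.UID,
		Groups: user.Groups,
	}
	if includeExtra {
		spec.Extra = convertExtra(user.Extra)
	}
	return spec
}

// readOnlyScopeAuthorizer is a constructed stand-in for an external policy
// that relies on Extra: mutating verbs are denied when the token carries a
// "read-only" scope claim. Returns true when allowed.
func readOnlyScopeAuthorizer(spec SubjectAccessReviewSpec) bool {
	if spec.ResourceAttributes == nil {
		return false
	}
	switch spec.ResourceAttributes.Verb {
	case "get", "list", "watch":
		return true
	}
	for _, scope := range spec.Extra["scopes"] {
		if scope == "read-only" {
			return false
		}
	}
	return true
}

// sampleUser is a constructed admission UserInfo with an OIDC-style scope claim.
func sampleUser() UserInfo {
	return UserInfo{
		Username: "alice",
		UID:      "u-1",
		Groups:   []string{"system:authenticated"},
		Extra:    map[string][]string{"scopes": {"read-only"}},
	}
}

func main() {
	user := sampleUser()
	buggy := buildSARSpec(user, "cluster1", false)
	fixed := buildSARSpec(user, "cluster1", true)
	fmt.Printf("Extra dropped:    allowed=%v (policy never sees the scope)\n", readOnlyScopeAuthorizer(buggy))
	fmt.Printf("Extra propagated: allowed=%v\n", readOnlyScopeAuthorizer(fixed))
}
```

The deny rule only fires when the scope claim reaches the authorizer, so a SAR built without Extra is evaluated as if the token had no restrictions; any policy that uses Extra to narrow a user's rights is affected the same way.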
When a ManifestWorkReplicaSet's placementRef was changed, the
ManifestWorks created for the old placement were not deleted,
causing orphaned resources.
The deployReconciler only processed placements currently in the spec
and never cleaned up ManifestWorks from removed placements.
This commit adds cleanup logic that:
- Builds a set of current placement names from the spec
- Lists all ManifestWorks belonging to the ManifestWorkReplicaSet
- Deletes any ManifestWorks with placement labels not in current spec
Also adds comprehensive tests:
- Integration test verifying placement change cleanup
- Unit tests for single and multiple placement change scenarios
Fixes #1203

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Jian Qiu <jqiu@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
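The three cleanup steps listed in the commit above, worked as an added example that is not the project's code: build the set of current placement names, walk the ManifestWorks that belong to the replica set, and select those whose placement label is absent from the set. The label keys and the ManifestWork stand-in type are assumptions (the page does not show the real keys), the list and delete API calls are out of scope here, and the sample works are constructed. One caveat beyond the commit text: a work that carries the replica-set label but no placement label is skipped rather than deleted, since the controller cannot attribute it to any placement.

```go
package main

import (
	"fmt"
	"sort"
)

// Assumed label keys; the real controller's keys are not shown on this page.
const (
	replicaSetLabel = "work.open-cluster-management.io/manifestworkreplicaset"
	placementLabel  = "work.open-cluster-management.io/placementname"
)

// ManifestWork is a stand-in with only the fields the cleanup needs.
type ManifestWork struct {
	Name   string
	Labels map[string]string
}

// orphanedWorks returns, sorted, the names of works owned by replicaSet whose
// placement label is not one of currentPlacements. Works of other replica sets
// and works without a placement label are never returned.
func orphanedWorks(replicaSet string, currentPlacements []string, works []ManifestWork) []string {
	current := make(map[string]struct{}, len(currentPlacements))
	for _, p := range currentPlacements {
		current[p] = struct{}{}
	}
	var orphans []string
	for _, w := range works {
		if w.Labels[replicaSetLabel] != replicaSet {
			continue // belongs to another replica set (or is unlabelled)
		}
		placement, ok := w.Labels[placementLabel]
		if !ok {
			continue // cannot attribute to a placement; leave it alone
		}
		if _, keep := current[placement]; !keep {
			orphans = append(orphans, w.Name)
		}
	}
	sort.Strings(orphans)
	return orphans
}

// sampleWorks is a constructed listing: rs1 once targeted placement-a and
// placement-b, rs2 targets placement-a, and one rs1 work lacks a placement label.
func sampleWorks() []ManifestWork {
	return []ManifestWork{
		{Name: "rs1-placement-a-c1", Labels: map[string]string{replicaSetLabel: "rs1", placementLabel: "placement-a"}},
		{Name: "rs1-placement-a-c2", Labels: map[string]string{replicaSetLabel: "rs1", placementLabel: "placement-a"}},
		{Name: "rs1-placement-b-c1", Labels: map[string]string{replicaSetLabel: "rs1", placementLabel: "placement-b"}},
		{Name: "rs2-placement-a-c1", Labels: map[string]string{replicaSetLabel: "rs2", placementLabel: "placement-a"}},
		{Name: "rs1-unattributed", Labels: map[string]string{replicaSetLabel: "rs1"}},
	}
}

func main() {
	// rs1's spec now lists only placement-b: the two placement-a works are orphans.
	for _, name := range orphanedWorks("rs1", []string{"placement-b"}, sampleWorks()) {
		fmt.Println("delete:", name)
	}
}
```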
* 🧹 Remove resolved TODO comments
- Remove TODO comment about confirming subject in CustomSignerConfigurations
- Remove TODO comment about namespace value in manifestwork validating webhook
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
* Ensure addon namespace and image pull secret sync
- Remove outdated TODO comment about addon deployment in Hosted mode
- Namespace creation is responsibility of addon developers
- Image pull secrets are synced to namespaces with addon.open-cluster-management.io/namespace label by the AddonPullImageSecretController
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
---------
Signed-off-by: zhujian <jiazhu@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* Skip manifests in work reconcile that are marked Complete
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Aggregate Complete condition to work from manifests
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Delete work that is complete and satisfies configured TTL
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* tests
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* lint
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* go.mod
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Helper funcs for conditions
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Generic condition aggregation
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Support integration test args
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Remove work deletion from spoke, will be moved to hub GC
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Cleanup
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* update api
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Wait for NS to exist before testing
Signed-off-by: Ben Perry <bhperry94@gmail.com>
---------
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Import OCM API changes for workload conditions
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Implement condition rule evaluator
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Evaluate manifest condition rules after apply
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* note to self
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Cleanup
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Return config option if rules are set
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* update api
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Always return an error to inform user about the state of their condition rule
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Condition rule errors should not result in retrying apply
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Test condition rule reconciliation
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Return condition status Unknown when an internal CEL error occurs
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Update api
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Switch to common CEL lib
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Update to simplified celExpressions format
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Formatting
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* tidy
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Update ocm api
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Update sdk-go
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Switch to sdk-go ConditionLib
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Update API
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Switch to WellKnownConditions with required Condition field
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Support CEL evaluation budget
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Update sdk-go
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Update API
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* lint
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Update go.mod
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Tests and comments
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Move condition reader to status controller for more frequent updates
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Ignore missing WellKnownCondition
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Fix test
Signed-off-by: Ben Perry <bhperry94@gmail.com>
* Update condition tests
Signed-off-by: Ben Perry <bhperry94@gmail.com>
---------
Signed-off-by: Ben Perry <bhperry94@gmail.com>
Instead of requeuing all items each resyncInterval, we requeue
each item separately with a jitter to avoid bursty requests
Signed-off-by: Jian Qiu <jqiu@redhat.com>
* Fix manifestwork and appliedmanifestwork unsync issue
merge the two controllers as reconcilers for one controller
Signed-off-by: Jian Qiu <jqiu@redhat.com>
* Add an integration test
Signed-off-by: Jian Qiu <jqiu@redhat.com>
---------
Signed-off-by: Jian Qiu <jqiu@redhat.com>
* only read the first item when RawFeedbackJsonString is disabled
This is to ensure backward compatibility when the feature gate
is disabled
Signed-off-by: Jian Qiu <jqiu@redhat.com>
* Add a test for backward compatibility
Signed-off-by: Jian Qiu <jqiu@redhat.com>
---------
Signed-off-by: Jian Qiu <jqiu@redhat.com>
* upgrade sdk to support Kafka as a cloudevents driver
Signed-off-by: clyang82 <chuyang@redhat.com>
* fix format issue
Signed-off-by: clyang82 <chuyang@redhat.com>
---------
Signed-off-by: clyang82 <chuyang@redhat.com>