fix(controller): podSpecPatch updates override the ref template in Secure mode #13909

Draft: wants to merge 1 commit into base: main

@chengjoey chengjoey (Contributor) commented Nov 16, 2024

Fixes #13871

Motivation

podSpecPatch seems not to be set when referencing wf template and in Secure mode

Modifications

Verification

wf:

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: workflow-template-hello-world
spec:
  workflowTemplateRef:
    name: workflow-template-print-message
  podSpecPatch: |
    containers:
      - name: main
        image: alpine
        command: [echo]
        args: ["hello world"]

kubectl get wf

NAME                            STATUS   AGE   MESSAGE
workflow-template-hello-world   Error    6s    PodSpecPatch may not be setted during execution when the controller is set `templateReferencing: Secure`

@chengjoey chengjoey marked this pull request as draft November 16, 2024 05:51
@@ -4023,6 +4023,9 @@ func (woc *wfOperationCtx) setStoredWfSpec(ctx context.Context) error {
wfutil.JoinWorkflowMetaData(&woc.wf.ObjectMeta, &wfDefault.ObjectMeta)
workflowTemplateSpec = wftHolder.GetWorkflowSpec()
}
if len(woc.execWf.Spec.PodSpecPatch) > 0 && woc.controller.Config.WorkflowRestrictions.MustNotChangeSpec() {
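
Review bot: The `if` condition at the end of this hunk reads `woc.execWf.Spec.PodSpecPatch` rather than the submitted Workflow's own spec. If `execWf` can already carry a `podSpecPatch` inherited from the referenced WorkflowTemplate at this point, a patch defined by the template author would be rejected together with submitter overrides; checking `woc.wf.Spec.PodSpecPatch` would limit the rejection to what the submitter supplied. The body of the branch is not visible here, but the message shown in the Verification output ("may not be setted during execution") would read better as "must not be set", and a unit test for a Workflow with `workflowTemplateRef` plus `podSpecPatch` under `templateReferencing: Secure` should accompany the check.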

This also applies to Strict mode, right? MustUseReference is more suitable perhaps.

Member

I think templateReferencing: Secure has prohibited changes; maybe podSpecPatch can also exist in Strict mode.

@shuangkun shuangkun added the area/controller Controller issues, panics label Dec 20, 2024
Successfully merging this pull request may close these issues.

Using podSpecPatch with templateReferencing: Secure mode can still override container image and command