fix: prevent memoization accessing wrong config-maps #11225
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ensure that config-maps used for memoization aren't actually important for other uses. Config-maps created for memoization would have the label `workflows.argoproj.io/configmap-type: Cache`, but this was not validated. This commit changes that, and both load and saving to an existing config-map will require that label to be present, or else the workflow will error with a hopefully helpful message indicating the problem. All existing config-maps which were created by memoization will have this label already. The only concern is where a config-map existed prior to the first save by memoization. Before this change the config-map could still be used, and now workflows will error instead. This improves security and prevents writing to the `workflow-controller-configmap` by memoization. I considered alternative paths for excluding workflow-controller-configmap, such as a hardcoded list or a configurable list, but this seems like the best longer term solution, and requires zero configuration. fixes: argoproj#5538 Signed-off-by: Alan Clucas <alan@clucas.org>
JPZ13
pushed a commit
to pipekit/argo-workflows
that referenced
this pull request
Jul 4, 2023
Signed-off-by: Alan Clucas <alan@clucas.org>
jeremyhager
pushed a commit
to jeremyhager/argo-workflows
that referenced
this pull request
Jul 7, 2023
Signed-off-by: Alan Clucas <alan@clucas.org> Signed-off-by: Jeremy Hager <47301461+jeremyhager@users.noreply.github.com>
61 tasks
terrytangyuan
pushed a commit
that referenced
this pull request
Jul 19, 2023
Signed-off-by: Alan Clucas <alan@clucas.org>
6 tasks
6 tasks
dpadhiar
pushed a commit
to dpadhiar/argo-workflows
that referenced
this pull request
May 9, 2024
Signed-off-by: Alan Clucas <alan@clucas.org> Signed-off-by: Dillen Padhiar <dillen_padhiar@intuit.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ensure that config-maps used for memoization aren't actually important for other uses. Config-maps created for memoization would have the label
workflows.argoproj.io/configmap-type: Cache, but this was not validated.This commit changes that, and both load and saving to an existing config-map will require that label to be present, or else the workflow will error with a hopefully helpful message indicating the problem.
All existing config-maps which were created by memoization will have this label already. The only concern is where a config-map existed prior to the first save by memoization. Before this change the config-map could still be used, and now workflows will error instead.
This improves security and prevents writing to the
workflow-controller-configmapby memoization.I considered alternative paths for excluding
workflow-controller-configmap, such as a hardcoded list or a configurable list, but this seems like the best longer term solution, and requires zero configuration.
fixes: #5538
Verification
Tested locally by attempting to memoize using workflow-controller-configmap which I could do before this change, but afterwards was prevented from doing.
Existing tests updated to add labels to config-maps which show that it works as intended as they fail without the changes, and a new test for the failing case added by attempting to use an existing un-labelled configmap.