OCPBUGS-48791: Add missing CSP directives #2164
base: release-4.18
Conversation
@jhadvig: This pull request references Jira Issue OCPBUGS-48740, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Hello @jhadvig! Some important instructions when contributing to openshift/api:
Have the 4.19 changes hit the payload yet? Can we make sure that the 4.19 bug is verified before we move forward here, please?
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jhadvig The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@JoelSpeed yes, both PRs should already be part of the payload. Spinning up a 4.19 techpreview cluster for confirmation.
@jhadvig: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Hmm, although both PRs are merged in master, I don't see the added
Has the operator had its deps bumped to include the latest version of o/api?
@JoelSpeed checked the API definition on a 4.19 cluster with techPreview enabled and the

```yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.openshift.io: https://github.com/openshift/api/pull/1186
    api.openshift.io/merged-by-featuregates: "true"
    capability.openshift.io/name: Console
    description: Extension for configuring openshift web console plugins.
    displayName: ConsolePlugin
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    release.openshift.io/feature-set: TechPreviewNoUpgrade
    service.beta.openshift.io/inject-cabundle: "true"
  creationTimestamp: "2025-03-04T08:26:06Z"
  generation: 1
  name: consoleplugins.console.openshift.io
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    controller: true
    kind: ClusterVersion
    name: version
    uid: c52a6894-fba3-462d-8a31-56b6f48fc91f
  resourceVersion: "22008"
  uid: 3d7f8011-7bf2-4971-8e1b-786971e817b0
spec:
  conversion:
    strategy: None
  group: console.openshift.io
  names:
    kind: ConsolePlugin
    listKind: ConsolePluginList
    plural: consoleplugins
    singular: consoleplugin
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: |-
          ConsolePlugin is an extension for customizing OpenShift web console by
          dynamically loading code from another service running on the cluster.
          Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: spec contains the desired configuration for the console plugin.
            properties:
              backend:
                description: backend holds the configuration of backend which is serving
                  console's plugin .
                properties:
                  service:
                    description: |-
                      service is a Kubernetes Service that exposes the plugin using a
                      deployment with an HTTP server. The Service must use HTTPS and
                      Service serving certificate. The console backend will proxy the
                      plugins assets from the Service using the service CA bundle.
                    properties:
                      basePath:
                        default: /
                        description: |-
                          basePath is the path to the plugin's assets. The primary asset it the
                          manifest file called `plugin-manifest.json`, which is a JSON document
                          that contains metadata about the plugin and the extensions.
                        maxLength: 256
                        minLength: 1
                        pattern: ^[a-zA-Z0-9.\-_~!$&'()*+,;=:@\/]*$
                        type: string
                      name:
                        description: name of Service that is serving the plugin assets.
                        maxLength: 128
                        minLength: 1
                        type: string
                      namespace:
                        description: namespace of Service that is serving the plugin
                          assets.
                        maxLength: 128
                        minLength: 1
                        type: string
                      port:
                        description: port on which the Service that is serving the
                          plugin is listening to.
                        format: int32
                        maximum: 65535
                        minimum: 1
                        type: integer
                    required:
                    - name
                    - namespace
                    - port
                    type: object
                  type:
                    description: |
                      type is the backend type which servers the console's plugin. Currently only "Service" is supported.
                    enum:
                    - Service
                    type: string
                required:
                - type
                type: object
              contentSecurityPolicy:
                description: |-
                  contentSecurityPolicy is a list of Content-Security-Policy (CSP) directives for the plugin.
                  ....
                  policy string that is sent to the browser via `Content-Security-Policy` HTTP response header.
                  Example:
                    ConsolePlugin A directives:
                      script-src: https://script1.com/, https://script2.com/
                      font-src: https://font1.com/
                    ConsolePlugin B directives:
                      script-src: https://script2.com/, https://script3.com/
                      font-src: https://font2.com/
                      img-src: https://img1.com/
                    Unified set of CSP directives, passed to the OpenShift web console server:
                      script-src: https://script1.com/, https://script2.com/, https://script3.com/
                      font-src: https://font1.com/, https://font2.com/
                      img-src: https://img1.com/
                    OpenShift web console server CSP response header:
                      Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none'
                items:
                  description: ConsolePluginCSP holds configuration for a specific
                    CSP directive
                  properties:
                    directive:
                      description: |-
                        directive specifies which Content-Security-Policy directive to configure.
                        Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
                        DefaultSrc directive serves as a fallback for the other CSP fetch directives.
                        For more information about the DefaultSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
                        ScriptSrc directive specifies valid sources for JavaScript.
                        For more information about the ScriptSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
                        StyleSrc directive specifies valid sources for stylesheets.
                        For more information about the StyleSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
                        ImgSrc directive specifies a valid sources of images and favicons.
                        For more information about the ImgSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
                        FontSrc directive specifies valid sources for fonts loaded using @font-face.
                        For more information about the FontSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
                        ConnectSrc directive restricts the URLs which can be loaded using script interfaces.
                        For more information about the ConnectSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
                      enum:
                      - DefaultSrc
                      - ScriptSrc
                      - StyleSrc
                      - ImgSrc
                      - FontSrc
                      - ConnectSrc
                      type: string
                    values:
                      description: |-
                        .....
```
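The `contentSecurityPolicy` description above explains how the console server unifies the directive lists of every installed plugin and renders them into one `Content-Security-Policy` header. The following Go program is an added illustration of that merge, not code from openshift/api or the console repository: it maps the CRD enum names (`ScriptSrc`, `FontSrc`, ...) to header keywords, deduplicates sources across plugins, rejects directive names outside the enum, and prepends the console's own `'self'`/`'none'` baseline, which is read off the example header in the field documentation. The emission order and the assumption that `connect-src` (absent from the example) also starts from `'self'` are my own choices. Plugin values can only widen the fetch directives in the enum; `frame-src 'none'` and `object-src 'none'` cannot be touched because they are not enum members.

```go
package main

import (
	"fmt"
	"strings"
)

// ConsolePluginCSP mirrors the CRD's contentSecurityPolicy list items:
// a directive name from the enum plus the source values for it.
type ConsolePluginCSP struct {
	Directive string
	Values    []string
}

// directiveNames maps the CRD enum values to the keywords used in the
// Content-Security-Policy header.
var directiveNames = map[string]string{
	"DefaultSrc": "default-src",
	"ScriptSrc":  "script-src",
	"StyleSrc":   "style-src",
	"ImgSrc":     "img-src",
	"FontSrc":    "font-src",
	"ConnectSrc": "connect-src",
}

// headerOrder is the emission order taken from the example header in the CRD
// description; connect-src has no example there, so its position is assumed.
var headerOrder = []string{
	"default-src", "base-uri", "script-src", "font-src",
	"img-src", "style-src", "connect-src", "frame-src", "object-src",
}

// baseline is the console server's own policy, read off the example header.
var baseline = map[string][]string{
	"default-src": {"'self'"},
	"base-uri":    {"'self'"},
	"script-src":  {"'self'"},
	"font-src":    {"'self'"},
	"img-src":     {"'self'"},
	"style-src":   {"'self'"},
	"frame-src":   {"'none'"},
	"object-src":  {"'none'"},
}

// UnifyCSP merges the directive lists of every plugin into one value list per
// directive, deduplicating while keeping first-seen order. Unknown directive
// names are rejected so a typo cannot silently widen the policy.
func UnifyCSP(plugins [][]ConsolePluginCSP) (map[string][]string, error) {
	unified := map[string][]string{}
	seen := map[string]map[string]bool{}
	for _, plugin := range plugins {
		for _, d := range plugin {
			name, ok := directiveNames[d.Directive]
			if !ok {
				return nil, fmt.Errorf("unsupported CSP directive %q", d.Directive)
			}
			if seen[name] == nil {
				seen[name] = map[string]bool{}
			}
			for _, v := range d.Values {
				if seen[name][v] {
					continue
				}
				seen[name][v] = true
				unified[name] = append(unified[name], v)
			}
		}
	}
	return unified, nil
}

// BuildCSPHeader renders the baseline policy plus the unified plugin sources
// into the header value. Plugin sources only ever extend a directive.
func BuildCSPHeader(unified map[string][]string) string {
	var parts []string
	for _, name := range headerOrder {
		values := append([]string{}, baseline[name]...)
		if extra, ok := unified[name]; ok {
			if len(values) == 0 {
				// Assumption: a directive with no baseline entry (connect-src)
				// still starts from 'self'.
				values = []string{"'self'"}
			}
			values = append(values, extra...)
		}
		if len(values) == 0 {
			continue
		}
		parts = append(parts, name+" "+strings.Join(values, " "))
	}
	return strings.Join(parts, "; ")
}

// DocExampleHeader reproduces the two-plugin example from the CRD description
// (constructed input, using the same values as the field documentation).
func DocExampleHeader() (string, error) {
	pluginA := []ConsolePluginCSP{
		{Directive: "ScriptSrc", Values: []string{"https://script1.com/", "https://script2.com/"}},
		{Directive: "FontSrc", Values: []string{"https://font1.com/"}},
	}
	pluginB := []ConsolePluginCSP{
		{Directive: "ScriptSrc", Values: []string{"https://script2.com/", "https://script3.com/"}},
		{Directive: "FontSrc", Values: []string{"https://font2.com/"}},
		{Directive: "ImgSrc", Values: []string{"https://img1.com/"}},
	}
	unified, err := UnifyCSP([][]ConsolePluginCSP{pluginA, pluginB})
	if err != nil {
		return "", err
	}
	return BuildCSPHeader(unified), nil
}

func main() {
	header, err := DocExampleHeader()
	if err != nil {
		panic(err)
	}
	fmt.Println("Content-Security-Policy: " + header)
}
```

Running it prints the same header the CRD description shows for plugins A and B; the duplicate `https://script2.com/` collapses to one entry, and a plugin naming a directive outside the enum is refused rather than merged.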
@jhadvig: This pull request references Jira Issue OCPBUGS-48791, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/jira refresh
@JoelSpeed: This pull request references Jira Issue OCPBUGS-48791, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@jhadvig Could you please sort out the bug chain for this backport? Once we can see that the 4.19 version of this is verified, we can move forward with the backport to 4.18.
Manual backport of #2163
/assign @spadgett @JoelSpeed