Add timeout to policy evaluation #254

Closed
3 tasks done
jvanz opened this issue May 17, 2022 · 5 comments · Fixed by #389, kubewarden/policy-evaluator#224 or #399

Comments

@jvanz
Member

jvanz commented May 17, 2022

To help mitigate threat #2 of the threat model, the policy server should allow the operator to define a timeout for the policy evaluation. If a policy takes more than the defined timeout, the request is rejected.

NOTE: This is an issue created from the RFC discussing the admission control threat model. It's created to allow the Kubewarden team to discuss the proposed mitigation further and start to work on each actionable item when possible.

Actions

@flavio
Member

flavio commented Aug 10, 2022

I think there are basically two options:

  • Implement a timer
  • Try to use something fancy like the fuel concept built into wasmtime
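An added example, not part of the comment above and not Kubewarden or wasmtime code: a plain-Rust model of the two options, a host timer that advances an epoch counter versus a per-evaluation fuel budget, each rejecting the request when its limit is hit. Every name in it is hypothetical, and the policy is a closure stepped by the host rather than a real Wasm guest.

```rust
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Arc;
use std::thread;
use std::time::Duration;

// All names below are hypothetical; this models the limits, it is not wasmtime's API.
#[derive(Debug, PartialEq)]
pub enum Verdict { Allowed, Denied, RejectedTimeout, RejectedOutOfFuel }

/// Host-side timer: advances the shared epoch once per `period`.
pub fn start_ticker(epoch: Arc<AtomicU64>, period: Duration) {
    thread::spawn(move || loop {
        thread::sleep(period);
        epoch.fetch_add(1, Ordering::Relaxed);
    });
}

/// Drives a policy one step at a time. `policy` returns None while it still has
/// work to do and Some(decision) when finished. Both limits are checked before
/// every step, so a policy that never finishes is still interrupted.
pub fn evaluate(mut policy: impl FnMut() -> Option<bool>,
                epoch: &AtomicU64, ticks: u64, mut fuel: u64) -> Verdict {
    let deadline = epoch.load(Ordering::Relaxed) + ticks;
    loop {
        if epoch.load(Ordering::Relaxed) >= deadline { return Verdict::RejectedTimeout; }
        if fuel == 0 { return Verdict::RejectedOutOfFuel; }
        fuel -= 1;
        match policy() {
            Some(true) => return Verdict::Allowed,
            Some(false) => return Verdict::Denied,
            None => {}
        }
    }
}

/// Constructed scenarios: a well-behaved policy, one that loops forever, and the
/// same looping policy under a small fuel budget with a generous deadline.
pub fn demo() -> (Verdict, Verdict, Verdict) {
    let epoch = Arc::new(AtomicU64::new(0));
    start_ticker(epoch.clone(), Duration::from_millis(5));
    let mut n = 0;
    let quick = evaluate(|| { n += 1; if n == 3 { Some(true) } else { None } }, &epoch, 200, 1_000);
    let hang = evaluate(|| None, &epoch, 2, u64::MAX);
    let costly = evaluate(|| None, &epoch, 200, 1_000);
    (quick, hang, costly)
}

fn main() {
    println!("{:?}", demo());
}
```

The timer bounds wall-clock time regardless of how much work each step does, while the fuel budget bounds the number of steps regardless of how long they take.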

@flavio flavio added kind/rfc and removed kind/rfc labels Aug 10, 2022
@flavio flavio self-assigned this Sep 8, 2022
flavio added a commit to flavio/policy-evaluator that referenced this issue Dec 19, 2022
Epoch deadline is a feature of wasmtime that allows the execution of a
wasm module after some time has elapsed.

This is needed to implement kubewarden/policy-server#254

Signed-off-by: Flavio Castelli <[email protected]>
flavio added a commit to flavio/policy-server that referenced this issue Dec 19, 2022
Ensure a policy cannot run more than a given amount of time.

This is required to fix kubewarden#254

Signed-off-by: Flavio Castelli <[email protected]>
@flavio
Member

flavio commented Dec 20, 2022

I wonder if "timeout protection" is a good name for this feature 🤔

I think we should think about another one, because this is a bit confusing

flavio added a commit to flavio/policy-server that referenced this issue Dec 22, 2022
Ensure a policy cannot run more than a given amount of time.

This is required to fix kubewarden#254

Signed-off-by: Flavio Castelli <[email protected]>
@viccuad
Member

viccuad commented Jan 2, 2023

I'm having trouble finding a better wording for "if policy timeout reached, reject request".
Ideas: rejection by timeout, timeout exclusion.
I still prefer timeout protection.

@jvanz jvanz closed this as completed in #389 Jan 5, 2023
jvanz pushed a commit that referenced this issue Jan 5, 2023
Ensure a policy cannot run more than a given amount of time.

This is required to fix #254

Signed-off-by: Flavio Castelli <[email protected]>
@viccuad
Member

viccuad commented Jan 5, 2023

#389 got prematurely merged, #396 reverted it.

Re-opening card again. We would need to create a new PR analogous to #389.

@viccuad viccuad reopened this Jan 5, 2023
flavio added a commit to flavio/policy-evaluator that referenced this issue Jan 9, 2023
Epoch deadline is a feature of wasmtime that allows the execution of a
wasm module after some time has elapsed.

This is needed to implement kubewarden/policy-server#254

Signed-off-by: Flavio Castelli <[email protected]>
flavio added a commit to flavio/policy-server that referenced this issue Jan 10, 2023
Ensure a policy cannot run more than a given amount of time.

This is required to fix kubewarden#254

Signed-off-by: Flavio Castelli <[email protected]>
@flavio
Member

flavio commented Jan 11, 2023

reopening, there are other tasks that have to be done

@flavio flavio reopened this Jan 11, 2023
@flavio flavio closed this as completed Jan 20, 2023