Fix PREVENT_METADATA_ACCESS not taking effect #8336

Merged
merged 1 commit into from
Feb 25, 2022

@iQQBot iQQBot commented Feb 21, 2022

Description

Rename THEIA_PREVENT_METADATA_ACCESS to GITPOD_PREVENT_METADATA_ACCESS
and fix it not taking effect in core-dev.
Also fix workspace nodeAffinity in core-dev; maybe it can improve stability for core-dev.

Related Issue(s)

Related: https://github.com/gitpod-io/ops/pull/1246/files

How to test

  1. Start a workspace.
  2. You will get shut down immediately.
  3. You can find the "metadata access is possible" log in GCP.

Release Notes

NONE

Documentation

codecov bot commented Feb 21, 2022

Codecov Report

Merging #8336 (81c22a7) into main (f41c652) will decrease coverage by 21.83%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             main    #8336       +/-   ##
===========================================
- Coverage   33.00%   11.17%   -21.84%     
===========================================
  Files          33       18       -15     
  Lines        4735      993     -3742     
===========================================
- Hits         1563      111     -1452     
+ Misses       3054      880     -2174     
+ Partials      118        2      -116     
Flag Coverage Δ
components-gitpod-cli-app 11.17% <ø> (ø)
components-local-app-app-darwin-amd64 ?
components-local-app-app-darwin-arm64 ?
components-local-app-app-linux-amd64 ?
components-local-app-app-linux-arm64 ?
components-local-app-app-windows-386 ?
components-local-app-app-windows-arm64 ?
components-ws-manager-app ?

Impacted Files Coverage Δ
components/ws-manager/pkg/manager/manager.go
components/ws-manager/pkg/manager/status.go
...-manager/pkg/manager/internal/workpool/workpool.go
components/ws-manager/pkg/manager/monitor.go
components/local-app/pkg/auth/auth.go
components/local-app/pkg/auth/pkce.go
components/ws-manager/pkg/manager/metrics.go
...s/ws-manager/pkg/manager/internal/grpcpool/pool.go
components/ws-manager/pkg/manager/probe.go
components/ws-manager/pkg/manager/create.go
... and 5 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@iQQBot iQQBot force-pushed the pd/fix-prevent-metadata branch from 4f7821e to a1548ae Compare February 21, 2022 02:48
akosyakov commented Feb 21, 2022

@iQQBot I'm trying to test, but workspaces don't get shut down

@akosyakov

I cannot find GITPOD_PREVENT_METADATA_ACCESS on the workspace container in GCP either. Maybe I'm looking in the wrong place though.

@iQQBot iQQBot marked this pull request as draft February 21, 2022 07:24
@iQQBot iQQBot force-pushed the pd/fix-prevent-metadata branch from a1548ae to 175624d Compare February 21, 2022 07:32
@iQQBot iQQBot force-pushed the pd/fix-prevent-metadata branch 4 times, most recently from 9103ea8 to f471b66 Compare February 24, 2022 16:52
@iQQBot iQQBot force-pushed the pd/fix-prevent-metadata branch from f471b66 to 81c22a7 Compare February 24, 2022 17:04
@iQQBot iQQBot marked this pull request as ready for review February 24, 2022 17:15
kylos101 commented Feb 25, 2022

Hey @iQQBot, this definitely works as advertised, I cannot start workspaces in core-dev in this namespace. How did you make them fail? I assume you altered workspace-default networkpolicy. Was there anything else you changed or restarted? I ask because I want to test both ways.

iQQBot commented Feb 25, 2022

The GITPOD_PREVENT_METADATA_ACCESS env variable controls this behavior. If this env variable is set to true, supervisor will try to access the GCP endpoint; if it can access it, supervisor will close itself.

This PR changes all workspaces' default env variables, setting GITPOD_PREVENT_METADATA_ACCESS to true.

And this is based on the "fix" before; you can see the commit history.
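
The check described in this comment, sketched in Go as an added example (not the supervisor's actual code): the metadata URL, the function names and the 2-second timeout are assumptions. In this sketch only the new variable name is read, so a deployment that sets only THEIA_PREVENT_METADATA_ACCESS leaves the guard off.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"time"
)

// Assumed probe target: the well-known GCE metadata address (not named in the thread).
const gcpMetadataURL = "http://169.254.169.254/computeMetadata/v1/instance/"

// guardEnabled reads only the new name; an unset or unparsable value means "off".
func guardEnabled(getenv func(string) string) bool {
	on, err := strconv.ParseBool(getenv("GITPOD_PREVENT_METADATA_ACCESS"))
	return err == nil && on
}

// metadataReachable reports whether url answers 200 to a metadata-style request.
func metadataReachable(ctx context.Context, url string) bool {
	ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return false
	}
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false // refused, dropped or timed out: the network policy is doing its job
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// mustShutDown is true only when the guard is on and the endpoint is reachable.
func mustShutDown(ctx context.Context, getenv func(string) string, url string) bool {
	return guardEnabled(getenv) && metadataReachable(ctx, url)
}

func main() {
	if mustShutDown(context.Background(), os.Getenv, gcpMetadataURL) {
		fmt.Fprintln(os.Stderr, "metadata access is possible, shutting down")
		os.Exit(1)
	}
	fmt.Println("guard disabled or metadata endpoint unreachable")
}
```

When verifying a deployment, check both halves: that the variable is present on the workspace container, and that the probe fails because of the network policy rather than because the guard never ran.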

@akosyakov akosyakov left a comment

lgtm, works as advertised now

@roboquat roboquat merged commit 234d579 into main Feb 25, 2022
@roboquat roboquat deleted the pd/fix-prevent-metadata branch February 25, 2022 07:47
@roboquat roboquat added deployed: IDE IDE change is running in production deployed Change is completely running in production labels Feb 28, 2022
Labels
deployed: IDE IDE change is running in production deployed Change is completely running in production release-note-none size/XS team: IDE
Projects
Status: Done