Load cron scripts from multiple sources #1326
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aimichelle
reviewed
May 11, 2023
m25n
force-pushed
the
query-broker-config-map
branch
6 times, most recently
from
34b5d88 to
fe23504
Compare
aimichelle
reviewed
May 17, 2023
src/vizier/services/query_broker/script_runner/script_source.go
Outdated
Show resolved
Hide resolved
m25n
force-pushed
the
query-broker-config-map
branch
2 times, most recently
from
bbba133 to
40001d9
Compare
aimichelle
reviewed
May 24, 2023
m25n
force-pushed
the
query-broker-config-map
branch
from
40001d9 to
a0fe1cb
Compare
aimichelle
reviewed
May 25, 2023
src/vizier/services/query_broker/script_runner/config_map_source.go
Outdated
Show resolved
Hide resolved
aimichelle
reviewed
May 31, 2023
src/vizier/services/query_broker/script_runner/config_map_source.go
Outdated
Show resolved
Hide resolved
m25n
force-pushed
the
query-broker-config-map
branch
from
6191ec6 to
2c80e5d
Compare
vihangm
temporarily deployed
to
pr-actions-approval
GitHub Actions
Inactive
vihangm
temporarily deployed
to
pr-actions-approval
GitHub Actions
Inactive
Summary: For our usage of Pixie, it's convenient to exclude Pixie's dependency on the control plane. This commit allows the query broker: 1. to load cron scripts from config maps in the same namespace 2. to turn on and off loading cron scripts from the cloud or config maps Type of change: /kind feature Changes: This commit implements the functionality described above. * added a `scriptrunner.Source` type that encapsulates how cron scripts are initialized/updated. * moved existing logic for fetching cron scripts to `scriptrunner.CloudSource` * added `scriptrunner.ConfigMapSource` * Modified `scriptrunner.ScriptRunner` to use `scriptrunner.Source`s. * Added a configuration flag (`--cron_script_sources` or or `PL_CRON_SCRIPT_SOURCES`) that allows a customer to choose which sources cron scripts can be loaded from. By default, it only loads cron scripts from the control plane. If you wanted to use both, for example, you could set `PL_CRON_SCRIPT_SOURCES="cloud configmaps"`. * Moved many of the fakes/mocks/test helpers to `helper_test.go` Test Plan: All of these changes have been tested at the unit level in addition to manual testing in all relevant configurations. We did our manual testing on GKE, EKS, and Kind with Kubernetes version 1.25. We don't anticipate other Kubernetes platforms or versions to be a problem since the config map API is stable and consistent across those dimensions. Moving the logic to load scripts from the control plane was probably the riskiest change and might warrant some extra attention. Co-authored-by: Devon Warshaw <warshawd@vmware.com> Signed-off-by: Matthew Conger-Eldeen <matthewco@vmware.com>
Co-authored-by: Joe Gee <jgee@vmware.com> Co-authored-by: Glenn Oppegard <oppegard@vmware.com> Co-authored-by: Devon Warshaw <warshawd@vmware.com> Signed-off-by: Matthew Conger-Eldeen <matthewco@vmware.com>
Co-authored-by: Devon Warshaw <warshawd@vmware.com> Signed-off-by: Matthew Conger-Eldeen <matthewco@vmware.com>
Co-authored-by: Devon Warshaw <warshawd@vmware.com> Signed-off-by: Matthew Conger-Eldeen <matthewco@vmware.com>
Signed-off-by: Matthew Conger-Eldeen <matthewco@vmware.com>
aimichelle
force-pushed
the
query-broker-config-map
branch
from
9b6ec03 to
5694ca5
Compare
aimichelle
temporarily deployed
to
pr-actions-approval
GitHub Actions
Inactive
aimichelle
approved these changes
Jun 8, 2023
Member
|
The lint in the checks is timing out, but I pulled the PR manually and ran the linter myself. Lint seems fine. |
vihangm
temporarily deployed
to
pr-actions-approval
GitHub Actions
Inactive
2 tasks
aimichelle
pushed a commit
that referenced
this pull request
Jan 10, 2025
) Summary: [cloud] Provide ability to disable executing modified pxl scripts Certain security conscious users are hesitant to use Pixie because without RBAC anyone with Pixie UI access can write arbitrary BPF code (bpftrace integration), access or export arbitrary data (modifying pxl scripts, writing export scripts). This change aims to address this concern with a global setting to prevent the ability to execute modified scripts. When an adhoc script is executed, the cloud will hash the contents of the script and check it against the scripts known to the scriptmgr service. If it is contained in the scriptmgr service, the script will be allowed to execute. Note: this does not prevent users from writing new export scripts. Since the query broker can source its scripts from a configmap as of #1326, this is deemed as an appropriate mitigation for cluster admins and I'll follow up with UI support to reflect that a vizier is in "configmap mode". Relevant Issues: N/A Type of change: /kind feature Test Plan: The following checks were performed - [x] New tests verify the scriptmgr and api service changes work - [x] Skaffold'ed to a testing cluster and verified script modification is blocked and unmodified scripts are allowed to run. In addition to this, the code editor in the UI is made read only and shows an explanation <details><summary>Screenshots</summary>    </details> Changelog Message: Pixie Cloud can now disable executing modified pxl scripts via the `PL_SCRIPT_MODIFICATION_DISABLED` key in the `pl-script-bundle-config` ConfigMap. See reference manifests for more details. --------- Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
ddelnano
added a commit
to ddelnano/pixie
that referenced
this pull request
Aug 6, 2025
…xie-io#2062) Summary: [cloud] Provide ability to disable executing modified pxl scripts Certain security conscious users are hesitant to use Pixie because without RBAC anyone with Pixie UI access can write arbitrary BPF code (bpftrace integration), access or export arbitrary data (modifying pxl scripts, writing export scripts). This change aims to address this concern with a global setting to prevent the ability to execute modified scripts. When an adhoc script is executed, the cloud will hash the contents of the script and check it against the scripts known to the scriptmgr service. If it is contained in the scriptmgr service, the script will be allowed to execute. Note: this does not prevent users from writing new export scripts. Since the query broker can source its scripts from a configmap as of pixie-io#1326, this is deemed as an appropriate mitigation for cluster admins and I'll follow up with UI support to reflect that a vizier is in "configmap mode". Relevant Issues: N/A Type of change: /kind feature Test Plan: The following checks were performed - [x] New tests verify the scriptmgr and api service changes work - [x] Skaffold'ed to a testing cluster and verified script modification is blocked and unmodified scripts are allowed to run. In addition to this, the code editor in the UI is made read only and shows an explanation <details><summary>Screenshots</summary>    </details> Changelog Message: Pixie Cloud can now disable executing modified pxl scripts via the `PL_SCRIPT_MODIFICATION_DISABLED` key in the `pl-script-bundle-config` ConfigMap. See reference manifests for more details. --------- Signed-off-by: Dom Del Nano <ddelnano@gmail.com> GitOrigin-RevId: d12b805
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary: For our usage of Pixie, it's convenient to exclude Pixie's dependency on the control plane. This commit allows the query broker:
Type of change: /kind feature
Changes: This commit implements the functionality described above.
scriptrunner.Sourcetype that encapsulates how cron scripts are initialized/updated.scriptrunner.CloudSourcescriptrunner.ConfigMapSourcescriptrunner.ScriptRunnerto usescriptrunner.Sources.--cron_script_sourcesor orPL_CRON_SCRIPT_SOURCES) that allows a customer to choose which sources cron scripts can be loaded from. By default, it only loads cron scripts from the control plane. If you wanted to use both, for example, you could setPL_CRON_SCRIPT_SOURCES="cloud configmaps".helper_test.goTest Plan: All of these changes have been tested at the unit level in addition to manual testing in all relevant configurations. We did our manual testing on GKE, EKS, and Kind with Kubernetes version 1.25. We don't anticipate other Kubernetes platforms or versions to be a problem since the config map API is stable and consistent across those dimensions. Moving the logic to load scripts from the control plane was probably the riskiest change and might warrant some extra attention.