diff --git a/console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml b/console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml index c487d9215d3..847869fabb8 100644 --- a/console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml +++ b/console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml @@ -87,3 +87,189 @@ tests: i18n: loadType: Invalid expectedError: "Unsupported value: \"Invalid\"" + - name: Should be able to create a ConsolePlugin with valid CSP configuration + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - https://script1.com/ + - directive: ImgSrc + values: + - https://img1.com/ + expected: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - https://script1.com/ + - directive: ImgSrc + values: + - https://img1.com/ + - name: Should throw an error for duplicate CSP directive entries + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - https://script1.com/ + - directive: ScriptSrc + values: + - https://script1.com/ + expectedError: "spec.contentSecurityPolicy[1]: Duplicate value: map[string]interface {}{\"directive\":\"ScriptSrc\"}" + - name: Should throw an error for duplicate CSP directive values + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - https://script1.com/ + - https://script1.com/ + expectedError: "spec.contentSecurityPolicy[0].values: Invalid value: \"array\": each CSP directive value must be unique" + - name: Should throw an error for incorrect directive type + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: TestSrc + values: + - https://script1.com/ + expectedError: "spec.contentSecurityPolicy[0].directive: Unsupported value: \"TestSrc\": supported values: \"DefaultSrc\", \"ScriptSrc\", \"StyleSrc\", \"ImgSrc\", \"FontSrc\"" + - name: Should throw an error for invalid CSP directive values, using wildcard + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - "*" + expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot be a wildcard" + - name: Should be able to create a ConsolePlugin with valid CSP value, using domain with wildcard prefix + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - "*.example.com" + expected: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - "*.example.com" + - name: Should throw an error for invalid CSP directive values, starting and ending with quotes + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - "'none'" + expectedError: "\"string\": CSP directive value cannot contain a quote" + - name: Should throw an error for invalid CSP directive values with quote + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - "foo'bar" + expectedError: "\"string\": CSP directive value cannot contain a quote" + - name: Should throw an error for invalid CSP directive values with comma + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - "foo,bar" + expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a comma" + - name: Should throw an error for invalid CSP directive values with semi-colon + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - "foo;bar" + expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a semi-colon" + - name: Should throw an error for invalid CSP directive values with whitespace, using space + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - https://scr ipt1.com/ + expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a whitespace" + - name: Should throw an error for invalid CSP directive values with whitespace, using tab + initial: | + apiVersion: console.openshift.io/v1 + kind: ConsolePlugin + spec: + displayName: foo + backend: + type: Service + contentSecurityPolicy: + - directive: ScriptSrc + values: + - https://scri pt1.com/ + expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a whitespace" diff --git a/console/v1/tests/consoleplugins.console.openshift.io/ConsolePluginContentSecurityPolicy.yaml b/console/v1/tests/consoleplugins.console.openshift.io/ConsolePluginContentSecurityPolicy.yaml deleted file mode 100644 index e2d4165cf68..00000000000 --- a/console/v1/tests/consoleplugins.console.openshift.io/ConsolePluginContentSecurityPolicy.yaml +++ /dev/null @@ -1,194 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this -name: "ConsolePlugin" -crdName: consoleplugins.console.openshift.io -featureGates: -- ConsolePluginContentSecurityPolicy -version: v1 -tests: - onCreate: - - name: Should be able to create a ConsolePlugin with valid CSP configuration - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - https://script1.com/ - - directive: ImgSrc - values: - - https://img1.com/ - expected: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - https://script1.com/ - - directive: ImgSrc - values: - - https://img1.com/ - - name: Should throw an error for duplicate CSP directive entries - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - https://script1.com/ - - directive: ScriptSrc - values: - - https://script1.com/ - expectedError: "spec.contentSecurityPolicy[1]: Duplicate value: map[string]interface {}{\"directive\":\"ScriptSrc\"}" - - name: Should throw an error for duplicate CSP directive values - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - https://script1.com/ - - https://script1.com/ - expectedError: "spec.contentSecurityPolicy[0].values: Invalid value: \"array\": each CSP directive value must be unique" - - name: Should throw an error for incorrect directive type - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: TestSrc - values: - - https://script1.com/ - expectedError: "spec.contentSecurityPolicy[0].directive: Unsupported value: \"TestSrc\": supported values: \"DefaultSrc\", \"ScriptSrc\", \"StyleSrc\", \"ImgSrc\", \"FontSrc\"" - - name: Should throw an error for invalid CSP directive values, using wildcard - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - "*" - expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot be a wildcard" - - name: Should be able to create a ConsolePlugin with valid CSP value, using domain with wildcard prefix - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - "*.example.com" - expected: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - "*.example.com" - - name: Should throw an error for invalid CSP directive values, starting and ending with quotes - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - "'none'" - expectedError: "\"string\": CSP directive value cannot contain a quote" - - name: Should throw an error for invalid CSP directive values with quote - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - "foo'bar" - expectedError: "\"string\": CSP directive value cannot contain a quote" - - name: Should throw an error for invalid CSP directive values with comma - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - "foo,bar" - expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a comma" - - name: Should throw an error for invalid CSP directive values with semi-colon - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - "foo;bar" - expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a semi-colon" - - name: Should throw an error for invalid CSP directive values with whitespace, using space - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - https://scr ipt1.com/ - expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a whitespace" - - name: Should throw an error for invalid CSP directive values with whitespace, using tab - initial: | - apiVersion: console.openshift.io/v1 - kind: ConsolePlugin - spec: - displayName: foo - backend: - type: Service - contentSecurityPolicy: - - directive: ScriptSrc - values: - - https://scri pt1.com/ - expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a whitespace" diff --git a/console/v1/types_console_plugin.go b/console/v1/types_console_plugin.go index 0160a4a2428..c63db50d52c 100644 --- a/console/v1/types_console_plugin.go +++ b/console/v1/types_console_plugin.go @@ -90,7 +90,6 @@ type ConsolePluginSpec struct { // OpenShift web console server CSP response header: // Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none' // - // +openshift:enable:FeatureGate=ConsolePluginContentSecurityPolicy // +kubebuilder:validation:MaxItems=5 // +kubebuilder:validation:XValidation:rule="self.map(x, x.values.map(y, y.size()).sum()).sum() < 8192",message="the total combined size of values of all directives must not exceed 8192 (8kb)" // +listType=map diff --git a/console/v1/zz_generated.featuregated-crd-manifests.yaml b/console/v1/zz_generated.featuregated-crd-manifests.yaml index caa676e691c..26524d0a17a 100644 --- a/console/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/console/v1/zz_generated.featuregated-crd-manifests.yaml @@ -137,8 +137,7 @@ consoleplugins.console.openshift.io: CRDName: consoleplugins.console.openshift.io Capability: Console Category: "" - FeatureGates: - - ConsolePluginContentSecurityPolicy + FeatureGates: [] FilenameOperatorName: "" FilenameOperatorOrdering: "90" FilenameRunLevel: "" diff --git a/console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/AAA_ungated.yaml b/console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/AAA_ungated.yaml index 265029be207..7c0e60fd56c 100644 --- a/console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/AAA_ungated.yaml +++ b/console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/AAA_ungated.yaml @@ -101,6 +101,129 @@ spec: required: - type type: object + contentSecurityPolicy: + description: |- + contentSecurityPolicy is a list of Content-Security-Policy (CSP) directives for the plugin. + Each directive specifies a list of values, appropriate for the given directive type, + for example a list of remote endpoints for fetch directives such as ScriptSrc. + Console web application uses CSP to detect and mitigate certain types of attacks, + such as cross-site scripting (XSS) and data injection attacks. + Dynamic plugins should specify this field if need to load assets from outside + the cluster or if violation reports are observed. Dynamic plugins should always prefer + loading their assets from within the cluster, either by vendoring them, or fetching + from a cluster service. + CSP violation reports can be viewed in the browser's console logs during development and + testing of the plugin in the OpenShift web console. + Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc. + Each of the available directives may be defined only once in the list. + The value 'self' is automatically included in all fetch directives by the OpenShift web + console's backend. + For more information about the CSP directives, see: + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + + The OpenShift web console server aggregates the CSP directives and values across + its own default values and all enabled ConsolePlugin CRs, merging them into a single + policy string that is sent to the browser via `Content-Security-Policy` HTTP response header. + + Example: + ConsolePlugin A directives: + script-src: https://script1.com/, https://script2.com/ + font-src: https://font1.com/ + + ConsolePlugin B directives: + script-src: https://script2.com/, https://script3.com/ + font-src: https://font2.com/ + img-src: https://img1.com/ + + Unified set of CSP directives, passed to the OpenShift web console server: + script-src: https://script1.com/, https://script2.com/, https://script3.com/ + font-src: https://font1.com/, https://font2.com/ + img-src: https://img1.com/ + + OpenShift web console server CSP response header: + Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none' + items: + description: ConsolePluginCSP holds configuration for a specific + CSP directive + properties: + directive: + description: |- + directive specifies which Content-Security-Policy directive to configure. + Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc. + DefaultSrc directive serves as a fallback for the other CSP fetch directives. + For more information about the DefaultSrc directive, see: + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src + ScriptSrc directive specifies valid sources for JavaScript. + For more information about the ScriptSrc directive, see: + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src + StyleSrc directive specifies valid sources for stylesheets. + For more information about the StyleSrc directive, see: + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src + ImgSrc directive specifies a valid sources of images and favicons. + For more information about the ImgSrc directive, see: + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src + FontSrc directive specifies valid sources for fonts loaded using @font-face. + For more information about the FontSrc directive, see: + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src + ConnectSrc directive restricts the URLs which can be loaded using script interfaces. + For more information about the ConnectSrc directive, see: + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src + enum: + - DefaultSrc + - ScriptSrc + - StyleSrc + - ImgSrc + - FontSrc + - ConnectSrc + type: string + values: + description: |- + values defines an array of values to append to the console defaults for this directive. + Each ConsolePlugin may define their own directives with their values. These will be set + by the OpenShift web console's backend, as part of its Content-Security-Policy header. + The array can contain at most 16 values. Each directive value must have a maximum length + of 1024 characters and must not contain whitespace, commas (,), semicolons (;) or single + quotes ('). The value '*' is not permitted. + Each value in the array must be unique. + items: + description: |- + CSPDirectiveValue is single value for a Content-Security-Policy directive. + Each directive value must have a maximum length of 1024 characters and must not contain + whitespace, commas (,), semicolons (;) or single quotes ('). The value '*' is not permitted. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: CSP directive value cannot contain a quote + rule: '!self.contains("''")' + - message: CSP directive value cannot contain a whitespace + rule: '!self.matches(''\\s'')' + - message: CSP directive value cannot contain a comma + rule: '!self.contains('','')' + - message: CSP directive value cannot contain a semi-colon + rule: '!self.contains('';'')' + - message: CSP directive value cannot be a wildcard + rule: self != '*' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: each CSP directive value must be unique + rule: self.all(x, self.exists_one(y, x == y)) + required: + - directive + - values + type: object + maxItems: 5 + type: array + x-kubernetes-list-map-keys: + - directive + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: the total combined size of values of all directives must + not exceed 8192 (8kb) + rule: self.map(x, x.values.map(y, y.size()).sum()).sum() < 8192 displayName: description: |- displayName is the display name of the plugin. diff --git a/console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/ConsolePluginContentSecurityPolicy.yaml b/console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/ConsolePluginContentSecurityPolicy.yaml deleted file mode 100644 index 1cfda17e2d7..00000000000 --- a/console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/ConsolePluginContentSecurityPolicy.yaml +++ /dev/null @@ -1,353 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1186 - api.openshift.io/filename-ordering: "90" - capability.openshift.io/name: Console - description: Extension for configuring openshift web console plugins. - displayName: ConsolePlugin - feature-gate.release.openshift.io/ConsolePluginContentSecurityPolicy: "true" - service.beta.openshift.io/inject-cabundle: "true" - name: consoleplugins.console.openshift.io -spec: - group: console.openshift.io - names: - kind: ConsolePlugin - listKind: ConsolePluginList - plural: consoleplugins - singular: consoleplugin - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - ConsolePlugin is an extension for customizing OpenShift web console by - dynamically loading code from another service running on the cluster. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the desired configuration for the console plugin. - properties: - backend: - description: backend holds the configuration of backend which is serving - console's plugin . - properties: - service: - description: |- - service is a Kubernetes Service that exposes the plugin using a - deployment with an HTTP server. The Service must use HTTPS and - Service serving certificate. The console backend will proxy the - plugins assets from the Service using the service CA bundle. - properties: - basePath: - default: / - description: |- - basePath is the path to the plugin's assets. The primary asset it the - manifest file called `plugin-manifest.json`, which is a JSON document - that contains metadata about the plugin and the extensions. - maxLength: 256 - minLength: 1 - pattern: ^[a-zA-Z0-9.\-_~!$&'()*+,;=:@\/]*$ - type: string - name: - description: name of Service that is serving the plugin assets. - maxLength: 128 - minLength: 1 - type: string - namespace: - description: namespace of Service that is serving the plugin - assets. - maxLength: 128 - minLength: 1 - type: string - port: - description: port on which the Service that is serving the - plugin is listening to. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - - namespace - - port - type: object - type: - description: | - type is the backend type which servers the console's plugin. Currently only "Service" is supported. - enum: - - Service - type: string - required: - - type - type: object - contentSecurityPolicy: - description: |- - contentSecurityPolicy is a list of Content-Security-Policy (CSP) directives for the plugin. - Each directive specifies a list of values, appropriate for the given directive type, - for example a list of remote endpoints for fetch directives such as ScriptSrc. - Console web application uses CSP to detect and mitigate certain types of attacks, - such as cross-site scripting (XSS) and data injection attacks. - Dynamic plugins should specify this field if need to load assets from outside - the cluster or if violation reports are observed. Dynamic plugins should always prefer - loading their assets from within the cluster, either by vendoring them, or fetching - from a cluster service. - CSP violation reports can be viewed in the browser's console logs during development and - testing of the plugin in the OpenShift web console. - Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc. - Each of the available directives may be defined only once in the list. - The value 'self' is automatically included in all fetch directives by the OpenShift web - console's backend. - For more information about the CSP directives, see: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy - - The OpenShift web console server aggregates the CSP directives and values across - its own default values and all enabled ConsolePlugin CRs, merging them into a single - policy string that is sent to the browser via `Content-Security-Policy` HTTP response header. - - Example: - ConsolePlugin A directives: - script-src: https://script1.com/, https://script2.com/ - font-src: https://font1.com/ - - ConsolePlugin B directives: - script-src: https://script2.com/, https://script3.com/ - font-src: https://font2.com/ - img-src: https://img1.com/ - - Unified set of CSP directives, passed to the OpenShift web console server: - script-src: https://script1.com/, https://script2.com/, https://script3.com/ - font-src: https://font1.com/, https://font2.com/ - img-src: https://img1.com/ - - OpenShift web console server CSP response header: - Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none' - items: - description: ConsolePluginCSP holds configuration for a specific - CSP directive - properties: - directive: - description: |- - directive specifies which Content-Security-Policy directive to configure. - Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc. - DefaultSrc directive serves as a fallback for the other CSP fetch directives. - For more information about the DefaultSrc directive, see: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src - ScriptSrc directive specifies valid sources for JavaScript. - For more information about the ScriptSrc directive, see: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src - StyleSrc directive specifies valid sources for stylesheets. - For more information about the StyleSrc directive, see: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src - ImgSrc directive specifies a valid sources of images and favicons. - For more information about the ImgSrc directive, see: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src - FontSrc directive specifies valid sources for fonts loaded using @font-face. - For more information about the FontSrc directive, see: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src - ConnectSrc directive restricts the URLs which can be loaded using script interfaces. - For more information about the ConnectSrc directive, see: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src - enum: - - DefaultSrc - - ScriptSrc - - StyleSrc - - ImgSrc - - FontSrc - - ConnectSrc - type: string - values: - description: |- - values defines an array of values to append to the console defaults for this directive. - Each ConsolePlugin may define their own directives with their values. These will be set - by the OpenShift web console's backend, as part of its Content-Security-Policy header. - The array can contain at most 16 values. Each directive value must have a maximum length - of 1024 characters and must not contain whitespace, commas (,), semicolons (;) or single - quotes ('). The value '*' is not permitted. - Each value in the array must be unique. - items: - description: |- - CSPDirectiveValue is single value for a Content-Security-Policy directive. - Each directive value must have a maximum length of 1024 characters and must not contain - whitespace, commas (,), semicolons (;) or single quotes ('). The value '*' is not permitted. - maxLength: 1024 - minLength: 1 - type: string - x-kubernetes-validations: - - message: CSP directive value cannot contain a quote - rule: '!self.contains("''")' - - message: CSP directive value cannot contain a whitespace - rule: '!self.matches(''\\s'')' - - message: CSP directive value cannot contain a comma - rule: '!self.contains('','')' - - message: CSP directive value cannot contain a semi-colon - rule: '!self.contains('';'')' - - message: CSP directive value cannot be a wildcard - rule: self != '*' - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: each CSP directive value must be unique - rule: self.all(x, self.exists_one(y, x == y)) - required: - - directive - - values - type: object - maxItems: 5 - type: array - x-kubernetes-list-map-keys: - - directive - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: the total combined size of values of all directives must - not exceed 8192 (8kb) - rule: self.map(x, x.values.map(y, y.size()).sum()).sum() < 8192 - displayName: - description: |- - displayName is the display name of the plugin. - The dispalyName should be between 1 and 128 characters. - maxLength: 128 - minLength: 1 - type: string - i18n: - description: i18n is the configuration of plugin's localization resources. - properties: - loadType: - description: |- - loadType indicates how the plugin's localization resource should be loaded. - Valid values are Preload, Lazy and the empty string. - When set to Preload, all localization resources are fetched when the plugin is loaded. - When set to Lazy, localization resources are lazily loaded as and when they are required by the console. - When omitted or set to the empty string, the behaviour is equivalent to Lazy type. - enum: - - Preload - - Lazy - - "" - type: string - required: - - loadType - type: object - proxy: - description: |- - proxy is a list of proxies that describe various service type - to which the plugin needs to connect to. - items: - description: |- - ConsolePluginProxy holds information on various service types - to which console's backend will proxy the plugin's requests. - properties: - alias: - description: |- - alias is a proxy name that identifies the plugin's proxy. An alias name - should be unique per plugin. The console backend exposes following - proxy endpoint: - - /api/proxy/plugin///? - - Request example path: - - /api/proxy/plugin/acm/search/pods?namespace=openshift-apiserver - maxLength: 128 - minLength: 1 - pattern: ^[A-Za-z0-9-_]+$ - type: string - authorization: - default: None - description: |- - authorization provides information about authorization type, - which the proxied request should contain - enum: - - UserToken - - None - type: string - caCertificate: - description: |- - caCertificate provides the cert authority certificate contents, - in case the proxied Service is using custom service CA. - By default, the service CA bundle provided by the service-ca operator is used. - pattern: ^-----BEGIN CERTIFICATE-----([\s\S]*)-----END CERTIFICATE-----\s?$ - type: string - endpoint: - description: endpoint provides information about endpoint to - which the request is proxied to. - properties: - service: - description: |- - service is an in-cluster Service that the plugin will connect to. - The Service must use HTTPS. The console backend exposes an endpoint - in order to proxy communication between the plugin and the Service. - Note: service field is required for now, since currently only "Service" - type is supported. - properties: - name: - description: name of Service that the plugin needs to - connect to. - maxLength: 128 - minLength: 1 - type: string - namespace: - description: namespace of Service that the plugin needs - to connect to - maxLength: 128 - minLength: 1 - type: string - port: - description: |- - port on which the Service that the plugin needs to connect to - is listening on. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - - namespace - - port - type: object - type: - description: | - type is the type of the console plugin's proxy. Currently only "Service" is supported. - enum: - - Service - type: string - required: - - type - type: object - required: - - alias - - endpoint - type: object - type: array - x-kubernetes-list-type: atomic - required: - - backend - - displayName - type: object - required: - - metadata - - spec - type: object - served: true - storage: true diff --git a/features.md b/features.md index afa64782571..a03849132e9 100644 --- a/features.md +++ b/features.md @@ -84,7 +84,6 @@ | AzureWorkloadIdentity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | BuildCSIVolumes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | CPMSMachineNamePrefix| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| ConsolePluginContentSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ExternalOIDC| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ExternalOIDCWithUIDAndExtraClaimMappings| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/features/features.go b/features/features.go index 187edb0e164..312e8738e18 100644 --- a/features/features.go +++ b/features/features.go @@ -36,14 +36,6 @@ func AllFeatureSets() map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGat var ( allFeatureGates = map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGateEnabledDisabled{} - FeatureGateConsolePluginCSP = newFeatureGate("ConsolePluginContentSecurityPolicy"). - reportProblemsToJiraComponent("Management Console"). - contactPerson("jhadvig"). - productScope(ocpSpecific). - enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - enhancementPR("https://github.com/openshift/enhancements/pull/1706"). - mustRegister() - FeatureGateServiceAccountTokenNodeBinding = newFeatureGate("ServiceAccountTokenNodeBinding"). reportProblemsToJiraComponent("apiserver-auth"). contactPerson("ibihim"). diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml index 326d875acd8..1b5bbdef9a8 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml @@ -263,9 +263,6 @@ { "name": "CPMSMachineNamePrefix" }, - { - "name": "ConsolePluginContentSecurityPolicy" - }, { "name": "ExternalOIDC" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml index 1897be7b3c5..87ffa73b7fb 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml @@ -142,9 +142,6 @@ { "name": "ConfigurablePKI" }, - { - "name": "ConsolePluginContentSecurityPolicy" - }, { "name": "DNSNameResolver" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml b/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml index 91f2cd1e720..d332c0d6eb4 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml @@ -265,9 +265,6 @@ { "name": "CPMSMachineNamePrefix" }, - { - "name": "ConsolePluginContentSecurityPolicy" - }, { "name": "ExternalOIDC" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml index 5853607c02b..611334972c7 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml @@ -160,9 +160,6 @@ { "name": "ConfigurablePKI" }, - { - "name": "ConsolePluginContentSecurityPolicy" - }, { "name": "DNSNameResolver" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml index 43c5affe7e2..0ab32567aaa 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml @@ -257,9 +257,6 @@ { "name": "CPMSMachineNamePrefix" }, - { - "name": "ConsolePluginContentSecurityPolicy" - }, { "name": "ExternalOIDC" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml index e9d704c6a35..d9a12fbe671 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml @@ -124,9 +124,6 @@ { "name": "ConfigurablePKI" }, - { - "name": "ConsolePluginContentSecurityPolicy" - }, { "name": "DNSNameResolver" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml index 9c72a8df94f..4d643e2f6dd 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml @@ -259,9 +259,6 @@ { "name": "CPMSMachineNamePrefix" }, - { - "name": "ConsolePluginContentSecurityPolicy" - }, { "name": "ExternalOIDC" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml index f3a7e2c225a..9efcb6b3fe6 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml @@ -142,9 +142,6 @@ { "name": "ConfigurablePKI" }, - { - "name": "ConsolePluginContentSecurityPolicy" - }, { "name": "DNSNameResolver" },