Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Panic in authorino pod when defining a k8s SAR rule without the user field #494

Open
roivaz opened this issue Oct 10, 2024 · 0 comments
Open
Labels
kind/bug Something isn't working

Comments

@roivaz
Copy link

roivaz commented Oct 10, 2024

Describe the bug

The authorino process panics when the user field in a k8s SAR authorization rule is not defined.

Help us Reproduce it

  1. Create the following Kuadrant AuthPolicy
apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  name: sar-protected-api
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: some-route
  routeSelectors:
    - matches:
        - path:
            type: PathPrefix
            value: /some-path
  rules:
    authentication:
      "service-accounts":
        kubernetesTokenReview:
          audiences:
            - "https://example.com"
    authorization:
      "k8s-rbac":
        kubernetesSubjectAccessReview:
          groups:
            - "some-group"
  1. Check the logs of the authorino pod to see the following panic
{"level":"info","ts":"2024-10-10T14:30:50Z","logger":"authorino","msg":"Observed a panic in reconciler: runtime error: invalid memory address or nil pointer dereference","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig","AuthConfig":{"name":"ap-3scale-saas-backend-internal-api","namespace":"3scale-saas"},"namespace":"3scale-saas","name":"ap-3scale-saas-backend-internal-api","reconcileID":"23813405-f48b-4cda-a0f9-ef21c5d6aa8c"}
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1b5cd9c]
goroutine 180 [running]:
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()
/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:116 +0x1e5
panic({0x1de0b00?, 0x36d5b30?})
/usr/lib/golang/src/runtime/panic.go:914 +0x21f
github.com/kuadrant/authorino/controllers.(*AuthConfigReconciler).translateAuthConfig(0xc00067e680, {0x25020a8, 0xc000c40db0}, 0xc00027f4a0)
/usr/src/authorino/controllers/auth_config_controller.go:424 +0x1bdc
github.com/kuadrant/authorino/controllers.(*AuthConfigReconciler).Reconcile(0xc00067e680, {0x25020a8, 0xc000afdf80}, {{{0xc0003edaa0?, 0x5?}, {0xc00043ae70?, 0xc000736d08?}}})
/usr/src/authorino/controllers/auth_config_controller.go:114 +0x4ee
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x2507490?, {0x25020a8?, 0xc000afdf80?}, {{{0xc0003edaa0?, 0xb?}, {0xc00043ae70?, 0x0?}}})
/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:119 +0xb7
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0007c14a0, {0x25020e0, 0xc0007b1270}, {0x1ebbba0?, 0xc0000a87a0?})
/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316 +0x3cc
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0007c14a0, {0x25020e0, 0xc0007b1270})
/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266 +0x1af
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227 +0x79
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 in goroutine 93
/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:223 +0x565

Expected behavior

Don't panic and report the error somehow (logs, conditions or even reject the AuthPolicy/AuthConfig).

Environment (please complete the following information):

  • Openshift 4.16
  • kuadrant v0.11.0 & authorino-operator v0.13.0

Additional context

Slack conversation https://kubernetes.slack.com/archives/C05J0D0V525/p1728554107621359

@guicassolato guicassolato added the kind/bug Something isn't working label Oct 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Something isn't working
Projects
Status: No status
Development

No branches or pull requests

2 participants