Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

wasm: add restrictions #2797

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Conversation

kyessenov
Copy link
Contributor

Signed-off-by: Kuat Yessenov <[email protected]>
@kyessenov kyessenov requested a review from a team as a code owner May 25, 2023 19:29
@istio-policy-bot
Copy link

🤔 🐛 You appear to be fixing a bug in Go code, yet your PR doesn't include updates to any test files. Did you forget to add a test?

Courtesy of your friendly test nag.

@istio-testing istio-testing added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 25, 2023
Signed-off-by: Kuat Yessenov <[email protected]>
@istio-testing
Copy link
Collaborator

@kyessenov: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
release-notes_api bbdb217 link false /test release-notes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

// The following ABI calls are permitted:
// * logging;
// * property read.
DEFAULT = 0;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am a bit worried about making the default a reduced set. I get we are in alpha so technically we can make breaking changes here, but I worry this is actually used pretty heavily in production given we have been telling users to stop using EnvoyFilter in favor of WasmPlugin.

My assumption here is most WASM plugin users would break upon upgrade to 1.19 if we do this. Is that accurate?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I share the concern.

I don't think we have that many users, and the longer we wait, the harder it is to add restrictions. Wasm ABI is not stable, and in fact, a new version is coming which is likely to create transition problems for users regardless.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO, the default should be unrestricted, at least initially.

Perhaps add a warning for a few releases (so that people have time to configure for their needs) and then change it to something more restrictive?

I believe that some Istio providers force update their customers, in which case this would break Istio deployments with Wasm in a pretty bad way.

Copy link

@bleggett bleggett May 31, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we change the default to default-secure and document how people can change the default if they need to, that strikes me as reasonable.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning is hard to enforce. Maybe we need some auditing mechanism at runtime that would warn without breaking. I'm only considering this option because it's an alpha API and that's the whole purpose of alpha is to make it better before beta.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough. Perhaps istioctl could check for WasmPlugin and EnvoyFilter with Wasm extensions CRDs and warn about it?

Copy link

@bleggett bleggett Jun 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not necessarily advocating that we don't warn, but WasmFilters are an Alpha feature, which literally states "may be removed or changed without notice" - we don't owe anyone a warning outside of release notes if we change the defaults to something more secure.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, although it's been alpha for a long time and there is number of customers (including big deployments) that are using it.

Copy link

@bleggett bleggett Jun 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I get that - but that is the cost they agreed to bear when they adopted an alpha API. If we know them, notify them as a favor, and change it.

The feature status coin we keep talking about has two sides - if we want to be stricter about moving things up or out, we also need to be stricter about alpha meaning what our public-facing docs say it means - that is, not stable, no compat guarantees, breaks and changes without notice.

If that causes disruption for someone because they weren't checking release notes, then we have a discussion with them as interested parties about how to move the feature to a stability status they are comfortable with.

}

// Capability restriction enforces limits on the Wasm ABI calls.
message CapabilityRestriction {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does this look like on Envoy side? Do they have the same concept?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a proxy-wasm concept - https://github.com/proxy-wasm/proxy-wasm-cpp-host/blob/master/include/proxy-wasm/wasm.h#L46, and it's exposed through xDS.

@kyessenov
Copy link
Contributor Author

@PiotrSikora you probably have some thoughts on making Wasm modules more portable.

@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Jun 2, 2023
@istio-testing
Copy link
Collaborator

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Copy link

@PiotrSikora PiotrSikora left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @mpwarres @martijneken to see if they have any comments based on their experience with limiting ABI surface.

Comment on lines +360 to +370
// Event restrictions enforces limits on the callback to the Wasm module.
message EventRestriction {
// Trigger Wasm execution on receiving the request headers.
bool OnRequestHeaders = 1;
// Trigger Wasm execution on receiving the request body.
bool OnRequestBody = 2;
// Trigger Wasm execution on receiving the response headers.
bool OnResponseHeaders = 3;
// Trigger Wasm execution on receiving the response body.
bool OnResponseBody = 4;
}

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add HTTP trailers and TCP events.

Also, I cannot tell from the description whether setting value to true allows given event to happen or forces it to be ignored (restricted).

// The following ABI calls are permitted:
// * logging;
// * property read.
DEFAULT = 0;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO, the default should be unrestricted, at least initially.

Perhaps add a warning for a few releases (so that people have time to configure for their needs) and then change it to something more restrictive?

I believe that some Istio providers force update their customers, in which case this would break Istio deployments with Wasm in a pretty bad way.

@hzxuzhonghu
Copy link
Member

I think this capability is necessary, but not sure whether it should be in WasmPlugin. If a user can create wasmplugin, he could also set any capability set, how could it really restrict malicious user.

If this could be enforce to per proxy or mesh globally, it can really restrict.

@howardjohn
Copy link
Member

howardjohn commented Jun 12, 2023 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-rebase Indicates a PR needs to be rebased before being merged size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Wasm capability restrictions
7 participants