admission: wire through validating-only admission #54484
Conversation
k8s-ci-robot
added
size/XL
sttts
force-pushed
the
sttts-split-psp
branch
from
6f750c4 to
daf8666
Compare
sttts
added
release-note-none
sttts
force-pushed
the
sttts-split-psp
branch
from
daf8666 to
4266322
Compare
|
/assign caesarxuchao |
|
@sttts: Adding do-not-merge/release-note-label-needed because the release note process has not been followed. One of the following labels is required "release-note", "release-note-action-required", or "release-note-none". Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
do-not-merge/release-note-label-needed
sttts
force-pushed
the
sttts-split-psp
branch
from
85a34c0 to
52de214
Compare
| @@ -73,15 +73,15 @@ func (s *storage) GetStatefulSet(ctx genericapirequest.Context, statefulSetID st | |||
| } | |||
|
|
|||
| func (s *storage) CreateStatefulSet(ctx genericapirequest.Context, statefulSet *apps.StatefulSet) (*apps.StatefulSet, error) { | |||
| obj, err := s.Create(ctx, statefulSet, false) | |||
| obj, err := s.Create(ctx, statefulSet, rest.ValidateAllObjectFunc, false) | |||
There was a problem hiding this comment.
So I've been reading through this code. I think it is a mistake to make this intermediate registry for use by the scale client. It makes what is happening far less obvious. Your choice here is safe, but only because of how this is used.
Please open an issue.
There was a problem hiding this comment.
It's boilerplate code essentially doing a type cast, not more. I agree this complicates more than it helps.
There was a problem hiding this comment.
Following the old behaviour, I wired the validation functions through now from the subresource registries via the intermediate registries to the storage.
| @@ -56,12 +56,12 @@ func (s *storage) ListCSRs(ctx genericapirequest.Context, options *metainternalv | |||
| } | |||
|
|
|||
| func (s *storage) CreateCSR(ctx genericapirequest.Context, csr *certificates.CertificateSigningRequest) error { | |||
There was a problem hiding this comment.
file looks dead. please delete instead.
There was a problem hiding this comment.
We have plenty of these which are not called. This will be fixed in a follow-up via #54693.
| @@ -69,7 +69,7 @@ func (s *storage) GetConfigMap(ctx genericapirequest.Context, name string, optio | |||
| } | |||
|
|
|||
| func (s *storage) CreateConfigMap(ctx genericapirequest.Context, cfg *api.ConfigMap) (*api.ConfigMap, error) { | |||
There was a problem hiding this comment.
looks dead, please delete instead.
| @@ -66,7 +66,7 @@ func (s *storage) GetEndpoints(ctx genericapirequest.Context, name string, optio | |||
| } | |||
|
|
|||
| func (s *storage) UpdateEndpoints(ctx genericapirequest.Context, endpoints *api.Endpoints) error { | |||
| _, _, err := s.Update(ctx, endpoints.Name, rest.DefaultUpdatedObjectInfo(endpoints)) | |||
| _, _, err := s.Update(ctx, endpoints.Name, rest.DefaultUpdatedObjectInfo(endpoints), rest.ValidateAllObjectFunc, rest.ValidateAllObjectUpdateFunc) | |||
There was a problem hiding this comment.
only safe because of how it is called. Needs a comment.
| @@ -67,12 +67,12 @@ func (s *storage) GetNamespace(ctx genericapirequest.Context, namespaceName stri | |||
| } | |||
|
|
|||
| func (s *storage) CreateNamespace(ctx genericapirequest.Context, namespace *api.Namespace) error { | |||
There was a problem hiding this comment.
appears dead. please delete instead.
pkg/registry/core/node/registry.go
Outdated
| @@ -56,12 +56,12 @@ func (s *storage) ListNodes(ctx genericapirequest.Context, options *metainternal | |||
| } | |||
|
|
|||
| func (s *storage) CreateNode(ctx genericapirequest.Context, node *api.Node) error { | |||
There was a problem hiding this comment.
appears dead. please delete instead
| @@ -74,15 +74,15 @@ func (s *storage) GetController(ctx genericapirequest.Context, controllerID stri | |||
| } | |||
|
|
|||
| func (s *storage) CreateController(ctx genericapirequest.Context, controller *api.ReplicationController) (*api.ReplicationController, error) { | |||
There was a problem hiding this comment.
same comment about scale here. Needs a big warning and a followup issue.
pkg/registry/core/secret/registry.go
Outdated
| @@ -67,12 +67,12 @@ func (s *storage) GetSecret(ctx genericapirequest.Context, name string, options | |||
| } | |||
|
|
|||
| func (s *storage) CreateSecret(ctx genericapirequest.Context, secret *api.Secret) (*api.Secret, error) { | |||
There was a problem hiding this comment.
comment that its only safe due to usage and that we need to move to a loopback connection for SA token authentication.
There was a problem hiding this comment.
issue for the loopback thing.
There was a problem hiding this comment.
Also dead code fixed via #54693
| @@ -58,7 +58,7 @@ func (s *storage) ListServices(ctx genericapirequest.Context, options *metainter | |||
| } | |||
|
|
|||
| func (s *storage) CreateService(ctx genericapirequest.Context, svc *api.Service) (*api.Service, error) { | |||
There was a problem hiding this comment.
only safe due to usage. Issue to move this one to point of use.
There was a problem hiding this comment.
This is actually used. Wired through the createValidation from service REST Create.
| @@ -67,12 +67,12 @@ func (s *storage) GetServiceAccount(ctx genericapirequest.Context, name string, | |||
| } | |||
|
|
|||
| func (s *storage) CreateServiceAccount(ctx genericapirequest.Context, serviceAccount *api.ServiceAccount) error { | |||
There was a problem hiding this comment.
only safe due to usage. This one should be removed in favor of loopback too.
There was a problem hiding this comment.
Also dead code fixed via #54693
| @@ -225,6 +225,7 @@ func (r *ScaleREST) Update(ctx genericapirequest.Context, name string, objInfo r | |||
| return nil, false, err | |||
| } | |||
|
|
|||
| // TODO: should we pass admission here? | |||
There was a problem hiding this comment.
Yes, but you should do it by eliminating the use of the registry or changing the registry signature to accept the validation functions.
There was a problem hiding this comment.
Are the validation/update validation functions passed into this function going to be about Deployments or Scale types? I would naively expect the latter, in which case this code probably needs some drastic revision. (file an issue "scale (all?) subresources evade admission checking") rather than fix it in this PR.
There was a problem hiding this comment.
I would naively expect the former. As a webhook author, should I care about the way a user changes the replicas value? I would naively add an admission step for the full resource.
There was a problem hiding this comment.
lavalamp 20 hours ago
Are the validation/update validation functions passed into this function going to be about Deployments or Scale types? I would naively expect the latter, in which case this code probably needs some drastic revision. (file an issue "scale (all?) subresources evade admission checking") rather than fix it in this PR.sttts 2 hours ago
I would naively expect the former. As a webhook author, should I care about the way a user changes the replicas value? I would naively add an admission step for the full resource.
In our code today, the same admission chain is called for subresources as is called for normal resources. This gives admission plugins the flexibility to decide if they care about subresource modifications (not all will), but if they do, it gives the full before/after context.
I think for now we should preserve the existing behavior (which I called out in a comment). I'm open to discussing a change in behavior, but I'd like to do it outside the context of this pull. @lavalamp I think you agree based on "(file an issue "scale (all?) subresources evade admission checking") rather than fix it in this PR."
There was a problem hiding this comment.
Comment is outdated. Will remove the TODO.
k8s-github-robot
added
the
approved
|
/retest Review the full test history for this PR. |
2 similar comments
|
/retest Review the full test history for this PR. |
|
/retest Review the full test history for this PR. |
sttts
force-pushed
the
sttts-split-psp
branch
from
b8fac4e to
1bb2cb2
Compare
k8s-github-robot
removed
the
lgtm
sttts
force-pushed
the
sttts-split-psp
branch
from
1bb2cb2 to
35bb682
Compare
sttts
added
the
lgtm
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
Automatic merge from submit-queue (batch tested with PRs 55331, 55272, 55228, 49763, 55242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: add validating admission tests Follow-up of #54484 This includes tests - in endpoint tests, - in generic registry, - in patch handler, - in admission chain.
Automatic merge from submit-queue (batch tested with PRs 55331, 55272, 55228, 49763, 55242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: add validating admission tests Follow-up of kubernetes/kubernetes#54484 This includes tests - in endpoint tests, - in generic registry, - in patch handler, - in admission chain. Kubernetes-commit: ee7f1b6e74fab4ed77592f29264575c634e4f2c1
Automatic merge from submit-queue (batch tested with PRs 55331, 55272, 55228, 49763, 55242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: add validating admission tests Follow-up of kubernetes/kubernetes#54484 This includes tests - in endpoint tests, - in generic registry, - in patch handler, - in admission chain. Kubernetes-commit: ee7f1b6e74fab4ed77592f29264575c634e4f2c1
Automatic merge from submit-queue (batch tested with PRs 55331, 55272, 55228, 49763, 55242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: add validating admission tests Follow-up of kubernetes/kubernetes#54484 This includes tests - in endpoint tests, - in generic registry, - in patch handler, - in admission chain. Kubernetes-commit: ee7f1b6e74fab4ed77592f29264575c634e4f2c1
Automatic merge from submit-queue (batch tested with PRs 55331, 55272, 55228, 49763, 55242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: add validating admission tests Follow-up of kubernetes/kubernetes#54484 This includes tests - in endpoint tests, - in generic registry, - in patch handler, - in admission chain. Kubernetes-commit: ee7f1b6e74fab4ed77592f29264575c634e4f2c1
Automatic merge from submit-queue (batch tested with PRs 55331, 55272, 55228, 49763, 55242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: add validating admission tests Follow-up of kubernetes/kubernetes#54484 This includes tests - in endpoint tests, - in generic registry, - in patch handler, - in admission chain. Kubernetes-commit: ee7f1b6e74fab4ed77592f29264575c634e4f2c1
Automatic merge from submit-queue (batch tested with PRs 55331, 55272, 55228, 49763, 55242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: add validating admission tests Follow-up of kubernetes/kubernetes#54484 This includes tests - in endpoint tests, - in generic registry, - in patch handler, - in admission chain. Kubernetes-commit: ee7f1b6e74fab4ed77592f29264575c634e4f2c1
Automatic merge from submit-queue (batch tested with PRs 55331, 55272, 55228, 49763, 55242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: add validating admission tests Follow-up of kubernetes/kubernetes#54484 This includes tests - in endpoint tests, - in generic registry, - in patch handler, - in admission chain. Kubernetes-commit: ee7f1b6e74fab4ed77592f29264575c634e4f2c1
Automatic merge from submit-queue (batch tested with PRs 55331, 55272, 55228, 49763, 55242). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: add validating admission tests Follow-up of kubernetes/kubernetes#54484 This includes tests - in endpoint tests, - in generic registry, - in patch handler, - in admission chain. Kubernetes-commit: ee7f1b6e74fab4ed77592f29264575c634e4f2c1
Based on #54232.
This is important and required for beta because it affects the shape of the webhook admission plugins that are going to be produced and is needed to make sure that our existing chain continues to properly verify and protect the API objects based on their final state after webhook admission mutators run.
We discussed this in the October 11 API machinery call with @erictune and @caesarxuchao and we agreed to do this as a requirement for beta. See this part of the recording: https://www.youtube.com/watch?v=mrgDPHyr4VY#t=325 .