Custom match criteria#116350
Conversation
|
Hi @maxsmythe. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
This should not sit in this file?
|
Once params is wired in through the matcher this should be able to mostly piggy-back off of webhook matchConditions, so I don't see much to do here. Even wiring in params should be timed carefully to avoid inducing excess rebase pain. Places to consider adding tests while waiting:
For auditAnnotations (which also adds new expressions to ValidationAdmissionPolicy), I believe these were the places I added test cases before writing some full integration tests (which go in |
|
/triage accepted |
| } | ||
| } | ||
| for i, matchCondition := range spec.MatchConditions { | ||
| allErrors = append(allErrors, validateMatchCondition(&matchCondition, fldPath.Child("matchConditions").Index(i))...) |
There was a problem hiding this comment.
validateMatchCondition is currently set to validate for webhook admission, so sets HasParams: false,
are conditions expected to have access to the params var in CEL admission conditions for policies which set params? Do we need to plumb a conditional true to validateMatchCondition for that?
There was a problem hiding this comment.
We do expect parameters for validation. I'll need to add some plumbing.
There was a problem hiding this comment.
that'll make the API doc on the MatchCondition expression field interesting to write
There was a problem hiding this comment.
Yeah, maybe for now only document it in matchConditions since that is bound directly to VAP types.
There was a problem hiding this comment.
Is there a reason you used the singular validateMatchCondition here rather than validateMatchConditions? This is missing the name uniqueness & max-64 conditions checks.
Also, should we reuse the opts.IgnoreMatchConditions setting for this?
There was a problem hiding this comment.
reason for using singular: I don't think the plural version existed when I wrote this, sorry for missing the add.
re: opts:
Happy to re-use the opts programming model for this, though I wouldn't re-use the specific option, since it is a different feature with different gating
There was a problem hiding this comment.
The boolean just controls whether to validate the matchConditions field or not.
For webhooks, that is populated based on whether or not they have changed in an update. You don't have to wire it to a feature gate at all
There was a problem hiding this comment.
Oh, I think I misunderstood the match conditions bit, you want to save on the compute if nothing has changed... gotcha. Will add.
There was a problem hiding this comment.
you want to save on the compute if nothing has changed
It also makes it much easier to change validation constraints in the future (e.g. if we relaxed the max number of matchConditions).
| // MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook. | ||
| type MatchCondition struct { |
There was a problem hiding this comment.
we already know where we're going with this type since we have it present in the v1 API package as well. Should we type alias this to v1.MatchCondition like we did for Rule and ScopeType?
There was a problem hiding this comment.
no objection to type aliasing
|
I'll update PR after Gatekeeper community meeting. |
| } | ||
| } | ||
| for i, matchCondition := range spec.MatchConditions { | ||
| allErrors = append(allErrors, validateMatchCondition(&matchCondition, fldPath.Child("matchConditions").Index(i))...) |
There was a problem hiding this comment.
Is there a reason you used the singular validateMatchCondition here rather than validateMatchConditions? This is missing the name uniqueness & max-64 conditions checks.
Also, should we reuse the opts.IgnoreMatchConditions setting for this?
This reverts commit 312ba7f.
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
| }, | ||
| }, | ||
| expectedError: `spec.matchConditions[0].name: Required value`, | ||
| }, |
There was a problem hiding this comment.
A couple other test cases that would be good to add:
- condition w/ params, both valid & invalid variants
- don't ignore conditions if ParamKind changes
| // There are a maximum of 64 match conditions allowed. | ||
| // | ||
| // If a parameter object is provided, it can be accessed via the `params` handle in the same | ||
| // manner as validation expressions. |
There was a problem hiding this comment.
When this graduates (to beta? stable?) we should probably add this to the expression docs comment directly (noting that it doesn't apply to webhooks). Not sure if we want to do that while CEL admission is still alpha though.
There was a problem hiding this comment.
ack, leaving this as-is for now
|
Left a couple nits, but this basically LGTM. Ping me when the comments are addressed, and I'll give it the lgtm. |
| failurePolicy := convertv1alpha1FailurePolicyTypeTov1FailurePolicyType(definitionInfo.lastReconciledValue.Spec.FailurePolicy) | ||
| bindingInfo.validator = c.newValidator( | ||
| c.filterCompiler.Compile(convertv1alpha1Validations(definitionInfo.lastReconciledValue.Spec.Validations), optionalVars, celconfig.PerCallLimit), | ||
| matchconditions.NewMatcher(c.filterCompiler.Compile(matchExpressionAccessors, optionalVars, celconfig.PerCallLimit), c.authz, failurePolicy, "validatingadmissionpolicy", definitionInfo.lastReconciledValue.Name), |
There was a problem hiding this comment.
does c.filterCompiler.Compile or NewMatcher or the Match() impl do appreciable work even if we have no conditions? should we only pass in a matcher if we actually have conditions to match, and skip the Match() call if that's nil?
There was a problem hiding this comment.
Per below, I think this will save on evaluation in the near term (long term we should cache operations like casting the input object as unstructured).
There was a problem hiding this comment.
If we don't have any matchConditions, skipping the matcher construction here and tolerating nil below is easy to understand for now. I'd probably recommend that
| f = *v.failPolicy | ||
| } | ||
|
|
||
| matchResults := v.celMatcher.Match(ctx, versionedAttr, versionedParams) |
There was a problem hiding this comment.
related to the above question, is celMatcher always non-nil? should it be nil and should we skip this if we have no matchConditions?
There was a problem hiding this comment.
Currently celMatcher is always non-nil, it delegates it's non-trivial logic to filter, which does do some casting of parameters. Matcher, followed by ForInput below:
kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter.go
Lines 122 to 222 in 2ae7bc3
Ideally a lot of this would be lazily evaluated and cached (since these processes would be needed for evaluating CEL expressions anyway), but I think toggling will add some performance in the short term.
|
|
||
| type validationOptions struct { | ||
| ignoreMatchConditions bool | ||
| matchConditionsHasParameters bool |
There was a problem hiding this comment.
nit: allowParamsInMatchConditions might be clearer. it's hard to tell if this means matchConditions are using a params field or if matchConditions are allowed to use a params var.
|
looks like |
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
|
I believe I've addressed all the outstanding comments |
|
interesting, I can't re-request from both liggitt and tallclair at the same time |
|
@maxsmythe: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
It looks like some auto-gen stuff failed even though |
Signed-off-by: Max Smythe <smythe@google.com>
|
Codegen re-ran |
oh, looks like |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cici37, liggitt, maxsmythe The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
cici37
left a comment
There was a problem hiding this comment.
Nothing is merging blocker. LGTM. Thank you!
| return true | ||
| } | ||
|
|
||
| // ignoreMatchConditions returns true if any new expressions are added |
There was a problem hiding this comment.
nit: ignoreValidatingAdmissionPolicyMatchConditions?
I understand the comment tried to say that we set opt ignoreMatchConditions to true if any new expressions are added while updating but it might not so clear as the func name doesn't match the comment :). Maybe something like ignoreValidatingAdmissionPolicyMatchConditions returns true if both paramsKind and matchConditions remain the same while updating hence the update in ValidatingAdmissionPolicySpec will skip matchConditions. ?
There was a problem hiding this comment.
In the spirit of making comments semantically valuable and avoiding describing logic, how about:
"ignoreValidatingAdmissionPolicyMatchConditions returns true if there have been no updates that could invalidate previously-valid match conditions"?
| hasParam = true | ||
| } | ||
| matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions | ||
| matchExpressionAccessors := make([]cel.ExpressionAccessor, len(matchConditions)) |
There was a problem hiding this comment.
nit: do we wanna check the len before construct matchExpressionAccessors and matchconditions.Matcher? something like:
matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions
var matcher matchconditions.Matcher = nil
if len(matchConditions) > 0 {
matchExpressionAccessors := make([]cel.ExpressionAccessor, len(matchConditions))
for i := range matchConditions {
matchExpressionAccessors[i] = (*matchconditions.MatchCondition)(&matchConditions[i])
}
matcher = matchconditions.NewMatcher(c.filterCompiler.Compile(matchExpressionAccessors, optionalVars, celconfig.PerCallLimit), c.authz, failurePolicy, "validatingadmissionpolicy", definitionInfo.lastReconciledValue.Name)
}
There was a problem hiding this comment.
Yeah, that seems a bit clearer, changing.
Signed-off-by: Max Smythe <smythe@google.com>
|
/lgtm |
|
LGTM label has been added. DetailsGit tree hash: 3207223f1b9306ae73616112359fb37f50019ce8 |
Currently blocked/dependent on #116261What type of PR is this?
/kind feature
/kind api-change
What this PR does / why we need it:
This PR adds custom match conditions per this section of the CEL Admission KEP:
https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3488-cel-admission-control#match-conditions
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: