Apply cost constraints to ValidatingAdmissionPolicy #115747
Conversation
k8s-ci-robot
added
release-note
cici37
force-pushed
the
rc
branch
3 times, most recently
from
27c62f8
to
f99fad0
Compare
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
|
/cc @jpbetz |
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
|
Changelog suggestion: Added CEL runtime cost calculation into ValidatingAdmissionPolicy. ValidatingAdmissionPolicy will fail if the
runtime cost exceeds the per-call limit for each validation expression or cost of all expressions exceed `runtimeCELBudget`.However, I'd prefer to be more clear:
|
| PerCallLimit = 1000000 | ||
|
|
||
| // RuntimeCELCostBudget is the overall cost budget for runtime CEL validation cost per ValidatingAdmissionPolicy or CustomResource | ||
| // current RuntimeCELCostBudget gives roughly 1 seconds for the validation | ||
| RuntimeCELCostBudget = 10000000 |
There was a problem hiding this comment.
Can we include a unit into these constant names? Even if it's PerCallLimitFooBars or PerCallLimitApproximateSeconds.
There was a problem hiding this comment.
It is a little tricky to define the unit.. The cost is the cost of operation defined by cel-go. Open to suggestions on this one :)
There was a problem hiding this comment.
I don't know if this helps, but I'll make a few statements about cost:
- CEL cost units represent an evaluation of a basic CEL compute operation. CEL cost units do not have a 1:1 correspondence with machine instructions (or CPU cycles), but each can be though of roughly as the compute required for CEL to evaluate simple operations like a integer comparison.
- For any CEL expression and input, the CEL cost will always be exactly the same regardless or platform or system load.
- CEL cost units are tallied during CEL evaluation, but do not directly represent the metering of CPU utilization.
|
Thanks for the suggestion!
It is the cel-go cost check which prevent us from long running on cel validation. CRD validation rules has this check for quite some time. This PR is to apply the same constraints on ValidatingAdmissionPolicy.
Fail means the admission validation will fail and the FailurePolicy will apply.
This is the number we assigned based on evaluation hence not allow users to specify |
|
OK, try this release note: Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching the evaluation cost
restrictions that already apply to CustomResourceDefinition.
If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the
admission check that was being performed is aborted; the `failurePolicy` for the ValidatingAdmissionPolicy
determines the outcome. |
liggitt
added
the
api-review
|
/retest |
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/compiler.go
Outdated
Show resolved
Hide resolved
|
/test pull-kubernetes-e2e-gce |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
| } | ||
| remainingBudget -= int64(*rtCost) | ||
| } | ||
| } |
There was a problem hiding this comment.
Note: here we make the behavior same as the CRD validation rule path, which is whenever issues in retrieving cost, per expression cost exceed or runtime budge exceed, we stop running following expressions and return error.
However, it will make the cost exceed error higher priority than other errors and return only per expression exceed error back even there are another validation failures existing.
Should we treat the per expression cost exceed error same as other errors and save per evaluationResult? And we could also consider keeping the following validations running. What do you think? @jpbetz
There was a problem hiding this comment.
I think it's fine to only return one per expression exceeded error back. Users shouldn't expect to get full information back when the cost system kicks in, since the point of the cost system is to prevent running CEL expressions once the limit is exceeded.
EDIT: What I mean is that I think the code in this PR is correct. Just error out when the limit is hit.
|
/approve /assign @liggitt for API review approval. The only change here is passing the runtime limit when compiling expressions during API validation (which doesn't actually change anything). |
|
/approve CI looks unhappy, but the API const relocation and package addition in vendor.txt lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cici37, jpbetz, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
An duplicated imports get in while rebasing. I removed it and CI should be happy now. Thank you! |
|
still some relevant lint/vet/unit failures, looks like |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 15f783c147ded42118aa8d1fdeea53bde5d0f9c7
|
What type of PR is this?
/kind feature
What this PR does / why we need it:
Apply cost constraints to ValidatingAdmissionPolicy
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
This change contains:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: