-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apply cost constraints to ValidatingAdmissionPolicy #115747
Conversation
27c62f8
to
f99fad0
Compare
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
/cc @jpbetz |
/triage accepted |
Changelog suggestion: Added CEL runtime cost calculation into ValidatingAdmissionPolicy. ValidatingAdmissionPolicy will fail if the
runtime cost exceeds the per-call limit for each validation expression or cost of all expressions exceed `runtimeCELBudget`. However, I'd prefer to be more clear:
|
PerCallLimit = 1000000 | ||
|
||
// RuntimeCELCostBudget is the overall cost budget for runtime CEL validation cost per ValidatingAdmissionPolicy or CustomResource | ||
// current RuntimeCELCostBudget gives roughly 1 seconds for the validation | ||
RuntimeCELCostBudget = 10000000 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we include a unit into these constant names? Even if it's PerCallLimitFooBars
or PerCallLimitApproximateSeconds
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is a little tricky to define the unit.. The cost is the cost of operation defined by cel-go. Open to suggestions on this one :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know if this helps, but I'll make a few statements about cost:
- CEL cost units represent an evaluation of a basic CEL compute operation. CEL cost units do not have a 1:1 correspondence with machine instructions (or CPU cycles), but each can be though of roughly as the compute required for CEL to evaluate simple operations like a integer comparison.
- For any CEL expression and input, the CEL cost will always be exactly the same regardless or platform or system load.
- CEL cost units are tallied during CEL evaluation, but do not directly represent the metering of CPU utilization.
Thanks for the suggestion!
It is the cel-go cost check which prevent us from long running on cel validation. CRD validation rules has this check for quite some time. This PR is to apply the same constraints on ValidatingAdmissionPolicy.
Fail means the admission validation will fail and the FailurePolicy will apply.
This is the number we assigned based on evaluation hence not allow users to specify |
OK, try this release note: Added CEL runtime cost calculation into ValidatingAdmissionPolicy, matching the evaluation cost
restrictions that already apply to CustomResourceDefinition.
If rule evaluation uses more compute than the limit, the API server aborts the evaluation and the
admission check that was being performed is aborted; the `failurePolicy` for the ValidatingAdmissionPolicy
determines the outcome. |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approach looks great. The "per binding" approach to the budget was what I was hoping to see here! I added a few minor comments but nothing blocking. LGTM once those are addressed.
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/compiler.go
Outdated
Show resolved
Hide resolved
/test pull-kubernetes-e2e-gce |
} | ||
remainingBudget -= int64(*rtCost) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: here we make the behavior same as the CRD validation rule path, which is whenever issues in retrieving cost, per expression cost exceed or runtime budge exceed, we stop running following expressions and return error.
However, it will make the cost exceed error higher priority than other errors and return only per expression exceed error back even there are another validation failures existing.
Should we treat the per expression cost exceed error same as other errors and save per evaluationResult
? And we could also consider keeping the following validations running. What do you think? @jpbetz
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's fine to only return one per expression exceeded error back. Users shouldn't expect to get full information back when the cost system kicks in, since the point of the cost system is to prevent running CEL expressions once the limit is exceeded.
EDIT: What I mean is that I think the code in this PR is correct. Just error out when the limit is hit.
/approve /assign @liggitt for API review approval. The only change here is passing the runtime limit when compiling expressions during API validation (which doesn't actually change anything). |
/approve CI looks unhappy, but the API const relocation and package addition in vendor.txt lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cici37, jpbetz, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
An duplicated imports get in while rebasing. I removed it and CI should be happy now. Thank you! |
still some relevant lint/vet/unit failures, looks like |
/lgtm |
LGTM label has been added. Git tree hash: 15f783c147ded42118aa8d1fdeea53bde5d0f9c7
|
What type of PR is this?
/kind feature
What this PR does / why we need it:
Apply cost constraints to ValidatingAdmissionPolicy
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
This change contains:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: