-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Custom match criteria #116350
Custom match criteria #116350
Conversation
Hi @maxsmythe. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Revert change here?
MatchConditions []MatchCondition `json:"matchConditions" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,5,rep,name=matchConditions"` | ||
} | ||
|
||
var _ cel.ExpressionAccessor = &MatchCondition{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should not sit in this file?
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator.go
Outdated
Show resolved
Hide resolved
Once params is wired in through the matcher this should be able to mostly piggy-back off of webhook matchConditions, so I don't see much to do here. Even wiring in params should be timed carefully to avoid inducing excess rebase pain. Places to consider adding tests while waiting:
For auditAnnotations (which also adds new expressions to ValidationAdmissionPolicy), I believe these were the places I added test cases before writing some full integration tests (which go in |
/triage accepted |
I believe I've addressed all the outstanding comments |
interesting, I can't re-request from both liggitt and tallclair at the same time |
@maxsmythe: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
It looks like some auto-gen stuff failed even though |
Signed-off-by: Max Smythe <smythe@google.com>
Codegen re-ran |
oh, looks like |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cici37, liggitt, maxsmythe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nothing is merging blocker. LGTM. Thank you!
@@ -520,6 +523,17 @@ func ignoreValidatingWebhookMatchConditions(new, old []admissionregistration.Val | |||
return true | |||
} | |||
|
|||
// ignoreMatchConditions returns true if any new expressions are added |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: ignoreValidatingAdmissionPolicyMatchConditions
?
I understand the comment tried to say that we set opt ignoreMatchConditions to true if any new expressions are added while updating but it might not so clear as the func name doesn't match the comment :). Maybe something like ignoreValidatingAdmissionPolicyMatchConditions returns true if both paramsKind and matchConditions remain the same while updating hence the update in ValidatingAdmissionPolicySpec will skip matchConditions.
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the spirit of making comments semantically valuable and avoiding describing logic, how about:
"ignoreValidatingAdmissionPolicyMatchConditions returns true if there have been no updates that could invalidate previously-valid match conditions"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure! 🤗
@@ -501,13 +502,24 @@ func (c *policyController) latestPolicyData() []policyData { | |||
if definitionInfo.lastReconciledValue.Spec.ParamKind != nil { | |||
hasParam = true | |||
} | |||
matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions | |||
matchExpressionAccessors := make([]cel.ExpressionAccessor, len(matchConditions)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: do we wanna check the len before construct matchExpressionAccessors
and matchconditions.Matcher
? something like:
matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions
var matcher matchconditions.Matcher = nil
if len(matchConditions) > 0 {
matchExpressionAccessors := make([]cel.ExpressionAccessor, len(matchConditions))
for i := range matchConditions {
matchExpressionAccessors[i] = (*matchconditions.MatchCondition)(&matchConditions[i])
}
matcher = matchconditions.NewMatcher(c.filterCompiler.Compile(matchExpressionAccessors, optionalVars, celconfig.PerCallLimit), c.authz, failurePolicy, "validatingadmissionpolicy", definitionInfo.lastReconciledValue.Name)
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that seems a bit clearer, changing.
Signed-off-by: Max Smythe <smythe@google.com>
/lgtm |
LGTM label has been added. Git tree hash: 3207223f1b9306ae73616112359fb37f50019ce8
|
* Add custom match conditions for CEL admission This PR is based off of, and dependent on the following PR: kubernetes#116261 Signed-off-by: Max Smythe <smythe@google.com> * run `make update` Signed-off-by: Max Smythe <smythe@google.com> * Fix unit tests Signed-off-by: Max Smythe <smythe@google.com> * Fix unit tests Signed-off-by: Max Smythe <smythe@google.com> * Update compatibility test data Signed-off-by: Max Smythe <smythe@google.com> * Revert "Update compatibility test data" This reverts commit 312ba7f. * Allow params during validation; make match conditions optional Signed-off-by: Max Smythe <smythe@google.com> * Add conditional ignoring of matcher CEL expression validation on update Signed-off-by: Max Smythe <smythe@google.com> * Run codegen Signed-off-by: Max Smythe <smythe@google.com> * Add more validation tests Signed-off-by: Max Smythe <smythe@google.com> * Short-circuit CEL matcher when no matchers specified Signed-off-by: Max Smythe <smythe@google.com> * Run codegen Signed-off-by: Max Smythe <smythe@google.com> * Address review comments Signed-off-by: Max Smythe <smythe@google.com> --------- Signed-off-by: Max Smythe <smythe@google.com>
Currently blocked/dependent on #116261What type of PR is this?
/kind feature
/kind api-change
What this PR does / why we need it:
This PR adds custom match conditions per this section of the CEL Admission KEP:
https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3488-cel-admission-control#match-conditions
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: