Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom match criteria #116350

Merged
merged 13 commits into from
Mar 16, 2023
Merged

Custom match criteria #116350

merged 13 commits into from
Mar 16, 2023

Conversation

maxsmythe
Copy link
Contributor

@maxsmythe maxsmythe commented Mar 8, 2023
edited by liggitt

Currently blocked/dependent on #116261

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

This PR adds custom match conditions per this section of the CEL Admission KEP:

https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3488-cel-admission-control#match-conditions

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Added matchConditions field to ValidatingAdmissionPolicy, enabled support for CEL based custom match criteria.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/tree/e80ad39a21e6f1be90e2d514fb33df34fd496814/keps/sig-api-machinery/3488-cel-admission-control#match-conditions

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API labels Mar 8, 2023
@maxsmythe maxsmythe marked this pull request as draft March 8, 2023 01:21
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/apiserver labels Mar 8, 2023
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. area/code-generation do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. area/test needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Mar 8, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @maxsmythe. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added sig/testing Categorizes an issue or PR as relevant to SIG Testing. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 8, 2023
cici37
cici37 reviewed Mar 8, 2023
View reviewed changes
pkg/apis/admissionregistration/util.go Outdated
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revert change here?

staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go Outdated
MatchConditions []MatchCondition `json:"matchConditions" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,5,rep,name=matchConditions"`
}

var _ cel.ExpressionAccessor = &MatchCondition{}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should not sit in this file?

staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go Outdated Show resolved Hide resolved
@jpbetz
Copy link
Contributor

jpbetz commented Mar 9, 2023
edited

Once params is wired in through the matcher this should be able to mostly piggy-back off of webhook matchConditions, so I don't see much to do here. Even wiring in params should be timed carefully to avoid inducing excess rebase pain.

Places to consider adding tests while waiting:

  • pkg/apis/admissionregistration/validation/validation_test.go - Just a sanity test that matchConditions validation doesn't get broken in the future
  • staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator_test.go - Maaaybe add a test to make sure the failurePolicy settings are respected in the case of error
  • staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission_test.go - This is a mini-integration test that covers quite a bit of the code path from controller actuation to validation.

For auditAnnotations (which also adds new expressions to ValidationAdmissionPolicy), I believe these were the places I added test cases before writing some full integration tests (which go in test/integration/apiserver/cel/validatingadmissionpolicy_test.go when you get to that step).

@cici37
Copy link
Contributor

cici37 commented Mar 9, 2023

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 9, 2023
@maxsmythe
Copy link
Contributor Author

I believe I've addressed all the outstanding comments

@maxsmythe maxsmythe requested review from liggitt and tallclair and removed request for liggitt and tallclair March 15, 2023 21:14
@maxsmythe
Copy link
Contributor Author

interesting, I can't re-request from both liggitt and tallclair at the same time

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Mar 15, 2023
edited

@maxsmythe: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubernetes-e2e-gce-cos-alpha-features 509501a378d3feb948059259d844dd52c603d2aa link false /test pull-kubernetes-e2e-gce-cos-alpha-features
check-dependency-stats 509501a378d3feb948059259d844dd52c603d2aa link false /test check-dependency-stats
pull-kubernetes-conformance-kind-ipv6-parallel 509501a378d3feb948059259d844dd52c603d2aa link false /test pull-kubernetes-conformance-kind-ipv6-parallel

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@maxsmythe
Copy link
Contributor Author

It looks like some auto-gen stuff failed even though update-codegen.sh yielded no results, re-running full make update

@maxsmythe
Run codegen
5984b5e 
Signed-off-by: Max Smythe <smythe@google.com>
@maxsmythe
Copy link
Contributor Author

Codegen re-ran

@liggitt
Copy link
Member

liggitt commented Mar 15, 2023

It looks like some auto-gen stuff failed even though update-codegen.sh yielded no results, re-running full make update

oh, looks like update-openapi-spec isn't included in update-codegen

@liggitt
Copy link
Member

liggitt commented Mar 15, 2023

/approve
API and validation lgtm
squash at will
@tallclair has lgtm

@liggitt liggitt moved this from Changes requested to API review completed, 1.27 in API Reviews Mar 15, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cici37, liggitt, maxsmythe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 15, 2023
cici37
cici37 reviewed Mar 15, 2023
View reviewed changes
Copy link
Contributor

@cici37 cici37 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing is merging blocker. LGTM. Thank you!

pkg/apis/admissionregistration/validation/validation.go Outdated
@@ -520,6 +523,17 @@ func ignoreValidatingWebhookMatchConditions(new, old []admissionregistration.Val
return true
}

// ignoreMatchConditions returns true if any new expressions are added
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: ignoreValidatingAdmissionPolicyMatchConditions?
I understand the comment tried to say that we set opt ignoreMatchConditions to true if any new expressions are added while updating but it might not so clear as the func name doesn't match the comment :). Maybe something like ignoreValidatingAdmissionPolicyMatchConditions returns true if both paramsKind and matchConditions remain the same while updating hence the update in ValidatingAdmissionPolicySpec will skip matchConditions. ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the spirit of making comments semantically valuable and avoiding describing logic, how about:

"ignoreValidatingAdmissionPolicyMatchConditions returns true if there have been no updates that could invalidate previously-valid match conditions"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure! 🤗

.../src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go Outdated
@@ -501,13 +502,24 @@ func (c *policyController) latestPolicyData() []policyData {
if definitionInfo.lastReconciledValue.Spec.ParamKind != nil {
hasParam = true
}
matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions
matchExpressionAccessors := make([]cel.ExpressionAccessor, len(matchConditions))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: do we wanna check the len before construct matchExpressionAccessors and matchconditions.Matcher? something like:

matchConditions := definitionInfo.lastReconciledValue.Spec.MatchConditions
var matcher matchconditions.Matcher = nil
if len(matchConditions) > 0 {
    matchExpressionAccessors := make([]cel.ExpressionAccessor, len(matchConditions))
    for i := range matchConditions {
					matchExpressionAccessors[i] = (*matchconditions.MatchCondition)(&matchConditions[i])
	}
	matcher = matchconditions.NewMatcher(c.filterCompiler.Compile(matchExpressionAccessors, optionalVars, celconfig.PerCallLimit), c.authz, failurePolicy, "validatingadmissionpolicy", definitionInfo.lastReconciledValue.Name)
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that seems a bit clearer, changing.

@maxsmythe
Address review comments
83f62ff 
Signed-off-by: Max Smythe <smythe@google.com>
@tallclair
Copy link
Member

/lgtm
/label tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot added tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Mar 15, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 3207223f1b9306ae73616112359fb37f50019ce8

@k8s-ci-robot k8s-ci-robot merged commit e5fd204 into kubernetes:master Mar 16, 2023
SIG Node CI/Test Board automation moved this from Triage to Done Mar 16, 2023
SIG Node PR Triage automation moved this from Triage to Done Mar 16, 2023
@cici37 cici37 mentioned this pull request Mar 16, 2023
Open
16 tasks
@alexzielenski alexzielenski mentioned this pull request Jul 20, 2023
Merged
43 tasks
rayowang pushed a commit to rayowang/kubernetes that referenced this pull request Feb 9, 2024
@maxsmythe
Custom match criteria (kubernetes#116350)
b2ac627 
* Add custom match conditions for CEL admission

This PR is based off of, and dependent on the following PR:

kubernetes#116261

Signed-off-by: Max Smythe <smythe@google.com>

* run `make update`

Signed-off-by: Max Smythe <smythe@google.com>

* Fix unit tests

Signed-off-by: Max Smythe <smythe@google.com>

* Fix unit tests

Signed-off-by: Max Smythe <smythe@google.com>

* Update compatibility test data

Signed-off-by: Max Smythe <smythe@google.com>

* Revert "Update compatibility test data"

This reverts commit 312ba7f.

* Allow params during validation; make match conditions optional

Signed-off-by: Max Smythe <smythe@google.com>

* Add conditional ignoring of matcher CEL expression validation on update

Signed-off-by: Max Smythe <smythe@google.com>

* Run codegen

Signed-off-by: Max Smythe <smythe@google.com>

* Add more validation tests

Signed-off-by: Max Smythe <smythe@google.com>

* Short-circuit CEL matcher when no matchers specified

Signed-off-by: Max Smythe <smythe@google.com>

* Run codegen

Signed-off-by: Max Smythe <smythe@google.com>

* Address review comments

Signed-off-by: Max Smythe <smythe@google.com>

---------

Signed-off-by: Max Smythe <smythe@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jpbetz jpbetz jpbetz left review comments

@cici37 cici37 cici37 left review comments

@tallclair tallclair tallclair left review comments

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@liggitt liggitt

@cici37 cici37

@tallclair tallclair

Labels
api-review Categorizes an issue or PR as actively needing an API review. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/code-generation area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
API Reviews
Status: API review completed, 1.27
SIG Auth
Archived in project
SIG Node CI/Test Board
Done
SIG Node CI/Test Board
Archived in project
SIG Node PR Triage
Archived in project
[sig-release] Bug Triage
Archived in project
[sig-windows] PR tracking
Status: Done
SIG Node PR Triage
Done
Milestone
v1.27
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@maxsmythe @k8s-ci-robot @jpbetz @cici37 @valaparthvi @liggitt @tallclair