Kuadrant Policies Status conditions/states #9
Conversation
didierofrivia
force-pushed
the
rfc/policy-state
branch
2 times, most recently
from
8d8d139
to
decdbbd
Compare
didierofrivia
changed the title
didierofrivia
force-pushed
the
rfc/policy-state
branch
3 times, most recently
from
e65d8d1
to
a29d166
Compare
didierofrivia
force-pushed
the
rfc/policy-state
branch
from
a29d166
to
d13a930
Compare
rfcs/0000-rlp-status.md
Outdated
|
|
||
| | Type | Status | Reason | Message | | ||
| |-------------|--------|-----------------------------|------------------------------------------------------------| | ||
| | Progressing | True | "PolicyCreated" | "RateLimitPolicy created" | |
There was a problem hiding this comment.
I like this simpler model. From this doc I feel it would read better.
Food for thought. I wondered if instead we need two types only
protected and unprotected ?
rfcs/0000-rlp-status.md
Outdated
| # Unresolved questions | ||
| [unresolved-questions]: #unresolved-questions | ||
|
|
||
| - Should this proposal extend to the KAP as well? |
There was a problem hiding this comment.
I think where possible if we can align the APIs it would make sense from a user exp point of view. Also interesting to think about KAP in the context of protected unprotected
|
I also wonder if perhaps this should be rolled into RLP v2? @guicassolato |
We discussed this in last week's planning meeting, we need to do a "update" pass on this one. Make sure all is still in alignment with the v2 policy efforts… |
didierofrivia
force-pushed
the
rfc/policy-state
branch
from
d13a930
to
769b297
Compare
rfcs/0000-rlp-status.md
Outdated
|
|
||
| States rationale: | ||
|
|
||
| * `Created`: The initial state. It announces that the policy has successfully being created, the operator acknowledges it. |
There was a problem hiding this comment.
have we considered using the same types as Gateway API
Accepted , Programmed for these states?
There was a problem hiding this comment.
There was a problem hiding this comment.
It's definitely worth considering, I'll update the RFC adding the Gateway Status like alternative
rfcs/0000-rlp-status.md
Outdated
|
|
||
| All conditions are top-level. | ||
|
|
||
| | Type | Status | Reason | Message | |
There was a problem hiding this comment.
I think less types would help and it is a good idea to align with K8s or as mentioned above the gateway conditions
didierofrivia
changed the title
rfcs/0000-rlp-status.md
Outdated
| reconciliation and healthiness with its Operator managed services, mainly in this case the Rate Limit service `Limitador`, and | ||
| the Auth service `Authorino`. | ||
|
|
||
| As a consequence, only misleading information is shared causing unexpected errors and flawed assumptions. |
There was a problem hiding this comment.
I guess this is me just agreeing with the motivation of this PR...
Current implementation is definitely limited (if not entirely misleading), in the sense that it provides the perspective of the policy controller only, i.e., no more than one level deep.
Would you say the current term "Protected" should be interpreted as closer to "Reconciled" (from stage 1) or "Applied" (stage 0)?
There was a problem hiding this comment.
It's closer to Applied, since the controller can go only that far
rfcs/0000-rlp-status.md
Outdated
| | Created | True | "PolicyCreated" | "KuadrantPolicy created" | No | | ||
| | Updated | True | "PolicyUpdated" | "KuadrantPolicy has been updated" | No | | ||
| | Applied | True | "PolicyApplied" | "KuadrantPolicy has been successfully applied | Yes | | ||
| | | False | "PolicyNotApplied" | "KuadrantPolicy is invalid" | | | ||
| | Reconciled | True | "PolicyReconciled" | "KuadrantPolicy has been successfully reconciled" | Yes | | ||
| | | False | "PolicyNotReconciled" | "KuadrantPolicy failed reconciliation" | | | ||
| | Enforced | True | "PolicyEnforced" | "KuadrantPolicy has been successfully enforced" | Yes | | ||
| | | False | "PolicyPartiallyEnforced" | "KuadrantPolicy has encountered some issues and has been partially applied" | | | ||
| | | False | "PolicyNotEnforced" | "KuadrantPolicy has encountered an error and can't be applied" | | |
There was a problem hiding this comment.
The reasons here don't seem to add much on top of the Status boolean value. I personally prefer the other option proposed further below.
rfcs/0000-rlp-status.md
Outdated
|
|
||
| **Conditions** | ||
|
|
||
| | Type | Status | Reason | Message | Top Level | |
There was a problem hiding this comment.
Is "Top Level" the same as "Final state"?
rfcs/0000-rlp-status.md
Outdated
| as states, which in the [Reference-level explanation](#reference-level-explanation) will be translated to the actual Status Conditions. | ||
|
|
||
| ## Stage 1 | ||
| **The state is defined by the application and validation of the Policy CR** |
There was a problem hiding this comment.
When you say validation, do you mean at controller level? It may sound an implementation details at first, but I believe this differentiation can add nuances to some aspects of the proposal.
There are maybe 4 ways (4 levels) of validation of Kubernetes custom resources.:
- Basic API spec validation (OAS validation)
- Kubernetes (v1.25+) validation rules
- Admission control (validating webhook service)
- Reconciliation loop
In the end, it’s going to be a combination of all the above, I imagine. Of course, policies that don’t pass in the first 3 levels of validation at the time they are first requested to be created will be rejected altogether.
Fair to say then that “Validation” here is essentially about level-4 validation (whose rules, BTW, often overlap a bit with the kind of think that is validated at level-3)?
There was a problem hiding this comment.
Yes, it basically is about the number 4 you mention above. I didn't mind anything below the admission control stage, but if we're gonna have our own set of rules for admission control, it might reflect this in the state
rfcs/0000-rlp-status.md
Outdated
| This first stage is a simple version where the operator only relies on itself, not checking the healthiness of its services | ||
| and just validating the Spec. | ||
|
|
||
|  |
There was a problem hiding this comment.
I guess "Spec changed" only means policy "Updated" if the spec in the matter is the policy spec.
Other events that can affect the state of the policy include:
- changes related to targeted resource (direct and indirect)
- other (override) policies created
There was a problem hiding this comment.
That is correct and more clear now with Policy V2, regarding the indirect changes
rfcs/0000-rlp-status.md
Outdated
| | | True | "PolicyServiceError" | "KuadrantPolicy has encountered has failed to enforce" | | ||
| | | False | "PolicyEnforced" | "KuadrantPolicy has been successfully enforced" | | ||
|
|
||
|
|
There was a problem hiding this comment.
Worth including here a status field to provide further details about things as:
- Routes / route rules protected by the policy (and by which policy rules) vs selectors that failed to attach to any route / route rule
...?
There was a problem hiding this comment.
This is definitely a good thing for a dashboard or an aggregated data resource that provides more insight about the Kuadrant policies overall state. Implementation wise, I can't foresee how possible it is to implement it per policy state, however, we could include some kind of brief informative summary or list of conflicting policies, network resources affected, etc...
rfcs/0000-rlp-status.md
Outdated
| | | False | "PolicyError" | "KuadrantPolicy has encountered an error" | | ||
| | Enforced | True | "PolicyEnforced" | "KuadrantPolicy has been successfully enforced" | | ||
| | | False | "PolicyPartiallyEnforced" | "KuadrantPolicy has encountered some issues and has been partially applied" | | ||
| | | False | "PolicyNotEnforced" | "KuadrantPolicy has encountered an error and can't be applied" | |
There was a problem hiding this comment.
Is there an overlap between Enforced: False (PolicyNotEnforced) and Failed: True (PolicyReconciliationError) maybe?
What about specifying a more specific reason why the policy is not enforced? E.g.
| | | False | "PolicyNotEnforced" | "KuadrantPolicy has encountered an error and can't be applied" | | |
| | | False | "PolicyOverridden" | "KuadrantPolicy overridden by KuadrantPolicy policy-ns/policy-name" | |
rfcs/0000-rlp-status.md
Outdated
| | Failed | True | "PolicyValidationError" | "KuadrantPolicy has failed to validate" | | ||
| | | True | "PolicyReconciliationError" | "KuadrantPolicy has encountered a reconciliation error" | | ||
| | | True | "PolicyServiceError" | "KuadrantPolicy has encountered has failed to enforce" | | ||
| | | False | "PolicyEnforced" | "KuadrantPolicy has been successfully enforced" | |
There was a problem hiding this comment.
Is the policy being overridden by another policy to be considered a fail? If it's not a fail, then we may need another reason here.
|
@didierofrivia this section of the policy attachment gep may be relevant https://gateway-api.sigs.k8s.io/geps/gep-713/#conditions |
There was a problem hiding this comment.
Although I'm not sure if we can model those exact state transitions depicted in the diagrams of the 3 stages, or if they serve rather as a guide to explain the general lifecycle of a policy (i.e., at documentation level only), I am quite happy with Option 3 proposed, and would love to move forward with that.
Another thing to watch in relation to this is how Gateway API's proposal for a PolicyBinding resource will evolve (and how we can contribute to that process!) Reflecting everything that may have happened only in the policy status sub-resource may end up simply not being feasible. Hence, if an alternative such as a policy binding resource (or kubectl plugin, or CLI tool, etc) exists, the policy conditions and reasons can be kept simple and high level, much along the lines of what's proposed here.
Nice job, @didierofrivia!
didierofrivia
force-pushed
the
rfc/policy-state
branch
from
4cec970
to
3307e4d
Compare
didierofrivia
force-pushed
the
rfc/policy-state
branch
2 times, most recently
from
40ba732
to
261a982
Compare
* Fixing overlapping states in option 2
didierofrivia
force-pushed
the
rfc/policy-state
branch
from
261a982
to
4cade19
Compare
rfcs/0000-rlp-status.md
Outdated
| | | False | "Invalid" | "KuadrantPolicy is invalid" | | ||
| | | False | "TargetNotFound" | "KuadrantPolicy target [resource-name] was not found" | | ||
| | Enforced | True | "Enforced" | "KuadrantPolicy has been successfully enforced" | | ||
| | | False | "PartiallyEnforced" | "KuadrantPolicy has encountered some issues and has been partially applied" | |
There was a problem hiding this comment.
Not sure I like partially enforced. might be tempted to group that under reason Unknown this is similar then to how the gateways themselves reflect transient or uncertain state.
There was a problem hiding this comment.
Since we can see the information of partially enforced within the PolicyAffected type, let's change this one to Unknown
There was a problem hiding this comment.
I think we should focus around option 2 that reflects the GEP status concepts. @didierofrivia does it makes sense to update this with a "ruled out" section to keep a record of the other options but simplify the overall doc?
This RFC presents 2 options and each one could be applied/develop in order and would reflect valuable and accurate information with different degrees of acuity.
Given the feedback so far, it seems Option 2 is the winner:
Option 2
Based on GEP-713. In this case, besides the proposed Accepted PolicyType, the Enforced PolicyType would be added to reflect the final state of the policy, which means that the policy is showing the synced actual state of the Kuadrant services. The missing Failed PolicyType would be implicitly represented by the TargetNotFound and Invalid PolicyTypeReason.