Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

k8s: Decouple CNP embedding inside CCNP #14557

Merged
merged 4 commits into from
Jan 14, 2021
Merged

k8s: Decouple CNP embedding inside CCNP #14557

merged 4 commits into from
Jan 14, 2021

Conversation

christarazi
Copy link
Member

@christarazi christarazi commented Jan 7, 2021
edited
Loading

See commit msgs.

Fixes: #14526

Fix bug where CCNPs are not validated properly in preflight

@christarazi christarazi requested a review from a team as a code owner January 7, 2021 20:52
@christarazi christarazi requested a review from a team January 7, 2021 20:52
@christarazi christarazi requested a review from a team as a code owner January 7, 2021 20:52
@christarazi christarazi requested review from a team and nathanjsweet January 7, 2021 20:52
@christarazi christarazi added sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. kind/bug This is a bug in the Cilium logic. kind/cleanup This includes no functional changes. needs-backport/1.9 release-note/bug This PR fixes an issue in a previous release of Cilium. labels Jan 7, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jan 7, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added this to In progress in 1.10.0 Jan 7, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.9.2 Jan 7, 2021
@christarazi christarazi requested a review from aanm January 7, 2021 20:53
@christarazi
Copy link
Member Author

test-me-please

@christarazi christarazi force-pushed the pr/christarazi/decouple-ccnp-from-cnp branch from 93ffc20 to ba83b6c Compare January 8, 2021 01:18
@christarazi
Copy link
Member Author

test-me-please

@christarazi christarazi mentioned this pull request Jan 8, 2021
Closed
aanm
aanm approved these changes Jan 8, 2021
View reviewed changes
pkg/k8s/apis/cilium.io/v2/cnp_types.go Outdated Show resolved Hide resolved
@aanm aanm removed their assignment Jan 8, 2021
fristonio
fristonio requested changes Jan 8, 2021
View reviewed changes
Copy link
Member

@fristonio fristonio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes looks good to me. Thanks for the Pull Request 🙏 🚀
There is some documentation around ClusterwideNetworkPolicies that needs an update. For example here - https://github.com/cilium/cilium/blob/master/Documentation/concepts/kubernetes/policy.rst#ciliumclusterwidenetworkpolicy

@christarazi christarazi requested a review from a team as a code owner January 8, 2021 18:33
@christarazi
validator: Expand tests to include full CNP & CCNP
4714c02 
Due to cilium#14526, we should test
against full YAMLs representing CNPs and CCNPs for more realistic
results.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi
k8s: Decouple CNP embedding inside CCNP
6d18d81 
Previously, embedding CNP inside the CCNP object was meant to simplify
the code as a CCNP is an identical structure to CNP.

However, due to a bug reported by a user
(cilium#14526), we've uncovered that
CCNP validation in the preflight command was completely broken. Upon
further investigation, it was due to an unmarshalling issue with the
CCNP object (that embeds a CNP).

Throughout the code, we have instances where we must treat the CCNP
object with special care to avoid this unmarshalling issue (see
b5c04ee and
c813a15). In the above reported issue,
yet again we can apply the same workarounds as the aforementioned
commits do.

However, we should avoid papering over this again with the same
workaround, because in the future someone may not be aware of this
gotcha when they make a new change. It is better to simply move away
from embedding CNP inside CCNP and deal with the code duplication that
results from it, than to rely on the mental energy and worst of all,
waste time trying to debug very unintuitive errors within K8s
infrastructure code. This commit moves away from embedding CNP inside
CCNP.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi
docs: Update docs referencing CCNP
be9d0dc 
Following the previous commit, update the references in the docs for
CCNP.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi
docs: Update docs referencing Go struct of CNP
89eab48 
Bring this up-to-date with what's currently in the codebase.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi christarazi force-pushed the pr/christarazi/decouple-ccnp-from-cnp branch from b680840 to 89eab48 Compare January 8, 2021 18:36
fristonio
fristonio approved these changes Jan 8, 2021
View reviewed changes
Copy link
Member

@fristonio fristonio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀 💯

@christarazi
Copy link
Member Author

test-me-please

qmonnet
qmonnet approved these changes Jan 11, 2021
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good as far as I can tell.

Documentation/concepts/kubernetes/policy.rst

// Status is the status of the Cilium policy rule.
//
// The reason this field exists in this structure is due a bug in the k8s
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// The reason this field exists in this structure is due a bug in the k8s
// The reason this field exists in this structure is due to a bug in the k8s

@qmonnet
Copy link
Member

qmonnet commented Jan 11, 2021

test-gke

@aanm aanm merged commit 79f9812 into cilium:master Jan 14, 2021
@errordeveloper errordeveloper mentioned this pull request Jan 14, 2021
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.9 in 1.9.2 Jan 14, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.9 in 1.9.2 Jan 14, 2021
@christarazi christarazi deleted the pr/christarazi/decouple-ccnp-from-cnp branch January 14, 2021 17:30
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.9 to Backport done to v1.9 in 1.9.2 Jan 18, 2021
@aanm aanm mentioned this pull request Jan 20, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aanm aanm aanm approved these changes

@qmonnet qmonnet qmonnet approved these changes

@fristonio fristonio fristonio approved these changes

@nathanjsweet nathanjsweet Awaiting requested review from nathanjsweet

Assignees

@nathanjsweet nathanjsweet

Labels
kind/bug This is a bug in the Cilium logic. kind/cleanup This includes no functional changes. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers.
Projects
No open projects
1.10.0
Done
1.9.2
Backport done to v1.9
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CCNP preflight validator broken
6 participants
@christarazi @qmonnet @aanm @fristonio @errordeveloper @nathanjsweet