-
Notifications
You must be signed in to change notification settings - Fork 451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reject new Shoots with internal apiVersion in infrastructureConfig #4927
Reject new Shoots with internal apiVersion in infrastructureConfig #4927
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would have expected such validation in the provider extensions instead of in gardener/gardener
. Generally, Gardener does not know or make any assumptions of the content in *runtime.RawExtension
fields, so it doesn't quite fit here.
Yeah, I was stuck between a rock and a hard place here. Doing this in the extensions has the benefit that decoding is easy and therefore you can do this check with less hassle. On the other hand it requires pretty much the same code in all extensions, new extension releases, and so on. This check also isn't really provider specific, denying access to the internal version feels like a thing that shouldn't be possible ever. I'm not sure if you were thinking of a better way of doing this? If you feel this should not belong in g/g, I'm happy to make this individual PRs in the extensions. |
Yes, that's all correct, but I fear that this is pretty much the price for having such extensibility. |
@rfranzke I am also a bit struggling with your comment. Although I see your point, I would vote for a pragmatic approach here.
Isn't
Why does this matter? From the tests I see that the decoding succeeds and the check works? What exactly is confusing?
We would need to modify each and every extension (not only provider extensions, every extension that uses any |
I don't think so,
I find the usage of
We could, of course, and I am not strongly insisting on not having such validation centrally. Obviously, I see the arguments for this pragmatic approach. However, I still think that it is conceptually wrong and rather "hacky" doing it in this admission plugin. Hence, I'm personally rather tending towards implementing it "cleanly" (even if this is much more additional work and takes longer, however, the urgency of this fix is probably rather low and we are not under pressure). |
For me the answer to this question comes down to whether RawExtension is defined as being an inlined kubernetes object or whether it can be an arbitrary blob. Because all g/g knows about the InfrastructureConfig is that it is a rawExtension. (Please correct me if I read that wrong) But it seems here rawExtension is used to not store a kubernetes object : https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/daemon/update.go#L481 Following how rawExtension is used in the k8s codebase I tend to implement the validation logic in the extensions. |
FMPOV, we miss unambiguous information about the usage of
-> System-wide rule that internal versions should not be used. This is independent from the client/controller which knows which concrete type is anticipated.
-> Although I also first saw this validation rather to be part of every extension, I don't have any objections doing it in |
Thanks for all the comments, this is a very insightful discussion for me! When trying to take a step back to look at the arguments, here's what I'm understanding Doing it in the Extensions:
Doing it in Gardener:
It seems to me that we have an argument on two different levels here: one side is based on principles (e.g. 'an extension can contain basically anything'), the other based on on concrete observations of actual usage and behavior (i.e. 'the extensions we know are using k8s objects in their Neither argument is wrong or incorrect here, I guess the main question is: Is this one of the issues where concrete needs should allow us to violate principles? It feels to me there are more drawbacks if we would stick to the principles here, I'm leaning towards being pragmatic with this validation. WDYT? |
I don't think we are violating any principles. We can do this check in g/g and the extensions are still free to use whatever JSON blobs they want and do further checking and validation, as they see it appropriate. The "principle" that matters to me here is DRY ("don't repeat yourself") and the need to stay pragmatic having in mind our limited resources to invest in such improvements. |
Thanks @timuthy for digging this up. Fair enough then, as already said above, I'm not insisting on anything and fine with doing it in this admission plugin for the very valid pragmatic reasons. Let's just have some code comments explaining why we do such validation here and why we use apparently "wrong" schemes/scheme-group-versions so that readers of this code get a chance to understand, please. |
abb0481
to
0dc1e0b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested this with a few of the raw extension kinds, the validation seems to be working as expected in general.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Thanks!
…ardener#4927) * Reject new Shoots with internal apiVersion in infrastructureConfig * Make RawExtension internal version check re-usable * Allow RawExtensions to contain arbitrary json * Allow RawExtensions to be empty without failing API check * Reject new Shoots with internal apiVersion in controlPlaneConfig * Reject new Shoots with internal apiVersion in NetworkConfig * Reject new Shoots with internal apiVersion in OperatingsystemConfig * Reject new Shoots with internal apiVersion in MachineImageConfig * Reject new Shoots with internal apiVersion in ContainerRuntimeConfig * Extract GVK check into function * Extract error message constant and path variable * Declutter RawExtensions used in tests
…ardener#4927) * Reject new Shoots with internal apiVersion in infrastructureConfig * Make RawExtension internal version check re-usable * Allow RawExtensions to contain arbitrary json * Allow RawExtensions to be empty without failing API check * Reject new Shoots with internal apiVersion in controlPlaneConfig * Reject new Shoots with internal apiVersion in NetworkConfig * Reject new Shoots with internal apiVersion in OperatingsystemConfig * Reject new Shoots with internal apiVersion in MachineImageConfig * Reject new Shoots with internal apiVersion in ContainerRuntimeConfig * Extract GVK check into function * Extract error message constant and path variable * Declutter RawExtensions used in tests
…ardener#4927) * Reject new Shoots with internal apiVersion in infrastructureConfig * Make RawExtension internal version check re-usable * Allow RawExtensions to contain arbitrary json * Allow RawExtensions to be empty without failing API check * Reject new Shoots with internal apiVersion in controlPlaneConfig * Reject new Shoots with internal apiVersion in NetworkConfig * Reject new Shoots with internal apiVersion in OperatingsystemConfig * Reject new Shoots with internal apiVersion in MachineImageConfig * Reject new Shoots with internal apiVersion in ContainerRuntimeConfig * Extract GVK check into function * Extract error message constant and path variable * Declutter RawExtensions used in tests
How to categorize this PR?
/area control-plane
/kind bug
What this PR does / why we need it:
New Shoots which specify
__internal
as apiVersion for their InfrastructureConfig are rejected. Updates to existing Shoots are still allowed for compatibility reasons.Which issue(s) this PR fixes:
Fixes #4874
Special notes for your reviewer:
A similar issue seems to exist for ControlPlaneConfig, should I be adding a new PR with similar change?
Release note: