Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix description for same/notSameLabels; remove NamespaceRelation #75

Merged
merged 1 commit into from
May 8, 2023
Merged

Fix description for same/notSameLabels; remove NamespaceRelation #75

merged 1 commit into from
May 8, 2023

Conversation

tssurya
Copy link
Contributor

@tssurya tssurya commented Mar 2, 2023
edited
Loading

Closes #45 (comment). See #45 (comment) for details.

This PR is removing Related field. TODO: Add docs to show how this can be achieved using same/notSame Labels.

In addition to that we are trying to clarify the meaning of same/notSame labels.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 2, 2023
@netlify
Copy link

netlify bot commented Mar 2, 2023
edited
Loading

Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name Link
🔨 Latest commit 2a9aa3d
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-network-policy-api/deploys/6458d786b03cfe0008dab4a8
😎 Deploy Preview https://deploy-preview-75--kubernetes-sigs-network-policy-api.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 2, 2023
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 28, 2023
@tssurya tssurya changed the title Make description of sameLabels & notSameLabels consistent Fix description for same/notSameLabels; remove NamespaceRelation Mar 28, 2023
@tssurya
Copy link
Contributor Author

tssurya commented Mar 28, 2023

woops need to fix the verify

@npinaeva
Copy link
Member

npinaeva commented Mar 28, 2023
edited
Loading

Maybe we can follow the notin LabelSelector notation like https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#set-based-requirement, so that a namespace is selected when for every listed label, if that namespace has this label with a different value, or the label is not set?
Edit: one thing we need to figure out is if these labels should be ANDed or OR'd

@danwinship
Copy link
Contributor

danwinship commented Mar 28, 2023
edited
Loading

You should look at the user stories to see what functionality is needed, but I think the intention was that notSameLabels: ["x", "y", "z"] matches exactly the set of namespaces that sameLabels: ["x", "y", "z"] doesn't match. [EDIT: which I think matches what Nadia said?]

Related: sameLabels: ["x"] is not well-defined if the subject namespace doesn't have the label "x". (The current text would require the matched namespace to have the label "x" with the same value as the subject namespace, but the subject namespace has no value for it (not even "").)

@Dyanngg
Copy link
Contributor

Dyanngg commented Mar 28, 2023

Related: sameLabels: ["x"] is not well-defined if the subject namespace doesn't have the label "x". (The current text would require the matched namespace to have the label "x" with the same value as the subject namespace, but the subject namespace has no value for it (not even "").)

In that case I think the peer will always evaluate to an empty one, because if the subject's Namespace does not even have the label "x", we have no ground for deducing what Namespaces have the same labels at all

@npinaeva
Copy link
Member

I think in case subject doesn't have a label set, I would logically expect sameLabels to be all namespace with the same label unset. But it probably doesn't make sense in the ANP context, so what @Dyanngg said is reasonable, we can just ignore subjects with unset labels.
On the other side, this behaviour is not obvious, but we can add a doc recommendation to always put LabelSelector[MatchExpressions: [labelName, Exists]] in the subject for every label that is used in the same/notSameLabels peers (or make another object with subject based on the same labels :) )

Another tricky part is how to define multiple labels. I guess we understand same labels like sameLabels: [L1, ..., Ln] = sameLabels: [L1] && ... && sameLabels: [Ln]
If we want notSameLabels to be a complement to sameLabels, then
notSameLabels: [L1, ..., Ln] = not(sameLabels: [L1, ..., Ln]) = not (sameLabels: [L1] && ... && sameLabels: [Ln]) = not sameLabels: [L1] || ... || not sameLabels: [Ln], so if at least one label is different, it will be matched.
On the other hand, I can define the same logical OR with multiple 1-label peers, but I don't have a way to define not sameLabels: [L1] && not sameLabels: [L2] to only match when both labels are different. It's ok if we don't have a use case for that, but I think we still need to consider this limitation.

@tssurya
Copy link
Contributor Author

tssurya commented Apr 11, 2023

the matched namespace to have the label "x" with the same value as the subject namespace, but the subject namespace has no value for it (not even "").)

+1 no peers will match that.

@tssurya
Copy link
Contributor Author

tssurya commented Apr 11, 2023

Maybe we can follow the notin LabelSelector notation like https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#set-based-requirement, so that a namespace is selected when for every listed label, if that namespace has this label with a different value,

yes this is what I am going with similar to what @Dyanngg said

or the label is not set?

This is debatable on which way to go... by label not being set you mean a nil value right? but the key must exist, we don't want to assume a match on things that don't have keys set - notIn also seems to match on different values of the same key.

@tssurya tssurya force-pushed the update-not-same-labels branch 2 times, most recently from e12802b to f27df9b Compare April 11, 2023 11:54
@astoycos
Copy link
Member

In that case I think the peer will always evaluate to an empty one, because if the subject's Namespace does not even have the label "x", we have no ground for deducing what Namespaces have the same labels at all

I agree with Yang here

I think the intention was that notSameLabels: ["x", "y", "z"] matches exactly the set of namespaces that sameLabels: ["x", "y", "z"] doesn't match. [EDIT: which I think matches what Nadia said?]

So yeah the use cases are vague here, essentially we just want to make designing tenants simple.... however I think it makes most sense to ensure that notSameLabels is the exact inverse of sameLabels. i.e

	// To be selected a Namespace must have all of the labels defined in NotSameLabels,
	// AND at least one of them must have different values than the subject of this policy.
	// If NotSameLabels is empty then nothing is selected.

Should be

	// To be selected a Namespace must have all of the labels defined in NotSameLabels,
	// AND all of them must have different values than the subject of this policy.
	// If NotSameLabels is empty then nothing is selected.

@astoycos
Copy link
Member

astoycos commented May 3, 2023

Ping @tssurya WDYT about @Dyanngg's comments? I'd like to get this in before actually doing a release payload for V1alpha1 :)

@astoycos
Copy link
Member

astoycos commented May 5, 2023

Blocking #90

@tssurya
Copy link
Contributor Author

tssurya commented May 8, 2023

@astoycos : Yes let me update this with the suggestions, (was on PTO the last week for a few days saw the ping only now)

@tssurya
Fix description for same/notSameLabels; remove NamespaceRelation
2a9aa3d 
See kubernetes-sigs#45 (comment)
for details.

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
@tssurya
Copy link
Contributor Author

tssurya commented May 8, 2023

@astoycos @Dyanngg: PTAL

@astoycos
Copy link
Member

astoycos commented May 8, 2023

/lgtm
/approve

Thanks @tssurya

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 8, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: astoycos, tssurya

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 8, 2023
@k8s-ci-robot k8s-ci-robot merged commit 645dbc2 into kubernetes-sigs:master May 8, 2023
@npinaeva npinaeva mentioned this pull request Jul 12, 2023
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Dyanngg Dyanngg Dyanngg left review comments

@abhiraut abhiraut Awaiting requested review from abhiraut

Assignees

@astoycos astoycos

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

we don't need Same / NotSame for namespaces
6 participants
@tssurya @npinaeva @danwinship @Dyanngg @astoycos @k8s-ci-robot