CEL-based admission webhook match conditions #3716

Open
9 of 12 tasks
tallclair opened this issue Jan 10, 2023 · 45 comments
Labels
lead-opted-in Denotes that an issue has been opted in to a release sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status

Comments

@tallclair
Member

tallclair commented Jan 10, 2023

Enhancement Description

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jan 10, 2023
@tallclair tallclair added the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Jan 10, 2023
@k8s-ci-robot k8s-ci-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jan 10, 2023
@tallclair tallclair added this to the v1.27 milestone Jan 10, 2023
@tallclair tallclair added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jan 10, 2023
@tallclair tallclair self-assigned this Jan 10, 2023
@sftim
Contributor

sftim commented Jan 10, 2023

@tallclair tallclair changed the title CEL-based webhook filters CEL-based admission webhook match conditions Jan 19, 2023
@tallclair
Member Author

@sftim this is only for admission webhooks (updated the title). We've also had conversations about doing something similar for authorization webhooks, but that will probably be folded in with #3221

@logicalhan
Member

Is there a KEP for this I can review for PRR?

@fsmunoz

fsmunoz commented Feb 1, 2023

Hello @tallclair 👋, v1.27 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage alpha for 1.27 (please correct me, if otherwise)

Here's where this enhancement currently stands:

  • KEP readme using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable for latest-milestone: 1.27
  • KEP readme has an updated detailed test plan section filled out
  • KEP readme has up to date graduation criteria
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

For this enhancement, the first thing we need is access to the KEP so we can then confirm the rest.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

@logicalhan
Member

@sftim this is only for admission webhooks (updated the title). We've also had conversations about doing something similar for authorization webhooks, but that will probably be folded in with #3221

If so, should this be tracked separately? I'm confused about what I'm supposed to review for PRR here.

@sftim
Contributor

sftim commented Feb 2, 2023

The problem was the original title - the rename fully addressed my concern.

@sftim
Contributor

sftim commented Feb 2, 2023

If we want CEL conditions for admission authz webhooks, that change won't be part of this KEP.

@fsmunoz

fsmunoz commented Feb 8, 2023

Hi @logicalhan , an update based on the linked KEP PR.

This enhancement is targeting for stage alpha for 1.27 (please correct me, if otherwise)

Here's where this enhancement currently stands, assuming #3717 in its current state:

  • KEP readme using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable for latest-milestone: 1.27
  • KEP readme has an updated detailed test plan section filled out
  • KEP readme has up to date graduation criteria
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

For this enhancement, the following would need to be updated, assuming #3717 in its current state:

  • Use the latest version of the template. There is an additional question on the Scalability section of the PRR, although it is one that isn't mandatory for alpha, it would be a good time to add it and sync with the latest template structure.
  • An updated Test Plan, with the sections filled.
  • Up-to-date graduation criteria filled.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

@tallclair
Member Author

@fsmunoz Thanks for the list. The remaining items are addressed in #3861

@logicalhan sorry for missing your earlier questions! It looks like you figured it out, but please ping me on chat/slack if you have any outstanding questions.

@fsmunoz

fsmunoz commented Feb 9, 2023

Hello @tallclair , thank you.

I'm marking this as tracked with two comments:

  • The Test Plan has TBD information that should be analysed and reviewed.
  • The Graduation Criteria would benefit from including other stages, but it does contain the alpha one.

This enhancement is ready to be traced for graduation to alpha in v1.27

/stage alpha
/label tracked/yes

@k8s-ci-robot
Contributor

@fsmunoz: The label(s) /label stage/alpha cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, lead-opted-in, tracked/no, tracked/out-of-tree, tracked/yes. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

Hello @tallclair , thank you.

I'm marking this as tracked with two comments:

  • The Test Plan has TBD information that should be analysed and reviewed.
  • The Graduation Criteria would benefit from including other stages, but it does contain the alpha one.

This enhancement is ready to be traced for graduation to alpha in v1.27

/label stage/alpha
/label tracked/yes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Feb 9, 2023
@fsmunoz

fsmunoz commented Feb 9, 2023

/stage alpha

@katmutua
Member

katmutua commented Mar 9, 2023

Hello @tallclair 👋🏾 !

@katmutua 1.27 Release Docs shadow here. This enhancement is marked as ‘Needs Docs’ for 1.27 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.27 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by March 16. For more information, please take a look at Documenting for a release to familiarize yourself with the documentation requirements for the release.

If you already have existing open PRs please link them to the description so we can easily track them. Thanks!

@fsmunoz

fsmunoz commented Mar 13, 2023

Hi @tallclair 👋,

Checking in as we approach 1.27 code freeze at 17:00 PDT on Tuesday 14th March 2023.

Please ensure the following items are completed:

  • All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • All PRs are fully merged by the code freeze deadline.

For this enhancement, it looks like the following PRs need to be merged before code freeze:

Please let me know what other PRs in k/k I should be tracking for this KEP.

As always, we are here to help should questions come up. Thanks!

@ivelichkovich
Contributor

This should be graduation criteria for beta: kubernetes/kubernetes#116588

@Atharva-Shinde
Contributor

Hey @andrewsykim 👋 Enhancements Lead here,
With kubernetes/kubernetes#116261 and kubernetes/kubernetes#119380 merged as per the issue description, this enhancement is now tracked for v1.28 Code Freeze!

@Rishit-dagli
Member

Hello @tallclair 👋 please take a look at Documenting for a release - PR Ready for Review to get your docs PR ready for review before Tuesday 25th July 2023. Thank you!

Ref: kubernetes/website#42060

wongma7 pushed a commit to wongma7/kubernetes that referenced this issue Jul 24, 2023
Description:
* Allows for the bypassing of admission controller webhook for certain resources.

Upstream PR, Issue, KEP, etc. links:
* See below.

If this patch is based on an upstream commit, how (if at all) do this patch and the upstream source differ?
* N/A

If this patch's changes have not been added by upstream, why not?
* This patch has not been added by upstream, but work is being actively done to add the ability to filter webhooks. See:
    - KEP-3716 -- https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3716-admission-webhook-match-conditions
    and kubernetes/enhancements#3717
    - Tracking issue -- kubernetes/enhancements#3716
    - Kubernetes PR kubernetes#116261 -- kubernetes#116261

Other patches related to this patch:
* None

Changes made to this patch after its initial creation and reasons for these changes:
* February 2, 2023 -- This patch replaced 0002-EKS-PATCH-Bypassed-admission-controller-webhook-for-.patch
(https://github.com/aws/eks-distro/blob/v1-22-eks-18/projects/kubernetes/kubernetes/1-22/patches/0002-EKS-PATCH-Bypassed-admission-controller-webhook-for-.patch).
The difference between this patch and its predecessor is that this patch allows for users to supply a config file that
defines which webhooks should be excluded. If this file is not provided, this patch and the previous one function the
same.

Kubernetes version this patch can be dropped:
* When the upstream efforts to implement these changes are merged.

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
@a-hilaly
Member

@Rishit-dagli I just updated kubernetes/website#42060 PTAL

@Atharva-Shinde
Contributor

Hey @a-hilaly 👋 Enhancements lead here,

Are these 2 test related PRs aiming for v1.28 milestone because I don't see the v1.28 milestone attached to them but you have mentioned them in your comment above. In case they are, just a reminder that the Test Freeze will be in effect from 01:00 UTC Wednesday, 26th July, 2023, so we would need to get them merged before the deadline :)

@a-hilaly
Member

Are these 2 test related PRs aiming for v1.28 milestone because I don't see the v1.28 milestone attached to them but you have mentioned them in your comment above. In case they are, just a reminder that the Test Freeze will be in effect from 01:00 UTC Wednesday, 26th July, 2023, so we would need to get them merged before the deadline :)

@Atharva-Shinde Yes we aim to merge them before test freeze deadline. I'll ping here once it's done. Thank you :)

@a-hilaly
Member

@Atharva-Shinde @Rishit-dagli @aramase PR kubernetes/website#42060 is ready

@npolshakova

/remove-label lead-opted-in

@k8s-ci-robot k8s-ci-robot removed the lead-opted-in Denotes that an issue has been opted in to a release label Aug 27, 2023
@enj enj removed this from the v1.28 milestone Sep 7, 2023
ivelichkovich added a commit to ivelichkovich/kubernetes that referenced this issue Sep 13, 2023
Description:
* Allows for the bypassing of admission controller webhook for certain resources.

Upstream PR, Issue, KEP, etc. links:
* See below.

If this patch is based on an upstream commit, how (if at all) do this patch and the upstream source differ?
* N/A

If this patch's changes have not been added by upstream, why not?
* This patch has not been added by upstream, but work is being actively done to add the ability to filter webhooks. See:
    - KEP-3716 -- https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3716-admission-webhook-match-conditions
    and kubernetes/enhancements#3717
    - Tracking issue -- kubernetes/enhancements#3716
    - Kubernetes PR kubernetes#116261 -- kubernetes#116261

Other patches related to this patch:
* None

Changes made to this patch after its initial creation and reasons for these changes:
* February 2, 2023 -- This patch replaced 0002-EKS-PATCH-Bypassed-admission-controller-webhook-for-.patch
(https://github.com/aws/eks-distro/blob/v1-22-eks-18/projects/kubernetes/kubernetes/1-22/patches/0002-EKS-PATCH-Bypassed-admission-controller-webhook-for-.patch).
The difference between this patch and its predecessor is that this patch allows for users to supply a config file that
defines which webhooks should be excluded. If this file is not provided, this patch and the previous one function the
same.

Kubernetes version this patch can be dropped:
* When the upstream efforts to implement these changes are merged.
* We can replace with new match using match conditions in 1.28+ or when match conditions become GA

Signed-off-by: Jyoti Mahapatra <jyotima@amazon.com>
@jpbetz
Contributor

jpbetz commented Jan 25, 2024

/label lead-opted-in
/milestone v1.30

@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Jan 25, 2024
@k8s-ci-robot k8s-ci-robot added the lead-opted-in Denotes that an issue has been opted in to a release label Jan 25, 2024
@sreeram-venkitesh
Member

Hello @tallclair, @jpbetz 👋, v1.30 Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 9th February 2024.

This enhancement is targeting for stage stable for v1.30 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • KEP readme using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable for latest-milestone: 1.30. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
  • KEP readme has up-to-date graduation criteria
  • KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

Almost everything is done in #4435. One minor change that we need to make is to update the stage to stable here

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

@liggitt liggitt added stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status and removed stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status labels Feb 8, 2024
@sreeram-venkitesh
Member

Hello 👋, v1.30 Enhancements team here.

Unfortunately, this enhancement did not meet requirements for enhancements freeze.

#4435 hasn't updated the stage key to stable. It still says beta.

This is a small fix, so please file an exception request. Thanks!

@salehsedghpour
Contributor

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.30 milestone Feb 9, 2024
@ivelichkovich
Contributor

Just raised a PR: #4513

@salehsedghpour salehsedghpour added this to the v1.30 milestone Feb 11, 2024
@celestehorgan

Hello @tallclair 👋, 1.30 Docs Shadow here.
Does this enhancement work planned for 1.30 require any new docs or modification to existing docs?
If so, please follow the steps here to open a PR against dev-1.30 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday February 22nd 2024 18:00 PDT.
Also, take a look at Documenting for a release to get yourself familiarized with the docs requirement for the release.
Thank you!


(At a minimum, please remember to update the feature flags to stable for this release ✨)

@a-mccarthy

Hi @tallclair,

👋 from the v1.30 Communications Team! We'd love for you to opt in to write a feature blog about your enhancement!

We encourage blogs for features including, but not limited to: breaking changes, features and changes important to our users, and features that have been in progress for a long time and are graduating.

To opt in, you need to open a Feature Blog placeholder PR against the website repository.
The placeholder PR deadline is 27th February, 2024.
Here's the 1.30 Release Calendar

@tallclair
Member Author

/assign @ivelichkovich

Igor, can you take a look at the docs & comms requests above?

Projects
Status: Tracked
Status: Tracked for Enhancements Freeze
Status: In Progress