
ValidatingAdmissionPolicy - Type Checking for API Extensions types #119109

Conversation

jiahuif
Member

@jiahuif jiahuif commented Jul 5, 2023

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR adds ValidatingAdmissionPolicy type checking support for CRDs and other API extension APIs.

Special notes for your reviewer:

There are no API changes.

Performance impact:
The RESTMapper is refreshed more often. To limit the impact, the RESTMapper can only be refreshed at most once per policy.

Does this PR introduce a user-facing change?

ValidatingAdmissionPolicy Type Checking now supports CRDs and API extensions types.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver area/code-generation area/test kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 5, 2023
@jiahuif jiahuif force-pushed the feature/validating-admission-policy/crd-typechecking branch from 698042c to 30f2942 Compare July 14, 2023 16:42
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jul 14, 2023
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 17, 2023
@jiahuif jiahuif force-pushed the feature/validating-admission-policy/crd-typechecking branch from f108430 to e76a39c Compare July 17, 2023 21:11
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 17, 2023
@jiahuif jiahuif force-pushed the feature/validating-admission-policy/crd-typechecking branch from 5b09d54 to b95e42b Compare October 26, 2023 17:26
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Oct 26, 2023
@jiahuif jiahuif force-pushed the feature/validating-admission-policy/crd-typechecking branch from b95e42b to e0af8fb Compare October 26, 2023 17:28
@k8s-ci-robot k8s-ci-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 26, 2023
@jiahuif
Member Author

jiahuif commented Oct 26, 2023

/test pull-kubernetes-e2e-kind-alpha-features

@jiahuif
Member Author

jiahuif commented Oct 26, 2023

/remove-label kind/api-change

@k8s-ci-robot
Contributor

@jiahuif: The label(s) /remove-label [kind/api-change](https://github.com/kubernetes/kubernetes/labels/kind%2Fapi-change) cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, official-cve-feed. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/remove-label kind/api-change

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jiahuif
Member Author

jiahuif commented Oct 26, 2023

The alpha features E2E suite has some failures that are not related to this feature. The suite is not required for merging anyway.
@jpbetz , Could you take another look? Thank you.

@k8s-ci-robot
Contributor

@jiahuif: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubernetes-e2e-kind-alpha-features e0af8fb4c51066cc98f2d9393e8a5d0f68baacbf link false /test pull-kubernetes-e2e-kind-alpha-features
pull-kubernetes-e2e-kind-beta-features e0af8fb4c51066cc98f2d9393e8a5d0f68baacbf link false /test pull-kubernetes-e2e-kind-beta-features

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@jiahuif jiahuif force-pushed the feature/validating-admission-policy/crd-typechecking branch from e0af8fb to bc3a8ba Compare October 27, 2023 00:03
@jiahuif
Member Author

jiahuif commented Oct 27, 2023

The beta features e2e job seems broken. I can fix it after code freeze. Here is the result of the e2e suite running locally.

KUBECONFIG=$HOME/.kube/config go test -v ./test/e2e/ --ginkgo.focus='ValidatingAdmissionPolicy' --ginkgo.v | tee /tmp/1.txt
  Oct 26 17:18:38.458: INFO: The --provider flag is not set. Continuing as if --provider=skeleton had been used.
=== RUN   TestE2E
  I1026 17:18:38.459134   63692 e2e.go:117] Starting e2e run "6c439c77-099c-40fa-a0de-34026a6b3b23" on Ginkgo node 1
Running Suite: Kubernetes e2e suite - /home/jhf/go/src/k8s.io/kubernetes/test/e2e
=================================================================================
Random Seed: 1698365918 - will randomize all specs

Will run 4 of 7403 specs
------------------------------
[ReportBeforeSuite] 
/home/jhf/go/src/k8s.io/kubernetes/test/e2e/e2e_test.go:157
[ReportBeforeSuite] PASSED [0.000 seconds]
------------------------------
[SynchronizedBeforeSuite] 
/home/jhf/go/src/k8s.io/kubernetes/test/e2e/e2e.go:77
  Oct 26 17:18:38.584: INFO: >>> kubeConfig: /home/jhf/.kube/config
  Oct 26 17:18:38.585: INFO: Waiting up to 30m0s for all (but 0) nodes to be schedulable
  Oct 26 17:18:38.614: INFO: Waiting up to 5m0s for all daemonsets in namespace 'kube-system' to start
  Oct 26 17:18:38.617: INFO: 2 / 2 pods ready in namespace 'kube-system' in daemonset 'kindnet' (0 seconds elapsed)
  Oct 26 17:18:38.617: INFO: 2 / 2 pods ready in namespace 'kube-system' in daemonset 'kube-proxy' (0 seconds elapsed)
  Oct 26 17:18:38.617: INFO: e2e test version: v0.0.0-master+$Format:%H$
  Oct 26 17:18:38.618: INFO: kube-apiserver version: v1.29.0-alpha.2.641+bc3a8bac0ea99d
  Oct 26 17:18:38.618: INFO: >>> kubeConfig: /home/jhf/.kube/config
  Oct 26 17:18:38.622: INFO: Cluster IP family: ipv4
[SynchronizedBeforeSuite] PASSED [0.038 seconds]
------------------------------
[sig-api-machinery] ValidatingAdmissionPolicy [Privileged:ClusterAdmin] [FeatureGate:ValidatingAdmissionPolicy] [Beta] should validate against a Deployment [sig-api-machinery, FeatureGate:ValidatingAdmissionPolicy, Beta]
/home/jhf/go/src/k8s.io/kubernetes/test/e2e/apimachinery/validatingadmissionpolicy.go:72
  STEP: Creating a kubernetes client @ 10/26/23 17:18:38.725
  Oct 26 17:18:38.725: INFO: >>> kubeConfig: /home/jhf/.kube/config
  STEP: Building a namespace api object, basename validating-admission-policy @ 10/26/23 17:18:38.726
  STEP: Waiting for a default service account to be provisioned in namespace @ 10/26/23 17:18:38.879
  STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 10/26/23 17:18:38.884
  STEP: creating the policy @ 10/26/23 17:18:39.149
  STEP: waiting until the marker is denied @ 10/26/23 17:18:39.381
  STEP: testing a replicated Deployment to be allowed @ 10/26/23 17:18:40.316
  STEP: testing a non-replicated ReplicaSet not to be denied @ 10/26/23 17:18:40.326
  Oct 26 17:18:40.350: INFO: Waiting up to 7m0s for all (but 0) nodes to be ready
  STEP: Destroying namespace "validating-admission-policy-6866" for this suite. @ 10/26/23 17:18:40.353
• [1.631 seconds]
------------------------------
[sig-api-machinery] ValidatingAdmissionPolicy [Privileged:ClusterAdmin] [FeatureGate:ValidatingAdmissionPolicy] [Beta] should allow expressions to refer variables. [sig-api-machinery, FeatureGate:ValidatingAdmissionPolicy, Beta]
/home/jhf/go/src/k8s.io/kubernetes/test/e2e/apimachinery/validatingadmissionpolicy.go:204
  STEP: Creating a kubernetes client @ 10/26/23 17:18:40.371
  Oct 26 17:18:40.371: INFO: >>> kubeConfig: /home/jhf/.kube/config
  STEP: Building a namespace api object, basename validating-admission-policy @ 10/26/23 17:18:40.372
  STEP: Waiting for a default service account to be provisioned in namespace @ 10/26/23 17:18:40.381
  STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 10/26/23 17:18:40.384
  STEP: creating a policy with variables @ 10/26/23 17:18:40.395
  STEP: waiting until the marker is denied @ 10/26/23 17:18:40.405
  STEP: testing a replicated Deployment to be allowed @ 10/26/23 17:18:41.229
  STEP: testing a non-replicated ReplicaSet not to be denied @ 10/26/23 17:18:41.237
  Oct 26 17:18:41.253: INFO: Waiting up to 7m0s for all (but 0) nodes to be ready
  STEP: Destroying namespace "validating-admission-policy-939" for this suite. @ 10/26/23 17:18:41.255
• [0.889 seconds]
------------------------------
[sig-api-machinery] ValidatingAdmissionPolicy [Privileged:ClusterAdmin] [FeatureGate:ValidatingAdmissionPolicy] [Beta] should type check validation expressions [sig-api-machinery, FeatureGate:ValidatingAdmissionPolicy, Beta]
/home/jhf/go/src/k8s.io/kubernetes/test/e2e/apimachinery/validatingadmissionpolicy.go:129
  STEP: Creating a kubernetes client @ 10/26/23 17:18:41.288
  Oct 26 17:18:41.288: INFO: >>> kubeConfig: /home/jhf/.kube/config
  STEP: Building a namespace api object, basename validating-admission-policy @ 10/26/23 17:18:41.289
  STEP: Waiting for a default service account to be provisioned in namespace @ 10/26/23 17:18:41.298
  STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 10/26/23 17:18:41.301
  STEP: creating the policy with correct types @ 10/26/23 17:18:41.311
  STEP: waiting for the type check to finish without any warnings @ 10/26/23 17:18:41.315
  STEP: creating the policy with type confusion @ 10/26/23 17:18:41.425
  STEP: waiting for the type check to finish with warnings @ 10/26/23 17:18:41.429
  Oct 26 17:18:41.544: INFO: Waiting up to 7m0s for all (but 0) nodes to be ready
  STEP: Destroying namespace "validating-admission-policy-4227" for this suite. @ 10/26/23 17:18:41.546
• [0.262 seconds]
------------------------------
[sig-api-machinery] ValidatingAdmissionPolicy [Privileged:ClusterAdmin] [FeatureGate:ValidatingAdmissionPolicy] [Beta] should type check a CRD [sig-api-machinery, FeatureGate:ValidatingAdmissionPolicy, Beta]
/home/jhf/go/src/k8s.io/kubernetes/test/e2e/apimachinery/validatingadmissionpolicy.go:267
  STEP: Creating a kubernetes client @ 10/26/23 17:18:41.561
  Oct 26 17:18:41.561: INFO: >>> kubeConfig: /home/jhf/.kube/config
  STEP: Building a namespace api object, basename validating-admission-policy @ 10/26/23 17:18:41.562
  STEP: Waiting for a default service account to be provisioned in namespace @ 10/26/23 17:18:41.572
  STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 10/26/23 17:18:41.575
  STEP: creating the CRD @ 10/26/23 17:18:41.584
  STEP: creating a vaild policy for crontabs @ 10/26/23 17:18:42.204
  STEP: waiting for the type check to finish without warnings @ 10/26/23 17:18:42.209
  STEP: creating a policy with type-confused expressions for crontabs @ 10/26/23 17:18:42.316
  STEP: waiting for the type check to finish with warnings @ 10/26/23 17:18:42.321
  Oct 26 17:18:42.442: INFO: Waiting up to 7m0s for all (but 0) nodes to be ready
  STEP: Destroying namespace "validating-admission-policy-5755" for this suite. @ 10/26/23 17:18:42.446
• [0.890 seconds]
------------------------------
[SynchronizedAfterSuite] 
/home/jhf/go/src/k8s.io/kubernetes/test/e2e/e2e.go:88
  Oct 26 17:18:42.466: INFO: Running AfterSuite actions on node 1
[SynchronizedAfterSuite] PASSED [0.000 seconds]
------------------------------
[ReportAfterSuite] Kubernetes e2e suite report
/home/jhf/go/src/k8s.io/kubernetes/test/e2e/e2e_test.go:161
[ReportAfterSuite] PASSED [0.000 seconds]
------------------------------

Ran 4 of 7403 Specs in 3.882 seconds
SUCCESS! -- 4 Passed | 0 Failed | 0 Pending | 7399 Skipped
--- PASS: TestE2E (4.01s)
PASS

@jiahuif jiahuif force-pushed the feature/validating-admission-policy/crd-typechecking branch from bc3a8ba to fd13266 Compare October 27, 2023 19:26
@jiahuif
Member Author

jiahuif commented Oct 27, 2023

Re-based to resolve merge conflict. PTAL.

@cici37
Contributor

cici37 commented Oct 27, 2023

The current PR aims to add type checking for CRD and aggregated types with the following limitations:

  1. The current type checking is based on Policy create/updates; it doesn't matter whether the policy is in use or not.
  2. If the CRD type changed without a Policy change, the type checking result will not be refreshed (which means that if the type checking error has been fixed, it might not be reflected immediately in the type checking result).
  3. If the CRD is created after policy creation/update, the CRD type check will not be reflected in the type checking result.

This sounds good to me since the feature is still in beta and the changes improve the usability without modifying any existing behavior.
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 27, 2023
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 183ea48b7b17b0e32ea3d931de741824dbadb877

@cici37
Contributor

cici37 commented Oct 27, 2023

Additional thoughts (thanks @jiahuif for the initial scalability test result; could you briefly summarize it here or somewhere in a doc?): keeping a watch on all resource types for type checking does not seem to scale well (especially with a large number of policies referencing a large number of CRDs with the current schema watcher). Curious about other thoughts on the tradeoffs between usability of type checking vs. scalability :)

@jpbetz
Contributor

jpbetz commented Oct 27, 2023

/approve
I agree with @cici37's summary above; I think this is a reasonable milestone.

@cici37
Contributor

cici37 commented Oct 27, 2023

/assign @deads2k
for controller approval. Thanks!

@@ -268,7 +268,16 @@ func (c *TypeChecker) typesToCheck(p *v1beta1.ValidatingAdmissionPolicy) []schem
}
resolved, err := c.RestMapper.KindsFor(gvr)
if err != nil {
continue
if restMapperRefreshAttempted {
// RESTMapper refresh happens at most once per policy
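Review bot: the comment on the restMapperRefreshAttempted guard says the refresh happens "at most once per policy", but since the flag is checked inside typesToCheck it bounds the refresh to once per call, i.e. once per reconcile of the policy (the point raised in the thread below); suggest the comment say "at most once per typesToCheck call (one policy reconcile)". Separately, in the lines shown the err from KindsFor is dropped on the `continue` path, so a GVR that still cannot be resolved after the refresh (for example a CRD that does not exist yet) silently falls out of the type check and nothing explains the missing warnings; consider surfacing the unresolved GVR as a type-checking warning or at least logging gvr and err at a verbose level.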
Contributor

It's actually once per policy per reconcile, right?

Member Author

Yes! Because there is no schema-watching re-requeue, a policy can be rechecked only due to a mutation to itself. If the policy mutated, the referred set of resources may change too (and we don't track that), thus once per policy-reconcile is reasonable.
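The refresh budget described in the PR description and this review thread (one RESTMapper refresh per policy reconcile) and the limitations cici37 lists above, replayed as an added Go example that is not part of the PR's code: GVR, GVK, Mapper and fakeMapper are hypothetical stand-ins for the apimachinery types and the RESTMapper, and the resource names are constructed.

```go
package main

import "errors"

// GVR and GVK are simplified stand-ins for schema.GroupVersionResource and
// schema.GroupVersionKind (hypothetical types, not k8s.io/apimachinery's).
type GVR struct{ Group, Version, Resource string }
type GVK struct{ Group, Version, Kind string }

// Mapper is the slice of the RESTMapper surface the type checker needs;
// Reset stands in for the RESTMapper refresh (re-running discovery).
type Mapper interface {
	KindsFor(gvr GVR) ([]GVK, error)
	Reset()
}

// fakeMapper answers from a discovery snapshot taken at Reset time, so a CRD
// added to live after the snapshot stays unknown until the next Reset.
type fakeMapper struct {
	live, snapshot map[GVR]GVK // live = what the API server serves now (constructed)
	resets         int
}

func (m *fakeMapper) Reset() {
	m.resets++
	m.snapshot = make(map[GVR]GVK, len(m.live))
	for k, v := range m.live {
		m.snapshot[k] = v
	}
}

func (m *fakeMapper) KindsFor(gvr GVR) ([]GVK, error) {
	if gvk, ok := m.snapshot[gvr]; ok {
		return []GVK{gvk}, nil
	}
	return nil, errors.New("no kinds for resource " + gvr.Resource)
}

// typesToCheck resolves the GVRs a policy matches to kinds. As in the PR, the first
// unresolvable GVR buys one mapper refresh for this call (one reconcile of the
// policy); any later failure in the same call is skipped, not retried.
func typesToCheck(m Mapper, gvrs []GVR) (resolved []GVK, skipped []GVR) {
	refreshAttempted := false
	for _, gvr := range gvrs {
		kinds, err := m.KindsFor(gvr)
		if err != nil && !refreshAttempted {
			refreshAttempted = true
			m.Reset()
			kinds, err = m.KindsFor(gvr)
		}
		if err != nil {
			skipped = append(skipped, gvr) // still unknown, or refresh already spent
			continue
		}
		resolved = append(resolved, kinds...)
	}
	return resolved, skipped
}

// Scenario replays the thread's limitations on constructed data: the kinds resolved
// by reconcile 1, then per reconcile the skipped-GVR count and the cumulative
// refresh count (the initial discovery counts as 1).
func Scenario() (kinds []GVK, skipped, refreshes []int) {
	deployments := GVR{"apps", "v1", "deployments"}
	crontabs := GVR{"stable.example.com", "v1", "crontabs"}
	widgets := GVR{"stable.example.com", "v1", "widgets"}
	gadgets := GVR{"stable.example.com", "v1", "gadgets"}
	m := &fakeMapper{live: map[GVR]GVK{deployments: {"apps", "v1", "Deployment"}}}
	m.Reset()                                                     // initial discovery, no CRDs yet
	m.live[crontabs] = GVK{"stable.example.com", "v1", "CronTab"} // CRD applied afterwards
	record := func(s []GVR) { skipped, refreshes = append(skipped, len(s)), append(refreshes, m.resets) }
	// Reconcile 1 (policy created): crontabs misses the stale snapshot; one refresh finds it.
	kinds, s := typesToCheck(m, []GVR{deployments, crontabs})
	record(s)
	// Reconcile 2 (policy updated to match two unknown CRDs): both fail, one refresh total.
	_, s = typesToCheck(m, []GVR{widgets, gadgets})
	record(s)
	// The widgets CRD is created now; nothing requeues the policy on CRD events, so the
	// stale result stands until the policy itself is updated (reconcile 3).
	m.live[widgets] = GVK{"stable.example.com", "v1", "Widget"}
	_, s = typesToCheck(m, []GVR{widgets, gadgets})
	record(s)
	return kinds, skipped, refreshes
}
```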

@deads2k
Contributor

deads2k commented Oct 30, 2023

With aggregated discovery, the additional discovery cost on each reconcile is tolerable.

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, jiahuif, jpbetz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 30, 2023
@k8s-ci-robot k8s-ci-robot merged commit ceea5fd into kubernetes:master Oct 30, 2023
15 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Oct 30, 2023