-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ValidatingAdmissionPolicy - Type Checking for API Expensions types #119109
ValidatingAdmissionPolicy - Type Checking for API Expensions types #119109
Conversation
698042c
to
30f2942
Compare
f108430
to
e76a39c
Compare
5b09d54
to
b95e42b
Compare
b95e42b
to
e0af8fb
Compare
/test pull-kubernetes-e2e-kind-alpha-features |
/remove-label kind/api-change |
@jiahuif: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The alpha features E2E suite has some failure that is not related to this feature. The suite is not required for merging anyways. |
@jiahuif: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
e0af8fb
to
bc3a8ba
Compare
beta features e2e job seems broken. I can fix it after code freeze. Here is the result of the e2e suite running locally.
|
bc3a8ba
to
fd13266
Compare
Re-based to resolve merge conflict. PTAL. |
The currently PR aims to add the type checking for CRD and aggregated types with following limitations:
This sounds good to me since the feature is still in beta and the changes improved the usability without modifying any existing behavior. |
LGTM label has been added. Git tree hash: 183ea48b7b17b0e32ea3d931de741824dbadb877
|
Additional thoughts(Thanks @jiahuif for the initial scalability test result. Could you briefly summarize here or somewhere in a doc?): Keep watching all resources types for type checking seems not scale great(especially with large number of policies across reference large number of CRDs with the current schema watcher). Curious on other thoughts on the tradeoffs between usability of type checking VS scalability :) |
/approve |
/assign @deads2k |
@@ -268,7 +268,16 @@ func (c *TypeChecker) typesToCheck(p *v1beta1.ValidatingAdmissionPolicy) []schem | |||
} | |||
resolved, err := c.RestMapper.KindsFor(gvr) | |||
if err != nil { | |||
continue | |||
if restMapperRefreshAttempted { | |||
// RESTMapper refresh happens at most once per policy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's actually once per policy per reconcile, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes! Because there is no schema-watching re-requeue, a policy can be rechecked only due to a mutation to itself. If the policy mutated, the referred set of resources may change too (and we don't track that), thus once per policy-reconcile is reasonable.
with aggregated discovery the additional discovery cost each reconcile is tolerable. /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, jiahuif, jpbetz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR adds ValidatingAdmissionPolicy type checking support for CRDs and other API extensions APIS
Special notes for your reviewer:
There is no API changes.
Performance impact:
The RESTMapper is refreshed more often. To limit the impact, the RESTMapper can only be refreshed at most once per policy.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: