New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor AdmissionPolicy for code sharing with mutating #122919
Refactor AdmissionPolicy for code sharing with mutating #122919
Conversation
89dd6c1
to
68ba230
Compare
I think this is ready for review @cici37 |
also renames to remove stutter comment
96380f5
to
e608dee
Compare
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/accessor.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/plugin.go
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/plugin.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/interfaces.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/interfaces.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/interfaces.go
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
Outdated
Show resolved
Hide resolved
e608dee
to
4b725ba
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've reviewed all the implementation code. Are we satisfied with the test coverage?
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
Show resolved
Hide resolved
// and we'd have a no-op after comparing resource versions on the next sync. | ||
klog.Infof("refreshing policies") | ||
policies, err := s.calculatePolicyData() | ||
s.policies.Store(&policies) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this policies update when a non-nil err
is returned intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, added godocs to make it more clear. err
is non-nil if a policy had a configuration error. We still want those partial policies included in the result to produce errors for the user.
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/interfaces.go
Show resolved
Hide resolved
d04d7d8
to
c3e28ac
Compare
The current refactor passes all existing tests. I reviewed a combined test coverage output for the unit and integration tests against 80% package coverage. The new files of interest have following coverage:
I reviewed the remaining lines which for the most part are unreachable by precondition. I think coverage is good to continue for now. We will have time later in release to improve it even more. |
c3e28ac
to
b7e70f0
Compare
/lgtm |
LGTM label has been added. Git tree hash: 7fad7602acf583611744a6e2f39445700fa6e502
|
Validation and controllers deps cel compiler which moved. The usage didn't change, so we're equivalent /approve |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
for vendor/
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexzielenski, BenTheElder, cici37, deads2k, jpbetz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@alexzielenski: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
KEP-3962 adds MutatingAdmissionPolicy. This PR refactors the ValidatingAdmissionPolicy code to be useable from mutatingadmissionpolicy, and makes it look a lot like the familiar generic webhook implementation.
ValidatingAdmissionPolicy controller was already split into
controller.go
andcontroller_reconcile.go
. This separation just happened to be the same separation used for the webhook framework'sdispatcher
andsource
concepts; so it was natural to refactor it in the same way.I created a generic admission Plugin framework (that may also be merged with webhooks eventually? sicne it is very similar) which links together a Source and a Dispatcher. The source is in charge of gathering configurations and digesting them into "Hooks", or in our case matching policies/bindings/params. The dispatcher evaluates the compiled & matched policies/bindings from the source to evaluate them against an admissoin request.
For mutating and validating admission policy, we can share the same
PolicySource[P, B]
to manage params, matching policies to bindings, and compilation where P, B are the types for the (Validating/Mutating)Admission(Policy/Biinding). Most of the code forcontroller_reconcile.go
was used for this implementation.The dispatcher for validating/mutating will be different. For validating, it was a small refactor to change
controller.go
into a dispatcher in the new framework. Mutating dispatcher will come in a future PR.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
/assign @cici37 @jiahuif
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: