api server: patch operation should use patched object to check admission control #19479
Comments
@smarterclayton @kubernetes/goog-csi @kubernetes/rh-cluster-infra is there a group for API server? @kubernetes/kube-iam this affects field level authorization. |
I think I want to apply the admission chain twice. Once for patch as-is and once for "update" with the patched object. This is necessary because admission may mutate the patch itself before it's applied, so you can't patch the object ahead of time.
Why? |
If you check for the patch as is, admission control plugins would have to special-case objects that are not complete.
Since the patch itself may mutate during the admission process, the "patched" object created at the beginning of the admission chain is not guaranteed to be correct, so it would be incorrect for an admission controller to do any work against the "patched" object.
It may make sense then to have a separate operation (Patch?) for admission control plugins to explicitly check / mutate patches and not special case complete/incomplete objects on update. |
@kubernetes/sig-api-machinery On Mon, Jan 11, 2016 at 10:54 AM, Cesar Wong notifications@github.com
Update is a totally separate kind of operation from create, and IMO needs to have a different admission mechanism. Specifically, I think you need an admission call that passes the old object and the proposed object (patched, if appropriate). Otherwise, you have no way to forbid certain transitions. Just because the initial and final states are independently valid, it does not necessarily mean that the transition between them is allowed. |
I had proposed that before and completely agree. It's fairly involved today because we'd have to deal with guaranteed update and commit retries.
Currently, patch will check admission control with an empty object and, if it passes, will then proceed to update the object with the patch. Admission control plugins don't get a chance to see/validate what is actually going to be updated.
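The empty-object behaviour described in the issue, and the old/new admission call proposed in the thread, as an added Go example that is not Kubernetes code: `Object`, `applyMergePatch`, `admitUpdate` and `admitPatch` are constructed names, and the `phase` transition rule and the `privileged` field are a made-up policy used only to show the contrast.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Object is a minimal stand-in for an API object held as a JSON document.
type Object map[string]interface{}

// applyMergePatch applies an RFC 7386 JSON merge patch to a copy of obj (constructed helper).
func applyMergePatch(obj Object, patch []byte) (Object, error) {
	var p map[string]interface{}
	if err := json.Unmarshal(patch, &p); err != nil {
		return nil, err
	}
	out := Object{}
	for k, v := range obj {
		out[k] = v
	}
	for k, v := range p {
		out[k] = v
		if v == nil { // null in a merge patch removes the key
			delete(out, k)
		}
	}
	return out, nil
}

// admitUpdate is a constructed policy that sees the old and the proposed object, so it
// can forbid a transition between two individually valid states. Calling it as
// admitUpdate(old, Object{}) reproduces the reported behaviour: the patch stays invisible.
func admitUpdate(old, proposed Object) error {
	if old["phase"] == "Terminating" && proposed["phase"] == "Running" {
		return errors.New("forbidden transition: Terminating -> Running")
	}
	if proposed["privileged"] == true {
		return errors.New("privileged objects are not admitted")
	}
	return nil
}

// admitPatch models the proposed fix: apply the patch first, then run
// admission on the old/proposed pair instead of on an empty object.
func admitPatch(old Object, patch []byte) error {
	proposed, err := applyMergePatch(old, patch)
	if err != nil {
		return err
	}
	return admitUpdate(old, proposed)
}
```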