-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubectl: Verify dry run support #69449
kubectl: Verify dry run support #69449
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: apelisse The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
749bc05
to
782bda2
Compare
/kind bug |
pkg/kubectl/cmd/apply.go
Outdated
@@ -684,6 +693,22 @@ type patcher struct { | |||
} | |||
|
|||
func (p *patcher) patchSimple(obj runtime.Object, modified []byte, source, namespace, name string, errOut io.Writer) ([]byte, runtime.Object, error) { | |||
if p.serverDryRun { | |||
doc, err := p.discoveryClient.OpenAPISchema() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
patchSimple is already a large function. Should we break this check into it's own patcher method? Additionally, can we add significant comments to describe why this is necessary (what bug this fixes).
|
||
func checkExtension(extensions []*openapi_v2.NamedAny, gvk schema.GroupVersionKind) bool { | ||
for _, extension := range extensions { | ||
if extension.GetValue().GetYaml() == "" || |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not familiar with this method of getting data out of the openapi doc... it's yaml-encoded?
cc @mbohlool for review
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since vendor extensions can be any type of yaml data in the openapi spec, this framework is just keeping it as bytes that can be decoded into whatever needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Antonie used gnostic openapi structs more than me, if this works, I am fine with it. If I want to be on the safe side, I will only check the name and if the value is empty, log error or fail or something because that is not usual.
1895724
to
277bfa4
Compare
pkg/kubectl/cmd/apply.go
Outdated
// supports dryRun. Sending dryRun requests to apiserver that don't | ||
// support it will result in objects being unwillingly persisted. | ||
// | ||
// If the GVK can not be found (it can be a CRD or a resource coming |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I won't do this assumption specially for aggregated server. I would say it safer to say it does not support dry-run than assuming it does.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. I guess my argument is that this piece of code is safer than what we have today (nothing is checked at all).
"k8s.io/apimachinery/pkg/runtime/schema" | ||
) | ||
|
||
func checkExtension(extensions []*openapi_v2.NamedAny, gvk schema.GroupVersionKind) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would use a better name here.e.g., hasGVKExtension
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good suggestion, thank you!
277bfa4
to
8e67678
Compare
8e67678
to
11ffcfe
Compare
I've been caught by the gofmt change! :-) Fixed all the things. |
/retest |
/retest Review the full test history for this PR. Silence the bot with an |
7 similar comments
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
11ffcfe
to
40028fd
Compare
We don't want to run dryRun requests against servers that don't support dry-run, since they might ignore the flag and just persist the unwanted changes. This creates a new method that checks in the OpenAPI if the dryRun parameter can be used.
Finding out if a Group-version-kind is a CRD is useful, since we want to detect dry-run ability differently for CRDs.
For each object, first we verify if they have a dryRun parameter in the openapi for the patch verb. If we can't find the object, we assume that CRD will behave like "namespace". So we check if namespace supports dryRun. If it does, then we verify that the resource is a CRD.
40028fd
to
f2e2a93
Compare
/retest |
We want to verify if the resource supports dry-run before we send dry-run queries to it, because old servers are just ignoring the query-param and will persist the objects. Not good.
Even though the heuristic isn't perfect yet, I think it's obviously better than what we have today.
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: