Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ValidatingAdmissionPolicy: support namespace access #118267

Merged
merged 8 commits into from
Jul 15, 2023

Conversation

cici37
Copy link
Contributor

@cici37 cici37 commented May 26, 2023

What type of PR is this?

/kind feature

What this PR does / why we need it:

Support namespace access from CEL expression.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Added namespace access support to the CEL expressions of ValidatingAdmissionPolicy via a `namespaceObject`
variable with expressions.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/issues/3488

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels May 26, 2023
@cici37 cici37 force-pushed the access branch 2 times, most recently from 7607329 to b8e9012 Compare May 26, 2023 21:44
@cici37
Copy link
Contributor Author

cici37 commented May 30, 2023

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 30, 2023
@benluddy
Copy link
Contributor

/cc

@k8s-ci-robot k8s-ci-robot requested a review from benluddy July 11, 2023 16:15
@jiahuif
Copy link
Member

jiahuif commented Jul 11, 2023

/assign

Copy link
Member

@jiahuif jiahuif left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall it's a bit unclear what happens for cluster-scoped objects without a namespace. I did not see a test for this situation either. Otherwise pretty clean and concise.

Comment on lines +89 to +91
// Certain nested fields in Namespace (e.g. managedFields, ownerReferences etc.) are omitted in the generated DeclType
// by design.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm concerned about the maintainability of this function because if later a new field is added to metadata or to to namespace.spec, it will be very hard for a PR author to know to also modify this function to add the field. We useSchemaDeclType() conversion for object even though it has managedFields and ownerReferences. Is it really essential that we omit those fields? Could we just call SchemaDeclType() here? If we REALLY don't want those fields, are we going to remove them from object and oldObject and self and oldSelf when they refer to a root object as well? (the latter is a breaking change)

If we decide to omit the fields (after addressing my above concerns), should we instead offer a SchemaDeclType() style function that always omits the fields from root objects (note that the function does take a "isRoot" param).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If use the schemaResolver that the type checker uses, these SSA fields are already omitted.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this way, the type is built from namespace openAPI definition. The building process does not require networking either but there is a JSON marshall/unmarshall of a small schema object.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anything we can do here to avoid redefining the schema for namespace (and incurring the maintenance cost of having the schema defined in yet another place) would be really really nice.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've reconsidered this matter. I think it is not worthwhile to wire in the whole OpenAPI definitions only for one type. I am planning to compromise with a test to ensure this hand-crafted namespace schema matches that of OpenAPI. What do you think?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's postponed the check a bit later. The handcrafted type looks consistent with v1.Namespace. We can find a way to sync this later in next release since there is no change of behavior on the user's side.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've reconsidered this matter. I think it is not worthwhile to wire in the whole OpenAPI definitions only for one type. I am planning to compromise with a test to ensure this hand-crafted namespace schema matches that of OpenAPI. What do you think?

SGTM!

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 12, 2023
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 13, 2023
@k8s-ci-robot k8s-ci-robot added the sig/testing Categorizes an issue or PR as relevant to SIG Testing. label Jul 14, 2023
@jiahuif
Copy link
Member

jiahuif commented Jul 14, 2023

/label tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jul 14, 2023
@jpbetz
Copy link
Contributor

jpbetz commented Jul 14, 2023

/lgtm
/approve

/assign @deads2k
For API review of API documentation comment change

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 14, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 2de2a6fbe8f2e12b744a5f183aa447489ac03dce

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 14, 2023
@jiahuif
Copy link
Member

jiahuif commented Jul 14, 2023

Typo fix. 'namespaceObject to'namespaceObject'`
/test pull-kubernetes-e2e-kind-alpha-features

@jiahuif
Copy link
Member

jiahuif commented Jul 14, 2023

re-run codegen
/test pull-kubernetes-e2e-kind-alpha-features

@deads2k
Copy link
Contributor

deads2k commented Jul 14, 2023

api change lgtm

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cici37, deads2k, jpbetz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 14, 2023
@cici37
Copy link
Contributor Author

cici37 commented Jul 14, 2023

/lgtm Thank you!

@jiahuif
Copy link
Member

jiahuif commented Jul 14, 2023

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 14, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: b423d5ce4055695071544d148d0d50803ea46fe1

@k8s-ci-robot k8s-ci-robot merged commit 13172cb into kubernetes:master Jul 15, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.28 milestone Jul 15, 2023
maaoBit pushed a commit to maaoBit/kubernetes that referenced this pull request Aug 20, 2024
* Support namespace access from cel expression in validatingadmissionpolicy.

* Whitelist the exposed fields in namespace object and add test

* better handling of cluster-scoped resources.

* [API REVIEW] namespaceObject in Expression doc.

* compatibility with composition.

* generated: ./hack/update-codegen.sh && ./hack/update-openapi-spec.sh

* workaround namespace of namespace is unexpectedly set.

* basic test coverage for namespaceObject.

---------

Co-authored-by: Jiahui Feng <jhf@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
api-review Categorizes an issue or PR as actively needing an API review. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/code-generation area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants