MutatingAdmissionPolicy implementation #123332
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
release-note-none
k8s-ci-robot
added
do-not-merge/work-in-progress
alexzielenski
force-pushed
the
apiserver/policy/mutating-fw-imp
branch
from
0efb78b
to
0958983
Compare
k8s-ci-robot
added
size/XXL
alexzielenski
force-pushed
the
apiserver/policy/mutating-fw-imp
branch
2 times, most recently
from
b35e987
to
fc84831
Compare
4 tasks
k8s-ci-robot
removed
the
approved
need this to know when to invalidate the cache
alexzielenski
force-pushed
the
apiserver/policy/mutating-fw-imp
branch
from
c9a3749
to
01d383c
Compare
This was referenced Feb 21, 2024
to be used by mutating dispatcher
alexzielenski
force-pushed
the
apiserver/policy/mutating-fw-imp
branch
3 times, most recently
from
f9e04db
to
ff6a155
Compare
and account for the fact we will need separate evaluator for each mutation to handle reinvocation
alexzielenski
force-pushed
the
apiserver/policy/mutating-fw-imp
branch
2 times, most recently
from
ce34c1e
to
327983a
Compare
| // ParamKind specifies the kind of resources used to parameterize this policy. | ||
| // If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. | ||
| // If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. | ||
| // If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. |
There was a problem hiding this comment.
Suggested change
| // If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. | |
| // If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null. |
There was a problem hiding this comment.
Thanks for the review. Updated :)
| MatchConstraints *MatchResources | ||
|
|
||
| // Mutations contain CEL expressions which is used to apply the mutation. | ||
| // Mutations may be empty; a minimum of one Mutations is required. |
alexzielenski
force-pushed
the
apiserver/policy/mutating-fw-imp
branch
from
9ff2450
to
a1a5fbd
Compare
deads2k
reviewed
Feb 28, 2024
| // * mutations that use this option may be reordered to minimize the number of additional invocations. | ||
| // * to validate an object after all mutations are guaranteed complete, use a validating admission policy instead. | ||
| // | ||
| // Defaults to "Never". |
There was a problem hiding this comment.
I prefer to default to IfNeeded so that by default every check will be able to see mutations made by other admission plugins.
and resolve linter issues This makes it more clear how we handle errors for policy plugins. Two types of errors: policy errors, and internal error. Internal error raises internal k8s status immediately and aborts operation. Policy error is handled according to the failure policy of the policy raising the error.
* WIP compilation. * compile during creation not invocation.
alexzielenski
force-pushed
the
apiserver/policy/mutating-fw-imp
branch
from
3c6be77
to
95b17e5
Compare
alexzielenski
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
alexzielenski
force-pushed
the
apiserver/policy/mutating-fw-imp
branch
from
95b17e5
to
8e5bb14
Compare
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
k8s-ci-robot
added
the
needs-rebase
jiahuif
force-pushed
the
apiserver/policy/mutating-fw-imp
branch
from
8e5bb14
to
baba3f9
Compare
|
re-based due to introduction of workspace. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: alexzielenski The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
removed
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
| } | ||
|
|
||
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
| // +k8s:prerelease-lifecycle-gen:introduced=1.30 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
What this PR does / why we need it:
Implmentation of mutating admission policy with major missing features:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
/cc @cici37
/cc @jiahuif
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: