New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MutatingAdmissionPolicy implementation #123332
base: master
Are you sure you want to change the base?
MutatingAdmissionPolicy implementation #123332
Conversation
0efb78b
to
0958983
Compare
b35e987
to
fc84831
Compare
need this to know when to invalidate the cache
c9a3749
to
01d383c
Compare
to be used by mutating dispatcher
f9e04db
to
ff6a155
Compare
and account for the fact we will need separate evaluator for each mutation to handle reinvocation
ce34c1e
to
327983a
Compare
// ParamKind specifies the kind of resources used to parameterize this policy. | ||
// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. | ||
// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. | ||
// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. | |
// If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review. Updated :)
MatchConstraints *MatchResources | ||
|
||
// Mutations contain CEL expressions which is used to apply the mutation. | ||
// Mutations may be empty; a minimum of one Mutations is required. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
may not be?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated.
9ff2450
to
a1a5fbd
Compare
// * mutations that use this option may be reordered to minimize the number of additional invocations. | ||
// * to validate an object after all mutations are guaranteed complete, use a validating admission policy instead. | ||
// | ||
// Defaults to "Never". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I prefer to default to IfNeeded so that by default every check will be able to see mutations made by other admission plugins.
and resolve linter issues This makes it more clear how we handle errors for policy plugins. Two types of errors: policy errors, and internal error. Internal error raises internal k8s status immediately and aborts operation. Policy error is handled according to the failure policy of the policy raising the error.
* WIP compilation. * compile during creation not invocation.
3c6be77
to
95b17e5
Compare
95b17e5
to
8e5bb14
Compare
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
8e5bb14
to
baba3f9
Compare
re-based due to introduction of workspace. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: alexzielenski The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/triage accepted |
} | ||
|
||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
// +k8s:prerelease-lifecycle-gen:introduced=1.30 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
today,it's 1.31
What type of PR is this?
/kind feature
What this PR does / why we need it:
Implmentation of mutating admission policy with major missing features:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
/cc @cici37
/cc @jiahuif
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: