fixes operation for "create on update"

[yue9944882]

What this PR does / why we need it:

Set operation to admission.Create for create-on-update requests.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #65553

Special notes for your reviewer:

Release note:

Checks CREATE admission for create-on-update requests instead of UPDATE admission

[yue9944882]

/kind bug
/sig api-machinery

[yue9944882]

/cc @jennybuckley

[jennybuckley]

Thanks for fixing this!

Just a couple comments but otherwise it looks good to me. Also I think it should have a release note since it will fix (change) the behavior of update.

[jennybuckley]

I think we also need to take the && mutatingAdmission.Handles(admission.Update) part out of line 101 and move it after this check. because the operation is currently hard coded as admission.Update there, and It should also be dependent on whether the object exists.

Also, have you looked into how the patcher checks if it is looking at a persisted object? It uses UID since that is guaranteed not to be specified until the object exists. Resource Version might work the same way, but maybe for consistency we should do it the same as in the patcher. https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go#L319-L323

[yue9944882]

@jennybuckley Nice catch. Just sync the change to PATCH. PTAL again. Thx :)

[yue9944882]

For reviewers, this line makes the transformer function dummy.

[yue9944882]

/test pull-kubernetes-e2e-gce

[yue9944882]

/cc @adohe

[adohe-zz]

Overall LGTM. I think @lavalamp could help approve this.

[adohe-zz]

/assign @lavalamp

[jennybuckley]

Thanks for fixing this!

Just a couple comments but otherwise it looks good to me. Also I think it should have a release note since it will fix (change) the behavior of update.

[jennybuckley]

We shouldn't change the patcher, because it doesn't currently allow create on update anyway.

[yue9944882]

@jennybuckley Thx for reviewing. I thought that patcher would finally call store.Update here. So the object would also be created when its AllowCreateOnUpdate is true. Am I missing sth?😃

kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go

Line 359 in e49e3ba

updateObject, _, updateErr := p.restPatcher.Update(ctx, p.name, p.updatedObjectInfo, p.createValidation, p.updateValidation)

[jennybuckley]

Thats true, but that the patcher also checks if the object already exists in it's applyPatch function and returns an error if the object doesn't exist yet.

[yue9944882]

@jennybuckley Make sense 👍

[jennybuckley]

I think this check should be the outer one, and only one of the checks mutatingAdmission.Handles(admission.Create)/mutatingAdmission.Handles(admission.Update) should be done, depending on the result of this accessor.GetResourceVersion() == "" check.

The way you have it now doesn't work in the case where mutatingAdmission.Handles(admission.Create) is false, accessor.GetResourceVersion() == "" is true, and mutatingAdmission.Handles(admission.Update) is true

In that case it would call Update admission, but it should be calling nothing.

[yue9944882]

Nice catch :) Thx

[CaoShuFeng]

If I try to create a pod on update, which is not allowed. Will this still have effect? For example, will this increase quota usage?

[yue9944882]

@CaoShuFeng Thanks for reviewing. I do find some codes need to be trimed in resourcequota controller as u can see in my following commit. And AFAICT resourcequotas would still be fine after these changes WDYT?

[CaoShuFeng]

Sorry that I have no suggestions about how to fix this issue. But I'd be happy to point it out when I see something doesn't work as expected.

Maybe we can ask for good suggestions from more experienced developers. :)

[yue9944882]

@CaoShuFeng Thx all the same. I'm all ears😃

[sttts]

Actually, I don't see any invocation of NewObjectCountEvaluator with allowCreateOnUpdate=true, not in kube and not in OpenShift. Maybe @derekwaynecarr can shed some light on that.

[sttts]

In other words: did we miss creations on update in the quota mechanism before this PR?

[yue9944882]

@sttts I don't see either even search through the whole project. It should have been pruned before 😅

[deads2k]

At a high level I like the idea of making the admission calls more correct. @sttts ptal

/assign @sttts

[sttts]

It looks pretty good. As a last thing I would like to see a "predetermined breaking point" in the patch handler, i.e.:

if len(oldObj.GetUID()) {
  // if we allow this some day, we have this TODO: call the mutating admission chain with the CREATE verb instead of UPDATE
  panic("a PATCH cannot create objects")
}

[yue9944882]

// if we allow this some day, we have this TODO

@sttts #65723 I believe it's coming very soon :)

[sttts]

we usually do %v and err

[sttts]

if isNotZeroObject, err := hasUID(currentObject); err != nil { ... } else if !isNotZeroObject { ... }

[sttts]

isZeroObject := !hasUID(...) makes the logic simpler

[yue9944882]

@sttts I'm afraid we cannot do this because unary operator ! can't be applied to a function returning 2 values.🧐

[sttts]

add another helper. Or even simpler: isPreExistingObject instead of isNotZeroObject. Just to get rid of the double negation.

[jennybuckley]

@sttts
Do we really need to change the patcher here? It doesn't allow create at this point. Before any admission gets called, the check in applyPatch would fail for objects which aren't in storage yet.

https://github.com/kubernetes/kubernetes/pull/64892/files#diff-15bdfc59ec78ff09b509d4a347560a1bR361 to the serverside apply feature branch which adds that functionality, also makes sure that the admission controllers are called correctly. By trying to change it here too we aren't actually changing any behavior, it would just make it harder to merge later.

[sttts]

all this is kind of ugly, agreeing with @jennybuckley. Let's condense the change for the patch here into the simple TODO, no panic. Lgtm then.

[yue9944882]

@sttts Done

[sttts]

misunderstanding I think. Even remove the upper logic. Just a comment: // if we allow create-on-patch, TODO: ...

[yue9944882]

@sttts Oops.. Indeed

[sttts]

what is "this"? 🙂 needs some context, like "if we allow create-on-patch, we have this TODO: ..."

[yue9944882]

/test pull-kubernetes-e2e-kops-aws

[yue9944882]

@sttts PTAL

[sttts]

lgtm from my side.

/assign @deads2k

for final review and approval.

[jennybuckley]

It all looks good to me too, but I'll hold off on giving lgtm since @deads2k is planning to review this.

[deads2k]

The old admission code (at least for quota) used to compare against nil. Am I to understand the old code was wrong?

[deads2k]

The old admission code (at least for quota) used to compare against nil. Am I to understand the old code was wrong?

Ah, it probably was for create on update, but not for create. That kind of makes sense. I'm glad this is getting fixed.

[deads2k]

/lgtm

[k8s-github-robot]

/test all

Tests are more than 96 hours old. Re-running tests.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, yue9944882

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/controller/OWNERS [deads2k]
• pkg/quota/OWNERS [deads2k]
• plugin/pkg/admission/OWNERS [deads2k]
• staging/src/k8s.io/apiserver/OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.