
API for immutable Secrets and ConfigMaps #86377

Merged: 3 commits into kubernetes:master, Jan 18, 2020

Conversation

wojtek-t (Member)

This implements the API part of the KEP (allow for marking secrets/configmaps as immutable + necessary bits to enforce that and e2e tests for it).

The Kubelet part is not yet implemented (though this part by itself solves the first user problem, being the ability to protect from accidental bad pushes).

Part of kubernetes/enhancements#1412

Introduce Alpha field `Immutable` in both Secret and ConfigMap objects to mark their contents as immutable. The implementation is hidden behind feature gate `ImmutableEphemeralVolumes` (currently in Alpha stage).
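The update rule the description sketches (the flag is a one-way switch, data is frozen once it is true, object metadata stays editable), as an added Go example written for this page, not code from the PR; `Secret`, `ValidateUpdate`, `isTrue` and `ErrImmutable` are constructed stand-ins for the Kubernetes types, and treating nil-or-false to true as a permitted transition is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Secret is a constructed, minimal stand-in for the Kubernetes Secret:
// only the pieces the immutability rule touches.
type Secret struct {
	Labels    map[string]string // object metadata: always updatable
	Type      string            // already immutable in Kubernetes
	Immutable *bool             // nil means "not set" and behaves like false
	Data      map[string][]byte
}

// ErrImmutable is returned when an update would change frozen content.
var ErrImmutable = errors.New("field is immutable when `immutable` is set")

func isTrue(b *bool) bool { return b != nil && *b }

// ValidateUpdate applies the rule the PR describes: once Immutable is true on
// the stored object, neither the flag nor the data may change; metadata edits
// remain allowed, and nil/false -> true is a one-way switch (assumed here).
func ValidateUpdate(newS, oldS *Secret) error {
	if newS.Type != oldS.Type {
		return fmt.Errorf("type: %w", ErrImmutable)
	}
	if !isTrue(oldS.Immutable) {
		return nil // stored object not frozen: data and flag may change
	}
	if !isTrue(newS.Immutable) {
		return fmt.Errorf("immutable: %w", ErrImmutable) // true -> false/nil
	}
	if !reflect.DeepEqual(newS.Data, oldS.Data) {
		return fmt.Errorf("data: %w", ErrImmutable)
	}
	return nil
}

func main() {
	t := true
	old := &Secret{Type: "Opaque", Immutable: &t, Data: map[string][]byte{"k": []byte("v")}}
	upd := &Secret{Type: "Opaque", Immutable: &t, Data: map[string][]byte{"k": []byte("v2")}}
	fmt.Println(ValidateUpdate(upd, old)) // data change on a frozen Secret is rejected
	upd.Data = old.Data
	upd.Labels = map[string]string{"team": "a"}
	fmt.Println(ValidateUpdate(upd, old)) // metadata-only change is allowed
}
```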

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 18, 2019
@k8s-ci-robot k8s-ci-robot added area/kubectl area/test kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 18, 2019
@wojtek-t wojtek-t changed the title [WIP] API for immutable Secrets and ConfigMaps API for immutable Secrets and ConfigMaps Dec 18, 2019
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 18, 2019
@fejta-bot

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@@ -5354,6 +5354,10 @@
"description": "Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.",
"type": "object"
},
"immutable": {
"description": "Immutable field, if set, ensures that data stored in the configmap cannot be updated (only object metadata can be modified). This is an alpha field enabled by ImmutableEphemeralVolumes feature gate.",
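Review bot: "if set" is ambiguous for a boolean field; the description should say "if set to true", since a value of false leaves the ConfigMap mutable, and it should state that `binaryData` is frozen together with `data`, given the preceding `data` description already distinguishes the two. It should also state the default (an unset field behaves as false, which is how the update validation in this PR treats it). Suggested: "Immutable, if set to true, ensures that data stored in the ConfigMap (both data and binaryData) cannot be updated; only object metadata can be modified. Defaults to false. This is an alpha field enabled by the ImmutableEphemeralVolumes feature gate."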
Contributor

nit, capitalization

Suggested change
"description": "Immutable field, if set, ensures that data stored in the configmap cannot be updated (only object metadata can be modified). This is an alpha field enabled by ImmutableEphemeralVolumes feature gate.",
"description": "Immutable field, if set, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). This is an alpha field enabled by ImmutableEphemeralVolumes feature gate.",

Member Author

Done

@saad-ali (Member) left a comment

The Kubelet part is not yet implemented (though this part by itself solves the first user problem, being the ability to protect from accidental bad pushes).

Is the plan to get the kubelet changes in this release as well?

pkg/apis/core/validation/validation.go (review thread resolved)
pkg/registry/core/configmap/strategy.go (outdated, review thread resolved)
pkg/apis/core/validation/validation.go (review thread resolved)
@wojtek-t (Member Author)

wojtek-t commented Jan 6, 2020

Is the plan to get the kubelet changes in this release as well?

Yes - I have them as part of my POC - just need to clean them up.
That said, I think this PR is self-contained, so I was thinking about doing them as a separate PR.

Re other comments - thanks, will address them.

@wojtek-t (Member Author) left a comment

@saad-ali - thanks for the review.
Comments addressed or responded to. PTAL

pkg/apis/core/validation/validation.go (review thread resolved)
pkg/apis/core/validation/validation.go (review thread resolved)
@wojtek-t wojtek-t added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 7, 2020
@saad-ali (Member) left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2020
@wojtek-t (Member Author)

wojtek-t commented Jan 8, 2020

Thanks @saad-ali !

@wojtek-t (Member Author)

wojtek-t commented Jan 8, 2020

/assign @thockin
For API approval (already reviewed by Saad (api-reviewer)).

@@ -5424,6 +5424,12 @@ type Secret struct {
// +optional
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

// Immutable field, if set, ensures that data stored in the Secret cannot
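Review bot: the visible lines stop at the first line of the new doc comment, so make sure the field declaration that follows carries `// +optional` and a `json:"immutable,omitempty"` tag with a protobuf tag numbered consistently with the `metadata` line above; an `Immutable *bool` without `omitempty` would serialize as `"immutable": null` on every existing Secret. The comment itself should also name the default and the `ImmutableEphemeralVolumes` gate, as the OpenAPI description in this PR does.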
Member

Since comments become docs...

"Immutable ensures that data ..." (basically drop 'field')

Member

Document the default?

Member

Is this field updatable or only set at creation?

Member

Can this field change from false to true?

Member Author

Addressed all (here and in configmap).

}

func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
return validation.ValidateSecretUpdate(obj.(*api.Secret), old.(*api.Secret))
}

func dropDisabledFields(secret *api.Secret, oldSecret *api.Secret) {
if !utilfeature.DefaultFeatureGate.Enabled(features.ImmutableEphemeralVolumes) && oldSecret == nil {
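Review bot: the guard in `dropDisabledFields` clears the field only on create (`oldSecret == nil`). On an update with the gate disabled, when the stored object has no `immutable` value, the new object's value survives, so a client can still introduce the alpha field through the update path. The usual pattern is a helper such as `immutableInUse(old *api.Secret) bool { return old != nil && old.Immutable != nil }` and `if !utilfeature.DefaultFeatureGate.Enabled(features.ImmutableEphemeralVolumes) && !immutableInUse(oldSecret) { secret.Immutable = nil }`, which drops the field on both paths while preserving it on objects that already carry it.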
Member

Most times I see this call an "is in use" function that encapsulates both old == nil and old.field == nil.

pkg/registry/core/configmap/strategy.go (outdated, review thread resolved)
pkg/apis/core/validation/validation.go (review thread resolved)
@@ -5005,6 +5005,16 @@ func ValidateSecretUpdate(newSecret, oldSecret *core.Secret) field.ErrorList {
}

allErrs = append(allErrs, ValidateImmutableField(newSecret.Type, oldSecret.Type, field.NewPath("type"))...)
if oldSecret.Immutable != nil && *oldSecret.Immutable {
if !reflect.DeepEqual(newSecret.Immutable, oldSecret.Immutable) {
allErrs = append(allErrs, field.Forbidden(field.NewPath("immutable"), "field is immutable when immutable is set"))
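Review bot: `reflect.DeepEqual` on two `*bool` values works (it compares the pointed-to booleans) but hides the intent; since this branch is only entered when the old value is true, `newSecret.Immutable == nil || !*newSecret.Immutable` states the rule directly, rejects both true->false and true->unset, and needs no reflect. Please add update tests for the three flag transitions (nil->true allowed, true->false and true->nil rejected) and for a `data` change on an immutable Secret, which the visible lines do not yet cover.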
Member

Agree with @wojtek-t

field names in errors should be back-quoted: "when immutable is set"

@wojtek-t (Member Author) left a comment

@thockin - comments addressed; PTAL

pkg/apis/core/validation/validation.go (review thread resolved)
@@ -5005,6 +5005,16 @@ func ValidateSecretUpdate(newSecret, oldSecret *core.Secret) field.ErrorList {
}

allErrs = append(allErrs, ValidateImmutableField(newSecret.Type, oldSecret.Type, field.NewPath("type"))...)
if oldSecret.Immutable != nil && *oldSecret.Immutable {
if !reflect.DeepEqual(newSecret.Immutable, oldSecret.Immutable) {
allErrs = append(allErrs, field.Forbidden(field.NewPath("immutable"), "field is immutable when immutable is set"))
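Review bot: the message "field is immutable when immutable is set" does not match the guard above it, which fires only when the stored `immutable` is true, not merely non-nil; a Secret with `immutable: false` can still be changed. Suggest "field is immutable when `immutable` is true", with the same wording in the ConfigMap validation.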
Member Author

Fixed (both here, below and for configmap)

}

func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
return validation.ValidateSecretUpdate(obj.(*api.Secret), old.(*api.Secret))
}

func dropDisabledFields(secret *api.Secret, oldSecret *api.Secret) {
if !utilfeature.DefaultFeatureGate.Enabled(features.ImmutableEphemeralVolumes) && oldSecret == nil {
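Review bot: the `dropDisabledFields(secret, oldSecret)` signature now takes the old object, but the visible lines do not show its callers; both `PrepareForCreate` (passing `nil`) and `PrepareForUpdate` (passing the stored Secret) must call it before validation runs, otherwise an update can carry the field past a disabled gate. A one-line comment on the function stating that `oldSecret == nil` means create would help the next reader.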
Member Author

done (both here and in configmap)

@@ -5424,6 +5424,12 @@ type Secret struct {
// +optional
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

// Immutable field, if set, ensures that data stored in the Secret cannot
Member Author

Addressed all (here and in configmap).

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 13, 2020
@wojtek-t (Member Author)

/retest


@wojtek-t (Member Author)

@thockin - this is now ready for the second pass (test failures are unrelated flakes)

/retest

@thockin (Member) left a comment

Last bit can be a followup

Thanks!

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 18, 2020
@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: thockin, wojtek-t

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 18, 2020
@fejta-bot
/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.


@k8s-ci-robot k8s-ci-robot merged commit 37d9c22 into kubernetes:master Jan 18, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Jan 18, 2020
uthark added a commit to uthark/kubernetes.github.io that referenced this pull request Jul 21, 2020
wking pushed a commit to wking/kubernetes that referenced this pull request Jul 21, 2020
API for immutable Secrets and ConfigMaps

Kubernetes-commit: 37d9c22