instancetype: Reject Matcher updates without updating RevisionName #9421
if oldMatcher.GetName() != newMatcher.GetName() && newMatcher.GetRevisionName() != "" { | ||
return fmt.Errorf("the Matcher Name has been updated without clearing the RevisionName") | ||
} |
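Review bot: The error string on the second line of this check names neither the old and new Name nor which matcher was involved, and the check works on the generic oldMatcher/newMatcher, so a rejected update gives the user little to act on unless the caller adds that context. Consider including both names in the message, e.g. fmt.Errorf("the Matcher Name has been updated from %q to %q without clearing the RevisionName", ...), and add a short comment above the condition stating why an empty RevisionName is the accepted value.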
Change this to
    if oldMatcher.GetName() != newMatcher.GetName() && oldMatcher.GetRevisionName() == newMatcher.GetRevisionName() {
        return fmt.Errorf("the Matcher Name has been updated without updating the RevisionName")
    }
to allow changing to a different matcher with a specific revision in one go?
/retest-required |
/lgtm
Thanks!
/cherrypick release-0.59 |
@lyarwood: once the present PR merges, I will cherry-pick it on top of release-0.59 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
return nil | ||
} | ||
|
||
func validateMatcherUpdate[M v1.Matcher](oldMatcher M, newMatcher M) error { |
Why generic?
To save duplicating the logic below between {Instancetype,Preference}Matcher.
func validateMatcherUpdate(oldMatcher, newMatcher v1.Matcher) error works fine. Can you elaborate?
@xpivarc hopefully that answered your question, would you mind taking another look?
> func validateMatcherUpdate(oldMatcher, newMatcher v1.Matcher) error works fine. Can you elaborate?

facepalm I'll drop this now sorry.
@@ -125,6 +147,7 @@ var _ = Describe("VirtualMachine Mutator", func() { | |||
|
|||
k8sClient = k8sfake.NewSimpleClientset() | |||
virtClient.EXPECT().CoreV1().Return(k8sClient.CoreV1()).AnyTimes() | |||
virtClient.EXPECT().AppsV1().Return(k8sClient.AppsV1()).AnyTimes() |
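Review bot: The AppsV1() expectation on the last line uses .AnyTimes(), which is also satisfied by zero calls, so in this shared setup it cannot show that any test actually uses the AppsV1 client. Scope it to the tests that need it and, where the call is expected, prefer a bounded count such as .Times(1) or .MinTimes(1).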
Why is this required?
Good question, the mutation webhook will attempt to lookup any preference related ControllerRevisions but ultimately swallow any errors later in the mutation flow:

kubevirt/pkg/virt-api/webhooks/mutating-webhook/mutators/vm-mutator.go, lines 136 to 141 in 7d90329:

    preferenceSpec, err := mutator.InstancetypeMethods.FindPreferenceSpec(vm)
    if err != nil {
        // Log but ultimately swallow any preference lookup errors here and let the validating webhook handle them
        log.Log.Reason(err).Error("Ignoring error attempting to lookup PreferredMachineType.")
        return nil
    }
But it is required for the introduced context and not for this one. So can we move it?
Yup that's true, I'll move it down.
Sorry I forgot to submit my review
/approve
@0xFelix Can you give this one proper look?
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: xpivarc The full list of commands accepted by this bot can be found here. The pull request process is described here
if oldPreferenceMatcher == nil && newPreferenceMatcher == nil { | ||
return nil | ||
} | ||
if err := validateMatcherUpdate(*oldPreferenceMatcher, *newPreferenceMatcher); err != nil { |
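Review bot: The dereferences *oldPreferenceMatcher and *newPreferenceMatcher on the last line will panic when exactly one of the pointers is nil, because the guard above only returns when both are nil (&&). An update that adds or removes the preference matcher would reach this line; return early when either side is nil (||) or handle the one-sided case explicitly, and add a test covering it.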
Can you pass the matchers without derefing them?
edit - Apologies replied to the wrong comment, staticcheck was complaining about something before when I tried this but it's working now. Updated.
} | ||
|
||
func validatePreferenceMatcherUpdate(oldPreferenceMatcher *v1.PreferenceMatcher, newPreferenceMatcher *v1.PreferenceMatcher) []metav1.StatusCause { | ||
if oldPreferenceMatcher == nil && newPreferenceMatcher == nil { |
What happens if only one matcher is nil? Will it panic?
Yeah good catch, updated the && above, should be || to skip the check when one side isn't provided when they are initially introduced or later dropped.
As set out in issue kubevirt#9132 requests to update the Name of an {Instancetype,Preference}Matcher were always accepted regardless of the RevisionName being cleared or updated. This would result in an older and likely unwanted ControllerRevision being used containing an outdated or completely wrong Instancetype or Preference.

With this change the VM mutation webhook will now reject requests to update the target Name of a {Instancetype,Preference}Matcher without also clearing or updating the RevisionName.

Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
Thanks! /lgtm |
@lyarwood: The following test failed, say
/retest-required |
/retest-required |
/retest-required |
@lyarwood: new pull request created: #9500 In response to this:
/area instancetype

What this PR does / why we need it:

As set out in issue #9132 requests to update the Name of an {Instancetype,Preference}Matcher were always accepted regardless of the RevisionName also being updated. This would result in an older and likely unwanted ControllerRevision being used containing an outdated or completely wrong Instancetype or Preference.

With this change the VM mutation webhook will now reject requests to update the target Name of a {Instancetype,Preference}Matcher without also updating the RevisionName.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

Fixes #9132

Special notes for your reviewer:

Release note: