Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR #662

Merged
merged 24 commits into from
Feb 20, 2020
Merged

#644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR #662

merged 24 commits into from
Feb 20, 2020

Conversation

shravanshetty1
Copy link
Contributor

No description provided.

@shravanshetty1
Copy link
Contributor Author

Since i am unclear on why these changes are required, i would like these changes to be reviewed before i test them .etc.

@shravanshetty1 shravanshetty1 mentioned this pull request Jan 30, 2020
Closed
@JimBugwadia
Copy link
Member

JimBugwadia commented Feb 6, 2020
edited

@shravanshetty1 here is the reason for doing this change request:

From https://github.com/nirmata/kyverno/issues/634

If a rule has this exclude block:

    exclude:
      resources:
        kinds:
        - Pod
      clusterroles:
        - cluster-admin
        - admin

the user expectation is that the kinds and clusterroles are processed as an logical AND. The current implementation was a logical OR.

Does that help clarify the intent?

@shravanshetty1
Copy link
Contributor Author

@JimBugwadia Yes this does clarify the intent will update the PR by EOD

JimBugwadia
JimBugwadia requested changes Feb 6, 2020
View reviewed changes
Copy link
Member

@JimBugwadia JimBugwadia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The intent is to combine the resource kind and user info checks into a single logical AND check. We still need both checks.

The error reporting should indicate the precise conditions that fail.

We can extract these checks into a separate method.

@shravanshetty1 shravanshetty1 changed the title [WIP] #644 - Match/Exclude filters should be applied to policies before they reach engine [WIP] #644 - Match/Exclude conditions should be processed a logical AND instead of a logical OR Feb 6, 2020
@shravanshetty1 shravanshetty1 changed the title [WIP] #644 - Match/Exclude conditions should be processed a logical AND instead of a logical OR [WIP] #644 - Match/Exclude conditions should be processed as a logical AND instead of a logical OR Feb 6, 2020
@shravanshetty1 shravanshetty1 changed the title [WIP] #644 - Match/Exclude conditions should be processed as a logical AND instead of a logical OR [WIP] #644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR Feb 6, 2020
golangcibot
golangcibot reviewed Feb 6, 2020
View reviewed changes
pkg/engine/utils.go Outdated Show resolved Hide resolved
pkg/engine/utils.go Outdated Show resolved Hide resolved
@shravanshetty1 shravanshetty1 changed the title [WIP] #644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR #644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR Feb 6, 2020
@shravanshetty1 shravanshetty1 changed the title #644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR [WIP]#644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR Feb 6, 2020
@shravanshetty1 shravanshetty1 changed the title [WIP]#644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR #644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR Feb 7, 2020
@shravanshetty1 shravanshetty1 changed the title #644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR [WIP]#644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR Feb 7, 2020
golangcibot
golangcibot reviewed Feb 9, 2020
View reviewed changes
pkg/engine/utils_test.go Outdated Show resolved Hide resolved
pkg/userinfo/roleRef.go Outdated Show resolved Hide resolved
@shravanshetty1 shravanshetty1 changed the title [WIP]#644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR #644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR Feb 9, 2020
@shravanshetty1
Copy link
Contributor Author

@JimBugwadia Requested changes have been made

@realshuting realshuting mentioned this pull request Feb 18, 2020
Merged
shivdudhani
shivdudhani reviewed Feb 18, 2020
View reviewed changes
Copy link
Contributor

@shivdudhani shivdudhani left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shravanshetty1
Curious to know the reason behind using goroutines to do checks?

  • As most of the checks inside the goroutines are small and fast( wondering if we will spend time just managing the goroutines for tasks like looping over a list of slices). Routines are helpful to process tasks in async but, if the tasks are really small it might be faster to process them sequentially in a single goroutine(could be an overkill, but this is a theoretical observation).
  • The error is captured using a channel and each goroutine can finish at different times, so the order of messages might be different. And we also assign indices after receiving errors, so the order of messages would matter. The generated messages are being used internally, so shouldnt be a major issue. But if we do plan to use the output to the unit tests(we do not check for error text returned), then we would expect the errors to be consistent order.
  • Suggestion, the channel used in each goroutine is open(i.e. send & receive), will be a good design to pass the "sending only" channel if we are just adding error values to it.

@shravanshetty1
Copy link
Contributor Author

@realshuting @shivdudhani

  1. Your correct, it seems like goroutines have alot of overhead to use it for small tasks such as these. I could not find any source about overhead on goroutines, so i decided to bench it myself.
    Screenshot from 2020-02-19 09-52-36
    Concurrent - is the version in PR
    Single - version i created without any go routines
    Hybrid - Kept 2 of the main go routines, since they were making over 50+ instructions concurrent

Seems its better to not have go routines even for 50+ instructions.

  1. Will be removing go routines - should not be an issue now

  2. Will be removing go routines - should not be an issue now

golangcibot
golangcibot reviewed Feb 19, 2020
View reviewed changes
pkg/engine/utils.go Outdated Show resolved Hide resolved
@shravanshetty1
Copy link
Contributor Author

@shravanshetty1
Curious to know the reason behind using goroutines to do checks?

  • As most of the checks inside the goroutines are small and fast( wondering if we will spend time just managing the goroutines for tasks like looping over a list of slices). Routines are helpful to process tasks in async but, if the tasks are really small it might be faster to process them sequentially in a single goroutine(could be an overkill, but this is a theoretical observation).
  • The error is captured using a channel and each goroutine can finish at different times, so the order of messages might be different. And we also assign indices after receiving errors, so the order of messages would matter. The generated messages are being used internally, so shouldnt be a major issue. But if we do plan to use the output to the unit tests(we do not check for error text returned), then we would expect the errors to be consistent order.
  • Suggestion, the channel used in each goroutine is open(i.e. send & receive), will be a good design to pass the "sending only" channel if we are just adding error values to it.

@shivdudhani suggested changes have been made

@realshuting
Copy link
Member

Fix #644.

@realshuting realshuting reopened this Feb 20, 2020
@realshuting realshuting merged commit 8725c5a into kyverno:master Feb 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@golangcibot golangcibot golangcibot left review comments

@shivdudhani shivdudhani shivdudhani approved these changes

@realshuting realshuting realshuting approved these changes

@JimBugwadia JimBugwadia Awaiting requested review from JimBugwadia

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@shravanshetty1 @JimBugwadia @realshuting @shivdudhani @golangcibot