DANM 4.0 EP1: Validating Webhook #82

Merged
merged 6 commits into from
May 21, 2019

Collaborator

@Levovar Levovar commented Apr 29, 2019

Today marks the start of maybe our biggest undertaking since the initial creation of DANM. When all is said and done, it will culminate in what we will call "DANM 4.0".

But what exactly is DANM 4.0? Well, I can't say right now, but we hope once it arrives you will be tempted to re-evaluate everything you have ever thought about how networks should be managed in Kubernetes :)

As Rome (or in case of some people, Paris) wasn't built in one day, we are also pushing out the code in smaller functional chunks. The first functional chunk can actually stand on its own, as it implements a long-awaited functionality already discussed in #23.
This review only implements what is absolutely crucial for DANM 4.0, not all requirements.
Namely, we will execute only the existing DanmNet validation rules for CREATE and MODIFY operations, but nothing else - no new validations are implemented right now, and we are not handling DELETE related use-cases.

The relocation of the validation code is already a complete change compared to the existing modus operandi though, meaning that the full responsibility is transferred over from netwatcher to the new component called webhook. (Ah yeah, webhook is a K8s standard Validating + Mutating Admission Webhook, if this was not self-evident 'til now :) )
Besides finally being able to entirely deny the admittance of a faulty DanmNet into a K8s cluster, webhook also takes over the responsibility of executing the necessary object mutation tasks, such as allocation pool initialization.

@Levovar Levovar changed the title DANM 4.0 EP1: Validating Webhook WIP: DANM 4.0 EP1: Validating Webhook Apr 29, 2019
Basically the idea is that a set of validating functions will be mapped to specific API paths, and automatically executed.
If any of them return an error, we block the object provisioning.
The framework enables the easy expansion of the webhook with other APIs... which we might need preeeeettyyyy sooon in the future ;)

Several functions in ipam and netcontrol packages are moved around to better fitting places.
Still some ways to go with testing, finishing the refactoring in other packages, UT, documentation, integration...
Added mutating default NetworkType value to ipvlan
@Levovar Levovar force-pushed the webhook branch 14 times, most recently from 88f23dd to 2700ceb Compare May 14, 2019 10:37
@Levovar Levovar force-pushed the webhook branch 6 times, most recently from b334ce9 to c3232cf Compare May 17, 2019 15:29
@Levovar Levovar changed the title WIP: DANM 4.0 EP1: Validating Webhook DANM 4.0 EP1: Validating Webhook May 17, 2019
1: Started logging the return value of the HTTPS server
2: Changed default bind-address value from "0.0.0.0" to empty string
3: Changed to json.Decoder and started hard-enforcing total adherence to DanmNet schema (no unknown fields are allowed)
4: Added possibility to patch NetworkType parameter (setting to default "ipvlan")
5: To be able to handle modify operations, we only change Alloc if it was previously empty
6: Patch needs to be added when orig and new value are NOT equal :)
7: Value of patch needs to be force-enclosed with quotes, otherwise JSON marshalling fails
8: Other returns reason, and descriptive error logs to some previously not tracked execution paths
9: Alloc start and end were not properly set into the changedNetwork due to copy issues
10: Options related patching operations were changed to "replace", and use upper-case spelling to satisfy json-patch code
11: Dictionary type fields like Allocation_Pool need to be replaced en bloc if any of its fields changed
12: Webhook was coring because we tried to create allocation array even for empty CIDRs
13: Start being smaller than end check was not working due to subtracting two uint32s from each other apparently does not work in Golang?
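
Commit notes 3, 12 and 13 above, as an added Go example that is not code from this pull request: strict decoding with `json.Decoder.DisallowUnknownFields`, skipping the pool check for an empty CIDR, and a start/end check done by direct comparison, since `uint32` subtraction wraps around instead of going negative. The `netSpec` type, its field names and the sample JSON are hypothetical stand-ins, not DANM's DanmNet schema.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net"
)

// netSpec is a hypothetical, cut-down spec; it is not DANM's real DanmNet type.
type netSpec struct{ NetworkType, Cidr, Start, End string }

func ipToUint32(s string) (uint32, error) {
	ip := net.ParseIP(s).To4()
	if ip == nil {
		return 0, fmt.Errorf("%q is not an IPv4 address", s)
	}
	return binary.BigEndian.Uint32(ip), nil
}

// wrappedDiff shows the pitfall: uint32 subtraction wraps, it never goes negative.
func wrappedDiff(start, end uint32) uint32 { return start - end }

// validateSpec strictly decodes raw, then checks the pool bounds by comparison.
func validateSpec(raw []byte) (*netSpec, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // any key outside netSpec fails decoding
	var spec netSpec
	if err := dec.Decode(&spec); err != nil {
		return nil, fmt.Errorf("schema violation: %w", err)
	}
	if spec.Cidr == "" {
		return &spec, nil // empty CIDR: no allocation pool to check
	}
	start, errS := ipToUint32(spec.Start)
	end, errE := ipToUint32(spec.End)
	if errS != nil || errE != nil {
		return nil, fmt.Errorf("bad pool bounds: start=%q end=%q", spec.Start, spec.End)
	}
	if start >= end { // compare directly; "start-end" would wrap
		return nil, fmt.Errorf("pool start %s is not below end %s", spec.Start, spec.End)
	}
	return &spec, nil
}

func main() {
	// Constructed sample input with reversed pool bounds.
	_, err := validateSpec([]byte(`{"cidr":"10.0.0.0/24","start":"10.0.0.9","end":"10.0.0.2"}`))
	fmt.Println(err, wrappedDiff(9, 2), wrappedDiff(2, 9))
}
```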