Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update to admissionregistration.k8s.io/v1 #1250

Merged
merged 13 commits into from
May 6, 2021

Conversation

sozercan
Copy link
Member

@sozercan sozercan commented Apr 15, 2021

Signed-off-by: Sertac Ozercan sozercan@gmail.com

What this PR does / why we need it:

  • Updates admissionregistration.k8s.io/v1beta1 to v1. This will change minimum required Kubernetes version to v1.16.
  • Updates controller-gen to v0.5.0.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #818

Special notes for your reviewer:

  • Upgrade test validates that a cluster with admissionregistration.k8s.io/v1beta1 can be upgraded to v1.

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan sozercan requested a review from a team April 15, 2021 02:50
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
- clientConfig:
caBundle: Cg==
- admissionReviewVersions:
- v1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there any differences between the two admission review versions?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's detailed here: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.16.md#api-changes
doesn't sounds like any major differences, just required fields and api server support for receiving corresponding versions

Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@@ -24,8 +26,11 @@ webhooks:
- UPDATE
resources:
- namespaces
- clientConfig:
caBundle: Cg==
Copy link
Member

@ritazh ritazh Apr 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like caBundle is removed here but they are persisted in the MutatingWebhookConfiguration in config/overlays/mutation_webhook/webhook.yaml

Copy link
Member Author

@sozercan sozercan Apr 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think config/overlays/mutation_webhook/webhook.yaml is temporary location, and it's not generated. Once it's generated, it'll go to config/webhook/manifests.yaml (and caBundle doesn't get generated)

https://github.com/open-policy-agent/gatekeeper/pull/1250/files#diff-b51dd886772df2afc559857517988e0b2c597cc944583aa47891f6de293b4f21R50-R51

Copy link
Member

@ritazh ritazh Apr 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah ok. should we manually update config/overlays/mutation_webhook/webhook.yaml for now?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it matters but, I updated to be same as it would have been generated.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Related bug: #817

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for linking the issue @maxsmythe so this PR would fix that issue as a bonus.

@sozercan sozercan requested a review from ritazh April 19, 2021 18:59
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@codecov-commenter
Copy link

codecov-commenter commented Apr 19, 2021

Codecov Report

Merging #1250 (da9039d) into master (20a0e1a) will decrease coverage by 0.06%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1250      +/-   ##
==========================================
- Coverage   48.55%   48.49%   -0.07%     
==========================================
  Files          68       68              
  Lines        4879     4879              
==========================================
- Hits         2369     2366       -3     
- Misses       2159     2161       +2     
- Partials      351      352       +1     
Flag Coverage Δ
unittests 48.49% <ø> (-0.07%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/webhook/mutation.go 17.64% <ø> (ø)
pkg/webhook/namespacelabel.go 72.00% <ø> (ø)
pkg/webhook/policy.go 28.62% <ø> (ø)
...onstrainttemplate/constrainttemplate_controller.go 56.63% <0.00%> (-0.98%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 20a0e1a...da9039d. Read the comment docs.

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan
Copy link
Member Author

cert-controller PR: open-policy-agent/cert-controller#34

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@maxsmythe
Copy link
Contributor

still LGTM, if needed

@maxsmythe
Copy link
Contributor

Though the tests look unhappy

@sozercan
Copy link
Member Author

@maxsmythe failures are due to open-policy-agent/cert-controller#31 that includes controller-runtime v0.8 which includes breaking changes

@maxsmythe
Copy link
Contributor

Major breaking changes? Or do we just need to tweak some things?

@sozercan
Copy link
Member Author

sozercan commented Apr 20, 2021

Sounds like conversion function changes in apimachinery. I think this will have to wait until frameworks repo updates unless we want to revert controller-runtime changes in cert-controller

#17 59.04 # github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1
#17 59.04 vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go:438:22: too many arguments in call to s.Convert
#17 59.04 	have (*v1beta1.JSONSchemaProps, *apiextensions.JSONSchemaProps, number)
#17 59.04 	want (interface {}, interface {})
#17 59.04 vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go:457:22: too many arguments in call to s.Convert
#17 59.04 	have (*apiextensions.JSONSchemaProps, *v1beta1.JSONSchemaProps, number)
#17 59.04 	want (interface {}, interface {})
#17 59.07 # github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1
#17 59.07 vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go:438:22: too many arguments in call to s.Convert
#17 59.07 	have (*v1beta1.JSONSchemaProps, *apiextensions.JSONSchemaProps, number)
#17 59.07 	want (interface {}, interface {})
#17 59.07 vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go:457:22: too many arguments in call to s.Convert
#17 59.07 	have (*apiextensions.JSONSchemaProps, *v1beta1.JSONSchemaProps, number)
#17 59.07 	want (interface {}, interface {})

@willbeason
Copy link
Member

willbeason commented Apr 27, 2021

We should explicitly set matchPolicy and sideEffects in our Validating/MutatingWebhookConfigurations to preserve behavior and be valid. In several files we aren't declaring these fields, which is problematic as the defaults have changed.

matchPolicy now defaults to "Equivalent" instead of "Exact". We aren't being explicit in our Validating/MutatingWebhookConfiguration, so this will cause a change in behavior. I don't know whether we intend to be the current default of "Exact". Note that if a user applies a different API Version of an object than the mutator is written for, "Exact" will ignore it but "Equivalent" will match it. However, the webhook would then needs to make sure it properly converts the object to the expected API Version.

sideEffects has changed and now needs to be explicitly set. "In admissionregistration.k8s.io/v1, sideEffects must be set to None or NoneOnDryRun."

I would have linked to a specific file as an example inline but I don't seem to have permission to do that?

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@@ -357,14 +368,15 @@ spec:
created:
type: boolean
type: object
version: v1beta1
type: object
version: v1alpha1
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maxsmythe @julianKatz do we want version to be v1alpha1 or v1beta1?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

@maxsmythe maxsmythe May 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

version needs to be equal to the first item in the versions list. It looks like it doesn't actually do anything except break if it doesn't match:

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#customresourcedefinitionspec-v1beta1-apiextensions-k8s-io

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: In apiextensions.k8s.io/v1beta1, there was a version field instead of versions. The version field is deprecated and optional, but if it is not empty, it must match the first item in the versions field.

Looks like version is deprecated. Do we want to keep it?

Copy link
Member Author

@sozercan sozercan May 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's okay to remove but @julianKatz wasn't able to find a way for controller-gen to generate without version I believe

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, it should go away when we switch to generating v1 CRDs (which don't have this field)

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan
Copy link
Member Author

sozercan commented May 3, 2021

@willbeason thanks! explicitly defined matchPolicy to be Exact to match previous behavior. I think we are already defining sideEffects explicitly.

@ritazh @maxsmythe thoughts on whether matchPolicy should be Equivalent or Exact?
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy

@ritazh
Copy link
Member

ritazh commented May 4, 2021

+1 Setting matchPolicy to Exact to match previous behavior. If we have enough people asking for Equivalent, then we could expose a helm parameter for users to set it.

@maxsmythe
Copy link
Contributor

Exact match works. Because we match against / by default, either would be fine. Users who customize the config may be surprised.

@sozercan
Copy link
Member Author

sozercan commented May 5, 2021

rebased with @shomron's changes to controller-runtime. @ritazh @maxsmythe still lgty?

Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still LGTM!

Copy link
Member

@ritazh ritazh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan sozercan merged commit 0fccf8b into open-policy-agent:master May 6, 2021
@sozercan sozercan deleted the update-vwh-v1 branch May 6, 2021 03:19
sozercan added a commit to sozercan/gatekeeper that referenced this pull request May 7, 2021
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan sozercan mentioned this pull request May 7, 2021
sozercan added a commit that referenced this pull request May 10, 2021
julianKatz pushed a commit to julianKatz/gatekeeper that referenced this pull request May 11, 2021
julianKatz pushed a commit to julianKatz/gatekeeper that referenced this pull request May 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
5 participants