Introduce a "host-strict" network provider as a superset of "host" #13651
Conversation
obnoxxx
changed the title
travisn
changed the title
obnoxxx
force-pushed
the
host-strict
branch
3 times, most recently
from
c0c2b5c
to
5e42771
Compare
BlaineEXE
changed the title
pkg/apis/ceph.rook.io/v1/network.go
Outdated
| // IsHost can be used to determine if pods should use host networking by | ||
| // checking whether the cephCluster is configured to use the "host" network provider. | ||
| // This method also maintains compatibility with the old hostNetwork setting |
There was a problem hiding this comment.
Note to check space usage in doc comments. I see several double-spaces here and below. I'm not too concerned about this in draft status, but it might be good to check if the editor you're using makes it harder to see these. I have whitespace markers turned on in mine, and I find it very helpful for visualizing space and tab usage.
| // IsHost can be used to determine if pods should use host networking by | |
| // checking whether the cephCluster is configured to use the "host" network provider. | |
| // This method also maintains compatibility with the old hostNetwork setting | |
| // IsHost can be used to determine if pods should use host networking by | |
| // checking whether the cephCluster is configured to use the "host" network provider. | |
| // This method also maintains compatibility with the old hostNetwork setting |
obnoxxx
force-pushed
the
host-strict
branch
2 times, most recently
from
6911ff0
to
4cb8a91
Compare
pkg/apis/ceph.rook.io/v1/network.go
Outdated
| // IsHost can be used to determine if pods should use host networking by | ||
| // checking whether the cephCluster is configured to use the "host" network provider. | ||
| // This method also maintains compatibility with the old hostNetwork setting |
There was a problem hiding this comment.
Because we are adding a new mode, it will be good for users to clarify how host and host-strict behavior differs. For host, something like, "This network mode only applies host networking to pods that require it in order to limit the number of pods exposed to the host network, improving cluster security."
And a parallel doc comment in IsHostStrict() mentioning something like, "This network mode applies host networking to all pods without caveat. This is useful for clusters with no default CNI. This mode is less secure than "host" mode. Use "host" mode instead of "host-strict" when possible."
I might also suggest adding a note like "This network mode is needed rarely and so is supported on a best-effort basis."
|
|
||
| assert.True(t, net.IsHost()) | ||
| } | ||
|
|
||
| func TestNetworkCephIsHost(t *testing.T) { | ||
| net := NetworkSpec{provider : "host"} |
There was a problem hiding this comment.
If you look at the "files" view on GitHub, you can see some golang linter issues reported. The CI "action" view doesn't show these issues as well.
This particular issue is because it should be Provider (an exported go struct field) and not provider (a nonexistent, non-exported struct field).
pkg/apis/ceph.rook.io/v1/network.go
Outdated
| // IsHost can be used to determine if pods should use host networking by | ||
| // checking whether the cephCluster is configured to use the "host" network provider. | ||
| // This method also maintains compatibility with the old hostNetwork setting |
There was a problem hiding this comment.
Because we are adding a new mode, it will be good for users to clarify how host and host-strict behavior differs. For host, something like, "This network mode only applies host networking to pods that require it in order to limit the number of pods exposed to the host network, improving cluster security."
And a parallel doc comment in IsHostStrict() mentioning something like, "This network mode applies host networking to all pods without caveat. This is useful for clusters with no default CNI. This mode is less secure than "host" mode. Use "host" mode instead of "host-strict" when possible."
I might also suggest adding a note like "This network mode is needed rarely and so is supported on a best-effort basis."
There was a problem hiding this comment.
FWIW, when Travis and I chatted, he agreed that it isn't necessary to have e2e in CI for this since it is such a rare case. Solid local testing should be fine. Also, it isn't necessary to mention that it is supported on a best-effort basis since that is essentially how all FOSS is supported.
There was a problem hiding this comment.
@BlaineEXE wrote:
Because we are adding a new mode, it will be good for users to clarify how
hostandhost-strictbehavior differs. Forhost, something like, "This network mode only applies host networking to pods that require it in order to limit the number of pods exposed to the host network, improving cluster security."And a parallel doc comment in
IsHostStrict()mentioning something like, "This network mode applies host networking to all pods without caveat. This is useful for clusters with no default CNI. This mode is less secure than "host" mode. Use "host" mode instead of "host-strict" when possible."I might also suggest adding a note like "This network mode is needed rarely and so is supported on a best-effort basis."
Good points, thanks! I added corresponding sections to the PR, mostly using your words directly. I'll add Co-authored-by you when doing final squashing/polishing.
There was a problem hiding this comment.
@BlaineEXE wrote:
FWIW, when Travis and I chatted, he agreed that it isn't necessary to have e2e in CI for this since it is such a rare case. Solid local testing should be fine.
Thanks. I don't complain as it makes it easier for me 😉
Also, it isn't necessary to mention that it is supported on a best-effort basis since that is essentially how all FOSS is supported.
Fair enough, but I already added that clause. Do you want me to remove it again?
| @@ -43,11 +43,32 @@ func TestNetworkCephSpecLegacy(t *testing.T) { | |||
| } | |||
|
|
|||
| func TestNetworkCephIsHostLegacy(t *testing.T) { | |||
| net := NetworkSpec{HostNetwork: true} | |||
| net := NetworkSpec{ HostNetwork: true} | |||
There was a problem hiding this comment.
I'm not sure how this space got added. My golang formatter will auto remove spaces like this to keep code in line with what is expected by gofmt. You should see if your editor has a "format on save" option or something like that. Or you can run gofmt manually if you prefer.
There was a problem hiding this comment.
@BlaineEXE wrote:
I'm not sure how this space got added.
I don't know either: At least I didn't intentionally modify that line.
My usual suspect for such unexpected changes is the editor. I don't like the editor to do a lot without me entering the changes myself. At least I usually try to undo formatting changes by the editor as soon as I notice them. but that is usually of course not very successful 😉
I prefer to run gofmt manually. I just did and after committing the result now the extra space is gone.
There was a problem hiding this comment.
I guess this check must not be in our CI, but Go code must be formatted with gofmt and should not be changed afterwards to alter its formatting.
I think we haven't noticed it before because most people use VSCode and the Golang plugin that does this automatically. I'm surprised that our linter doesn't check for it as well.
|
|
||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
I'm pretty sure gofmt (the built-in tool for ensuring go source code has consistent style) will remove double empty lines in go source files.
There was a problem hiding this comment.
ran gofmt and now the blank lines are gone.
|
failure in the macos build ci check: I guess something did not go quite right with my modification of the types. Then again, the member |
obnoxxx
force-pushed
the
host-strict
branch
2 times, most recently
from
5ca4c60
to
5f90bb2
Compare
Found it. I had to write |
| net := NetworkSpec{Provider: "host"} | ||
|
|
||
| assert.True(t, net.IsHost()) | ||
| net = NetworkSpec{Provider: "host-strict"} | ||
|
|
||
| assert.True(t, net.IsHost()) |
There was a problem hiding this comment.
It's best visually to keep test setup and test check together.
| net := NetworkSpec{Provider: "host"} | |
| assert.True(t, net.IsHost()) | |
| net = NetworkSpec{Provider: "host-strict"} | |
| assert.True(t, net.IsHost()) | |
| net := NetworkSpec{Provider: "host"} | |
| assert.True(t, net.IsHost()) | |
| net = NetworkSpec{Provider: "host-strict"} | |
| assert.True(t, net.IsHost()) |
| @@ -48,6 +48,24 @@ func TestNetworkCephIsHostLegacy(t *testing.T) { | |||
| assert.True(t, net.IsHost()) | |||
| } | |||
|
|
|||
| func TestNetworkCephIsHost(t *testing.T) { | |||
There was a problem hiding this comment.
These tests should also include the default provider ("") as well as the legacy boolean in their matrix to make sure that they do the right thing related to other values.
And when things start to get more complicated, it can be good to use t.Run("subtest name", ... to define subtests that clearly spell out what is being tested.
There was a problem hiding this comment.
@BlaineEXE wrote:
These tests should also include the default provider ("") as well as the legacy boolean in their matrix to make sure that they do the right thing related to other values.
I added it to the pre-existing test and will check for more possible places.
And when things start to get more complicated, it can be good to use
t.Run("subtest name", ...to define subtests that clearly spell out what is being tested.
I will look around the code to understand the point of this better.
obnoxxx
force-pushed
the
host-strict
branch
3 times, most recently
from
26898a5
to
a37a263
Compare
|
Bookmarking a topic for later: we should add some Validating Admission Policy to incorporate The existing code looks like this: // NetworkSpec for Ceph includes backward compatibility code
// +kubebuilder:validation:XValidation:message="at least one network selector must be specified when using multus",rule="!has(self.provider) || (self.provider != 'multus' || (self.provider == 'multus' && size(self.selectors) > 0))"
type NetworkSpec struct {
// Provider is what provides network connectivity to the cluster e.g. "host" or "multus".
// If the Provider is updated from being empty to "host" on a running cluster, then the operator will automatically fail over all the mons to apply the "host" network settings.
// +kubebuilder:validation:XValidation:message="network provider must be disabled (reverted to empty string) before a new provider is enabled",rule="self == '' || self == oldSelf"
// +nullable
// +optional
Provider NetworkProviderType `json:"provider,omitempty"`I think it makes sense that we will want to amend the logic to allow users to switch between We should also add logic that seems to be missing where users are currently allowed to set |
I also don't that restriction and agree we should not allow setting network in two places. |
This change is a follow-up to PR rook#13651 . It is also intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation comment and the unit testing for the `IsHost()` method of the `CephCluster.Network` spec. Signed-off-by: Michael Adam <obnox@samba.org>
…sHost() This change is a follow-up to PR rook#13651 . It is also intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation comment and the unit testing for the `IsHost()` method of the `CephCluster.Network` spec. Signed-off-by: Michael Adam <obnox@samba.org>
…sHost() This change is a follow-up to PR rook#13651 . It is also intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation comment and the unit testing for the `IsHost()` method of the `CephCluster.Network` spec. Signed-off-by: Michael Adam <obnox@samba.org>
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
|
This pull request has been automatically closed due to inactivity. Please re-open if these changes are still required. |
…sHost() This change is a follow-up to PR rook#13651 . It is also intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation comment and the unit testing for the `IsHost()` method of the `CephCluster.Network` spec. Signed-off-by: Michael Adam <obnox@samba.org>
…sHost() This change is a follow-up to PR rook#13651 . It is also intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation comment and the unit testing for the `IsHost()` method of the `CephCluster.Network` spec. Signed-off-by: Michael Adam <obnox@samba.org>
…sHost() This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is also intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation comment and the unit testing for the `IsHost()` method of the `CephCluster.Network` spec. The implementation of IsHost() is changed to validate the Network Spec and return error if the spec is invalid. Signed-off-by: Michael Adam <obnox@samba.org>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the `IsHost()` method of the `CephCluster.Network` spec. The implementation of IsHost() is changed to validate the Network Spec and return error if the spec is invalid. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the `IsHost()` method of the `CephCluster.Network` spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the `IsHost()` method of the `CephCluster.Network` spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the `IsHost()` method of the `CephCluster.Network` spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the `IsHost()` method of the `CephCluster.Network` spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
This change is a follow-up to PR rook#13651 . It is also meant to provide a continuation of the closed, stale PR rook#13878 . It is furthermore intended as a preparation for the introduction of a way to enforce host networking in the next round of updates to PR rook#13651 . This change improves the documentation, implementation, and unit testing for the method of the spec. Signed-off-by: Michael Adam <obnox@samba.org> Co-authored-by: Blaine Gardner <b.blaine.gardner@gmail.com> Co-authored-by: Travis Nielsen <tnielsen@redhat.com>
description of changes:
This change adds a new network provider "host-strict" to the cephCluster that behaves as a superset of the known "host" provider. in that it lets rook configure all pods for host networking, not only those that were previously affected by "host".
** ToDo:**
Issue resolved by this Pull Request:
Resolves #13571
Checklist: