plumb Update resthandler to allow old/new comparisons in admission

[liggitt]

Rework how updated objects are passed to rest storage Update methods (first pass at #23928 (comment))

• allows centralizing precondition checks (uid and resourceVersion)
• allows admission to have the old and new objects on patch/update operations (sets us up for field level authorization, differential quota updates, etc)
• allows patch operations to avoid double-GETting the object to apply the patch

Overview of important changes:

• pkg/api/rest/rest.go
  • changes rest.Update interface to give rest storage an UpdatedObjectInfo interface instead of the object directly. To get the updated object, the storage must call UpdatedObject(), passing in the current object
• pkg/api/rest/update.go
  • provides a default UpdatedObjectInfo impl
  • passes a copy of the updated object through any provided transforming functions and returns it when asked
  • builds UID preconditions from the updated object if they can be extracted
• pkg/apiserver/resthandler.go
  • Reworks update and patch operations to give old objects to admission
• pkg/registry/generic/registry/store.go
  • Calls UpdatedObject() inside GuaranteedUpdate so it can provide the old object

Todo:

• Update rest.Update interface:
  • Given the name of the object being updated
  • To get the updated object data, the rest storage must pass the current object (fetched using the name) to an UpdatedObject(ctx, oldObject) (newObject, error) func. This is typically done inside a GuaranteedUpdate call.
• Add old object to admission attributes interface
• Update resthandler Update to move admission into the UpdatedObject() call
• Update resthandler Patch to move the patch application and admission into the UpdatedObject() call
• Add resttest tests to make sure oldObj is correctly passed to UpdatedObject(), and errors propagate back up

Follow-up:

• populate oldObject in admission for delete operations?
• update quota plugin to use GetOldObject() in admission attributes
• admission plugin to gate ownerReference modification on delete permission
• Decide how to handle preconditions (does that belong in the storage layer or in the resthander layer?)

[liggitt]

cc @deads2k @smarterclayton @lavalamp @caesarxuchao (related to discussion on plumbing for protecting ownerReferences)

@derekwaynecarr PTAL at admission-related bits
@deads2k PTAL at resthandler patch bits

[liggitt]

This resolves a TODO inside the generic store that noted that all sorts of things in the updated object got mutated in BeforeCreate. It also exposed several tests that only passed because of side-effect modifications on the object passed to Update that made later DeepEqual comparisons pass.

[liggitt]

squashed

[lavalamp]

This is a huge change which I'm just noticing now-- how important for 1.3 is this?

@caesarxuchao some of your change is overlapping this change. Can you look over this so at least someone from here will have read this closely?

[smarterclayton]

This is what allows us to secure garbage collection.

[caesarxuchao]

Sure. I'm taking a look.

[smarterclayton]

The change looks a lot worse than it is.

[caesarxuchao]

A unrelated question, does anyone know why the folder is called "controller" instead of "replicationcontroller"?

[liggitt]

probably just cruft

[liggitt]

@k8s-bot unit test this issue #23822

[caesarxuchao]

Can you keep this logic out of the tryUpdate function? It doesn't need to be rerun in every retry. I think you can get the obj by objInfo.UpdatedObject(ctx, nil).

[liggitt]

no, this check is not expensive, and I definitely don't want to call UpdatedObject with a nil oldObj (or even call it multiple times unnecessarily). in Patch API calls, passing in the old object is how the new object is determined, and the admission chain now lives in that call as well.

There are unit tests in place in resttest.go to make sure the old object passed to UpdatedObject() is actually the old object from storage.

[caesarxuchao]

Thanks for the explanation.

[caesarxuchao]

@liggitt, I realized if obj is not available until calling into the storage layer, I don't know how to rebase my PR onto yours: https://github.com/kubernetes/kubernetes/pull/25599/files#diff-543310447bdc03ffceba5cf23a04be97R313

Do you have any suggestions?

[liggitt]

@k8s-bot test this issue #22655

[liggitt]

added requested godoc

[k8s-bot]

GCE e2e build/test passed for commit 29252ac.

• Build Log
• Test Artifacts
• Internal Jenkins Results

[k8s-github-robot]

Automatic merge from submit-queue