Fixes delete admission nil object attributes#66535
Fixes delete admission nil object attributes#66535yue9944882 wants to merge 1 commit intokubernetes:masterfrom
Conversation
|
/sig api-machinery |
There was a problem hiding this comment.
For reviewers, forcing the name via accessor here is because that DeleteCollections will set an empty name in the attributes.
5593744 to
c386a21
Compare
There was a problem hiding this comment.
We call admission for each element in the collection?
There was a problem hiding this comment.
Hi @CaoShuFeng, thanks for reviewing! I am sort of confused here when I found that we are actually not doing loose admission checks in delete collection. Shouldn't we force the check for every item of it?
attrs := admission.NewAttributesRecord(nil, nil, scope.Kind, namespace, "", scope.Resource, scope.Subresource, admission.Delete, userInfo)
There was a problem hiding this comment.
The changes here are not quite related to the PR tho.. Or we can put the changes into another PR so that this PR doesn't change any behavior of the server.
There was a problem hiding this comment.
Shouldn't we force the check for every item of it?
If we have remote admission controllers set, this will not be that good.
e.g. I delete a collection of 1000 elements, than the api-server will call the remote admission controller 1000 times in a short time, this will be a flood I think.
53f82d1 to
2128cf0
Compare
|
/test pull-kubernetes-integration |
|
See questions raised in |
Thanks @liggitt . I'm afraid I got a little confused about the line above. In the Update calls we only guarantee the mutating validation call to ensure that the object has to be mutated as expected but other validation funcs like Do you mean that guaranteeing both mutating and validating admission check for object deletion via some approach like
Current state of this PR is right doing admission check twice for graceful deletion IMHO.😃 |
There was a problem hiding this comment.
this change means that admission is not actually called for namespaces on the first delete request (since this function does a r.store.Storage.GuaranteedUpdate call internally to set the deletion timestamp and namespace finalizer
There was a problem hiding this comment.
@liggitt Added the validation check for these manual update-on-delete
There was a problem hiding this comment.
same here, admission is not called on first delete
ef059d0 to
4a16762
Compare
|
@yue9944882 do you have time reviving this PR? We need this fix for webhook GA. I can complete this PR if you are busy with the rate limiting project. |
|
@caesarxuchao heh sure, take it and go 😋 |
|
@yue9944882 thanks, do you mind squashing the commits to one? That way I can keep your authorship by cherrypicking just one commit. |
backward compatibility: add validation for direct storage delete calls apply nil validation to existing tests revert behavior changes in deleteCollection call fixes validation on wiring graceful deletion remove nil validation check continue admission check on not found error
1c33139 to
ab07482
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: yue9944882 If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@yue9944882: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
thanks for asking. squashed. |
|
closing in favor of #76346 /close |
|
@liggitt: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
validate deletion admission object backward compatibility: add validation for direct storage delete calls apply nil validation to existing tests revert behavior changes in deleteCollection call fixes validation on wiring graceful deletion remove nil validation check continue admission check on not found error
validate deletion admission object backward compatibility: add validation for direct storage delete calls apply nil validation to existing tests revert behavior changes in deleteCollection call fixes validation on wiring graceful deletion remove nil validation check continue admission check on not found error
validate deletion admission object backward compatibility: add validation for direct storage delete calls apply nil validation to existing tests revert behavior changes in deleteCollection call fixes validation on wiring graceful deletion remove nil validation check continue admission check on not found error
What this PR does / why we need it:
Fixes nil old object in admission attributes for storage delete calls.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #66536
Special notes for your reviewer:
This PR doesn't change the current behavior of kube-apiserver.
Release note: