Sending existing object to the webhook for the DELETE verb

[caesarxuchao]

Based on #66535, with these major changes:

• The deleteValidation is plumbed to the GuaranteedUpdate and etcd3#Delete, so that it's always called when the update and delete retry on conflicts.

/assign
/sig api-machinery
/kind bug

For admission webhooks registered for DELETE operations on k8s built APIs or CRDs, the apiserver now sends the existing object as admissionRequest.Request.OldObject to the webhook. 
For custom apiservers they uses the generic registry in the apiserver library, they get this behavior automatically.

[caesarxuchao]

This is a duplicate of line 183.

[caesarxuchao]

This might be controversial.

[liggitt]

this is interesting. wouldn't malformed data in etcd also prevent us from listing and finding out what the problematic key was? I'm trying to understand if this special handling actually enables us to resolve the issue, or if it's just a step in that direction.

[caesarxuchao]

Good point. The error message send by the LIST handler does include the key:

kubernetes/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go

Line 610 in 0889c3e

return storage.NewInternalErrorf("unable to transform key %q: %v", kv.Key, err)

So this special handling enables us to resolve the issue.

[caesarxuchao]

/retest

[caesarxuchao]

/unassign
/assign @liggitt @mbohlool @roycaihw @yue9944882

[caesarxuchao]

CHAO: finalizer for roles.rbac.authorization.k8s.io/role1 is [test/k8s.io], uid is 01f1dcc1-65e4-4836-b85f-ccf0b3be4f56, rv is 1312
CHAO: again, finalizer for roles.rbac.authorization.k8s.io/role1 is [test/k8s.io], uid is 01f1dcc1-65e4-4836-b85f-ccf0b3be4f56, rv is 1312
CHAO: in updateForGracefulDeletionAndFinalizers 1, finalizer for role1 is [], uid is 01f1dcc1-65e4-4836-b85f-ccf0b3be4f56, rv is 1311
CHAO: in updateForGracefulDeletionAndFinalizers 2, finalizer for role1 is [], uid is 01f1dcc1-65e4-4836-b85f-ccf0b3be4f56, rv is 1311
CHAO: in updateForGracefulDeletionAndFinalizers 3, finalizer for role1 is [], uid is 01f1dcc1-65e4-4836-b85f-ccf0b3be4f56, rv is 1311

Somehow the rv goes backwards in this code block: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store.go#L873-L909.

[sttts]

Any chance to squash this into logical pieces for easier review?

[caesarxuchao]

I had to add a specific delete test for CRD, because like namespaces, apiserver does not delete CRD on an update that removes the last pending finalizer.

[liggitt]

should it? that seems like the same bug as the one you fixed in storage

[liggitt]

CRD storage doesn't override Update, and only changes Delete behavior on first delete... I don't think it should require a custom test method (I'd expect removing finalizers on update of a CRD with a deletiontimestamp set to actually delete)

[caesarxuchao]

I removed the commit that modified shouldDeleteDuringUpdate. The function returns false unless the DeletionGracePeriodSeconds was set on the first Delete. CRD storage doesn't set the DeletionGracePeriodSeconds.

I removed my previous fix to shouldDeleteDuringUpdate because that would make Namespaces misbehave.

I tracked the issue in #77944. We can solve it in a followup.

[caesarxuchao]

This matches the existing behavior:

kubernetes/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go

Lines 743 to 750 in 08afeb8

	// Delete succeeds but reports an error because we cannot access the body
	if err := store.Delete(ctx, preset[1].key, &example.Pod{}, nil); !storage.IsInternalError(err) {
	t.Errorf("Unexpected error: %v", err)
	}
	if err := store.Get(ctx, preset[1].key, "", &example.Pod{}, false); !storage.IsNotFound(err) {
	t.Errorf("Unexpected error: %v", err)
	}

[liggitt]

/retest

[liggitt]

Is it better to skip validateDeletion or call it with a nil object? Currently, delete admission is always called, regardless of transform error, with a nil oldObject. would it be preferable to continue calling delete admission with a nil oldObject in the case of a transform error over skipping it entirely?

[liggitt]

I can't decide which bothers me more, giving an inconsistent API to admission consumers (sometimes getting a nil oldObject in a delete admission call), skipping delete admission entirely, or requiring talking to etcd to delete a malformed value.

Will CRD webhook conversion errors and KMS transform errors exercise this path? I'm not sure I'd want to abandon calling admission if an external system like that flakes.

[caesarxuchao]

Indeed the KMS transform is part of the transformer stack:

kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go

Line 190 in 4d3d153

transformer, err = getEnvelopePrefixTransformer(provider.KMS, envelopeService, kmsTransformerPrefixV1)

.

I'll trace the CRD webhook path later.

[update] CRD webhook conversion is plumbed to the storage codec, not as a transformer. See code.

[caesarxuchao]

Among all the options, "giving an inconsistent API to admission consumers" seems to be the lesser of the evils.

I added the last commit to send nil objects to validateDelete.

[liggitt]

Discussed offline. since we already have to look up the existing object in the REST handler to verify there are no remaining finalizers, a persistent transform error is already blocking, and we'll never make it here. Continuing to simply return if we encounter a transform error (rather than skipping admission or passing a nil object) is no worse than the current state, and lets us give a consistent API to admission authors.

[liggitt]

Let's drop the transformation error changes from this PR to keep it focused on passing existing objects to delete admission

[liggitt]

also return if origState is nil, since we don't have the rev info to use later

[caesarxuchao]

Added a return after the error checks.

[liggitt]

CRD storage doesn't override Update, and only changes Delete behavior on first delete... I don't think it should require a custom test method (I'd expect removing finalizers on update of a CRD with a deletiontimestamp set to actually delete)

[caesarxuchao]

/retest

[caesarxuchao]

@liggitt I cherry-picked your #77952 to get the integration tests working, I would need a rebase after #77952 merged. The PR is otherwise ready for another round of review. Thank you for the meticulous reviews.

[liggitt]

/lgtm
/approve

needs a rebase since #77952 merged

[caesarxuchao]

/retest

[caesarxuchao]

/retest

[liggitt]

/lgtm
/approve
/priority important-soon

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: caesarxuchao, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• cmd/kube-apiserver/OWNERS [caesarxuchao,liggitt]
• pkg/master/OWNERS [liggitt]
• pkg/registry/OWNERS [liggitt]
• staging/src/k8s.io/apiextensions-apiserver/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/OWNERS [liggitt]
• test/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[yue9944882]

awesome! 🎉

[liggitt]

included in docs PR for 1.15 at kubernetes/website#14671

[roycaihw]

/area admission-control