Adding ObjectSelector to admission webhooks#78226
Adding ObjectSelector to admission webhooks#78226caesarxuchao wants to merge 8 commits intokubernetes:masterfrom
Conversation
252773a to
13ef626
Compare
There was a problem hiding this comment.
The changes to the patch handler are complicated. I need to extract the labels after the patch is applied to the existing object, but before the running the mutation webhooks (applyAdmission), and pass the labels to the validation webhooks (encapsuled in createValidation and updateValidation). I used the *ctx.LabelsHolder to pass the labels.
13ef626 to
c2558a1
Compare
59426bd to
32297f4
Compare
There was a problem hiding this comment.
in what cases do we allow error?
There was a problem hiding this comment.
extensions/v1beta1/deployments/rollback does not implement the Object interface. That seems to be the only exceptions.
I updated the update.go to return NewInternalError if meta.Accessor() fails.
There was a problem hiding this comment.
Looks safe. Log an error if it ever does happen just so we're not entirely silent about the error?
There was a problem hiding this comment.
is the returning error behavior here different from other verbs?
There was a problem hiding this comment.
it seems that the update doesn't tolerate modified object. I got the following flake locally:
--- FAIL: TestWebhookV1beta1/apiextensions.k8s.io.v1beta1.customresourcedefinitions/delete (0.35s)
admission_test.go:608: Operation cannot be fulfilled on customresourcedefinitions.apiextensions.k8s.io "openshiftwebconsoleconfigs.webconsole.operator.openshift.io": the object has been modified; please apply your changes to the latest version and try again
There was a problem hiding this comment.
Thanks. I'll update the code.
|
I believe that the flake I encountered was due to the watch cache. The object in watch cache contains already removed labels, thus the request was dispatched to wrong webhooks. |
It verifies that object selector is respected. It verifies that labels added by the mutation webhooks are not affecting object selector decision in the same round of admission.
if the obj does not implement the Object interface. The only exception is the CREATE handler, as extension/v1beta1/deployments/rollback does not implement the interface.
9cf4343 to
3264ace
Compare
|
/retest Integration test failure not related. |
|
@caesarxuchao: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| // object (passed as oldObject in the admissionRequest). | ||
| // Admission behavior for subresources with non-empty object selector | ||
| // is undefined currently. | ||
| // Use the object selector only if the webhook is opt-in, because end |
There was a problem hiding this comment.
In addition to allowing users to opt-in to a webhook, labels also make it possible to ensure that all objects with a particular label have been admitted by the webhooks for that label.
| type Matcher struct { | ||
| } | ||
|
|
||
| // MatchObjectSelector decideds whether the request matches the ObjectSelector |
There was a problem hiding this comment.
Looks safe. Log an error if it ever does happen just so we're not entirely silent about the error?
| if !ok { | ||
| return nil, errors.NewInternalError(fmt.Errorf("expect labelsHolder set in context")) | ||
| } | ||
| labelsHolder.SetLabels(labels) |
There was a problem hiding this comment.
Add comment here summarizing why/how labels are messaged via the context? Seems like we should comment about that somewhere..
| // users may skip the admission webhook by setting the labels. | ||
| // Default to the empty LabelSelector, which matches everything. | ||
| // +optional | ||
| ObjectSelector *metav1.LabelSelector |
There was a problem hiding this comment.
Why not ObjectLabelSelector ?
| // UPDATE, the object is the new object. For DELETE, it is existing | ||
| // object (passed as oldObject in the admissionRequest). | ||
| // Admission behavior for subresources with non-empty object selector | ||
| // is undefined currently. |
| dryRun: dryRun, | ||
| object: object, | ||
| oldObject: oldObject, | ||
| labels: labels, |
There was a problem hiding this comment.
why do we need labels globally throughout the code base and not only in the webhooks. This looks wrong. Please move that logic into the webhook.
| } | ||
|
|
||
| type mutateObjectUpdateFunc func(obj, old runtime.Object) error | ||
| type mutateObjectUpdateFunc func(ctx context.Context, obj, old runtime.Object) error |
|
I am not happy about the ripples of the change. I am against merging it in this way. /hold |
|
The requirement of extracting labels "at the admission time before running any plugins and will be used for all webhooks during the admission process" makes the implementation complicated. Especially for PATCH operations, I needed to extract the labels after the patch is applied, but before applying the mutation webhooks in this line, thus I used One alternative I had considered was letting the mutation webhook controller extract the labels. The drawbacks are:
|
|
@caesarxuchao: PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Talked through the various issues with @sttts, @caesarxuchao, @jpbetz, and @roycaihw. most of the difficulties with this implementation came from the original behavior specified in the KEP, which in retrospect led to very counter-intuitive behavior from an end-user's perspective. The updated behavior we landed on (which is much easier to explain and to implement... double win): To determine whether the objectSelector matches given admission attributes:
|
|
I very much prefer what @liggitt suggests in #78226 (comment). Feel free to unhold the PR with such an implementation. |
|
Superseded by #78505 |
/assign
/sig api-machinery
Implementing KEP#objectSelector.
I only implemented it for the main resource. The behavior for subresources is undefined.
I added to the admission webhook integration test to make sure webhooks are called if labels matches the object selector. The test also makes sure in-flight label changes made by the mutation webhooks are not counted when compared to the object selector.
TODO:
I still need to do some code cleanup, so marked as WIP. cc @liggitt @jpbetz @roycaihw