Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KEP-4008: CRDValidationRatcheting: Ratchet errors from CEL expressions if old DeepEqual new #121016

Merged
merged 1 commit into from
Oct 24, 2023
Merged

KEP-4008: CRDValidationRatcheting: Ratchet errors from CEL expressions if old DeepEqual new #121016

merged 1 commit into from
Oct 24, 2023

Conversation

alexzielenski
Copy link
Contributor

@alexzielenski alexzielenski commented Oct 6, 2023
edited

What type of PR is this?

/kind feature

What this PR does / why we need it:

Adds support for CEL expressions to CRDValidationRatcheting as part of beta. This is NOT the "Advanced CEL Ratcheting" part of the KEP. This is an implementation of standard ratcheting for CEL rules when old is DeepEqual to new.

Factors out the correlation and comparison bits from the schema ratcheting code into a reusable type so that it can be shared with CEL implementation without much ripple

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Does this PR introduce a user-facing change?

CRDValidationRatcheting: Adds support for ratcheting `x-kubernetes-validations` in schema

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: http://kep.k8s.io/4008

/sig api-machinery
/assign @apelisse
/cc @sttts @cici37

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Oct 6, 2023
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. labels Oct 6, 2023
@k8s-ci-robot k8s-ci-robot added the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Oct 6, 2023
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver labels Oct 6, 2023
@alexzielenski alexzielenski force-pushed the apiserver/apiextensions/ratcheting-cel branch 5 times, most recently from 5522aa6 to 543f8d3 Compare October 9, 2023 19:27
This was referenced Oct 10, 2023
Merged
Merged
apelisse
apelisse reviewed Oct 13, 2023
View reviewed changes
Copy link
Member

@apelisse apelisse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly looks good so far.

staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation/ratcheting.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 14, 2023
@alexzielenski alexzielenski mentioned this pull request Oct 16, 2023
Open
12 tasks
@alexzielenski alexzielenski force-pushed the apiserver/apiextensions/ratcheting-cel branch from 543f8d3 to d8df5a1 Compare October 16, 2023 22:31
@alexzielenski alexzielenski marked this pull request as ready for review October 16, 2023 22:52
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 16, 2023
@Jefftree
Copy link
Member

/triage accepted

@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Oct 17, 2023
@alexzielenski alexzielenski force-pushed the apiserver/apiextensions/ratcheting-cel branch 4 times, most recently from ce9c864 to 519b7ed Compare October 18, 2023 20:07
apelisse
apelisse reviewed Oct 18, 2023
View reviewed changes
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go
Comment on lines +3136 to +3152
schema: mustSchema(`
type: object
properties:
foo:
type: string
x-kubernetes-validations:
- rule: self == "bar"
message: "gotta be baz"
`),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks so beautiful, tabsdiedie is proud of you

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, is this a Scala stripMargin equivalent? Nice. I'd really like to have a general purpose one of these in a util package at some point (but this is great for now).

apelisse
apelisse reviewed Oct 18, 2023
View reviewed changes
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go
- bar: bar
`),
warnings: []string{
`root[0].bar: Invalid value: "string": gotta be baz`,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unrelated and not an action, but what is this

invalid value: "string": gotta be baz
// instead of
invalid value: "bar": gotta be baz

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've always wondered that. It is a curiosity of how our forked openapi validator in kube-openapi generates errors :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I guess it's a string indeed, cool ...

@apelisse
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 18, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: b57b5ade299652c9ac34f428ef727e31aebb5ef1

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 18, 2023
@alexzielenski alexzielenski mentioned this pull request Oct 20, 2023
Merged
jpbetz
jpbetz suggested changes Oct 23, 2023
View reviewed changes
Copy link
Contributor

@jpbetz jpbetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor nit

staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go
Comment on lines +3136 to +3152
schema: mustSchema(`
type: object
properties:
foo:
type: string
x-kubernetes-validations:
- rule: self == "bar"
message: "gotta be baz"
`),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, is this a Scala stripMargin equivalent? Nice. I'd really like to have a general purpose one of these in a util package at some point (but this is great for now).

staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go
name: "ratchet error triggered by normal CEL expression from an uncorrelatable part of the schema if one of its parent nodes is totally unchanged",
schema: mustSchema(`
type: array
x-kubernetes-list-type: atomic
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Can we also get one test using x-kubernetes-list-type: atomic (I'm confident it will pass, I mostly want it for regression prevention)? It can be a copy-paste of an atomic one..

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you mean x-kubernetes-list-type: set? Either way, I noticed it wasnt included, and added some more cases, as well as some maplist and nested map cases.

staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go Outdated Show resolved Hide resolved
@alexzielenski alexzielenski force-pushed the apiserver/apiextensions/ratcheting-cel branch from 519b7ed to f075f4c Compare October 23, 2023 17:19
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 23, 2023
@alexzielenski alexzielenski force-pushed the apiserver/apiextensions/ratcheting-cel branch from f075f4c to 7840f8e Compare October 23, 2023 17:24
@alexzielenski alexzielenski force-pushed the apiserver/apiextensions/ratcheting-cel branch from 7840f8e to 6d580da Compare October 23, 2023 17:28
@alexzielenski
Copy link
Contributor Author

/retest

@jpbetz
Copy link
Contributor

jpbetz commented Oct 23, 2023

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 23, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 2ef307349d17924e738faa0f405074e8949befb8

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexzielenski, jpbetz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 23, 2023
@k8s-ci-robot k8s-ci-robot merged commit 3930f3f into kubernetes:master Oct 24, 2023
14 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Oct 24, 2023
@alexzielenski alexzielenski mentioned this pull request Oct 24, 2023
Merged
9 tasks
@alexzielenski alexzielenski changed the title CRDValidationRatcheting: Ratchet errors from CEL expressions if old DeepEqual new KEP-4008: CRDValidationRatcheting: Ratchet errors from CEL expressions if old DeepEqual new Oct 24, 2023
@sftim
Copy link
Contributor

sftim commented Oct 25, 2023

Changelog suggestion

ℹ️ should get a technical check before making the change

Added ratcheting (behind `CRDValidationRatcheting` feature gate) to tolerate `x-kubernetes-validations` errors when the old resource was equal - `reflect.DeepEqual()` - to the new object.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jiahuif jiahuif jiahuif left review comments

@cici37 cici37 cici37 left review comments

@jpbetz jpbetz jpbetz requested changes

@sttts sttts Awaiting requested review from sttts

@apelisse apelisse Awaiting requested review from apelisse

Assignees

@jpbetz jpbetz

@apelisse apelisse

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.29
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@alexzielenski @k8s-ci-robot @Jefftree @apelisse @jpbetz @sftim @jiahuif @cici37