WIP: api: apply field validation to dropped fields #130467
Conversation
|
Skipping CI for Draft Pull Request. |
|
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: pohly The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Large PR even though the "real" changes are in a limited set of files. Let me call out those files by asking questions about the current approach (still in flux).
Continuation of https://kubernetes.slack.com/archives/C0EG7JC6T/p1739953008081669
| @@ -1088,6 +1088,9 @@ const ( | |||
| // CauseTypeResourceVersionTooLarge is used to report that the requested resource version | |||
| // is newer than the data observed by the API server, so the request cannot be served. | |||
| CauseTypeResourceVersionTooLarge CauseType = "ResourceVersionTooLarge" | |||
| // CauseTypeUnsupported is used to report that support for a resource or | |||
| // field is disabled. | |||
| CauseTypeUnsupported CauseType = "Unsupported" | |||
There was a problem hiding this comment.
When warning about a dropped field, the StatusCause needs a type.
Not sure whether a new type is needed. The closest existing one is "FieldValueNotSupported", which kind of makes sense because the non-nil field in the parent struct is also a value...
| // caller will return them to the client as if they had been generated | ||
| // in WarningsOnCreate. If it is Strict, the warnings are turned into | ||
| // an error and the operation fails immediately. | ||
| PrepareForCreate(ctx context.Context, obj runtime.Object, fieldValidation string) (warnings []string, err error) |
There was a problem hiding this comment.
Still debating with myself what the best return values are here...
The error only gets added for the sake of completeness as I am touching this method and all implementations. It seems useful that an implementer should also be able to say "stop right now, something is completely wrong" here. But for warnings about dropped fields its not needed.
I'm currently using warnings []string for consistency with WarningsOnCreate. That's fine when just passing those warnings through and has the advantage that warnings are not limited to dropped fields.
But when converting the warnings to an error, the caller has to parse the warning and provide a common error text, so in the end those have to be warnings about dropped fields and they have to have the expected format.
I'm therefore leaning towards a less flexible return value. field.ErrorList is too flexible because Error has additional fields (Type, BadValue) that we don't need.
[]struct{Field string, Message string} ?
Alternatively, we can keep the prototype as it is and require that implementations themselves turn warnings into an error for fieldValidation == "Strict", then return that error instead of warnings. A helper function could be provided which does that.
There was a problem hiding this comment.
A couple thoughts:
- I'd need to think more about what it would mean to add a fatal error return to this code path
- If possible, I'd want to handle what we do with dropped fieldPaths centrally and minimize the surface area / reliance on dozens of individual strategy methods constructing consistent messages and distinguishing between warn and error correctly
I think the minimal surface area required here is:
- In parameters, tell PrepareForCreate / PrepareForUpdate if the caller needs to know about dropped field paths (since it adds some complexity / cost to accumulate those ... if fieldValidation is "Ignore", there's no point in doing that work)
- In the return value, let PrepareForCreate / PrepareForUpdate return any dropped field paths, possibly with an associated reason string for each about why they were dropped
If we're changing the strategy signature, I'd probably plan for the future and add an input type and a return type we can augment in the future if needed
possibly something like:
type PrepareForCreateOptions struct {
ReturnDroppedFieldPaths bool
}
type PrepareForCreateResult struct {
DroppedFieldPaths []string // or map[string]string to give associated reasons?
}
PrepareForCreate(ctx context.Context, obj runtime.Object, opts PrepareForCreateOptions) PrepareForCreateResult
type PrepareForUpdateOptions struct {
ReturnDroppedFieldPaths bool
}
type PrepareForUpdateResult struct {
DroppedFieldPaths []string // or map[string]string to give associated reasons?
}
PrepareForUpdate(ctx context.Context, obj, old runtime.Object, opts PrepareForUpdateOptions) PrepareForUpdateResultThen, in the one place we call these methods, we decide if we care about tracking dropped field paths based on whether we need to warn or error, and we handle warning or erroring based on the result
There was a problem hiding this comment.
If possible, I'd want to handle what we do with dropped fieldPaths centrally and minimize the surface area / reliance on dozens of individual strategy methods constructing consistent messages and distinguishing between warn and error correctly.
Fully agreed. Whatever we do, it would be a lot of manual work.
In addition, like validation itself it also is conceptually at the wrong place: the field paths are for the internal API version. If the external APIs do not all use exactly the same paths, then users get confusing errors or warnings for those API versions with different paths. DRA will have this situation because we are restructuring a bit in v1beta2.
This leads me to: can we do this as part of declarative validation?
We already have the +featureGate annotation. Generating code which does the usual "if any feature-gated field is set or feature gate enabled, return, otherwise drop feature-gated fields" logic should be doable.
There was a problem hiding this comment.
This leads me to: can we do this as part of declarative validation?
Only if we can guarantee we never error / warn for this on an update of an existing object that already contains data in that field
Generating code which does the usual "if any feature-gated field is set or feature gate enabled, return, otherwise drop feature-gated fields" logic should be doable.
Are we able to perfectly automatically detect / correlate use of the gated field in the old object?
There was a problem hiding this comment.
Only if we can guarantee we never error / warn for this on an update of an existing object that already contains data in that field
That's what I meant with "if any feature-gated field is set" - just accidentally dropped the "in the existing object".
Are we able to perfectly automatically detect / correlate use of the gated field in the old object?
That's a question to the people implementing declarative validation. We would need access to the stored object in the same version that the incoming update has. Then whatever is set there should match the +featureGate annotations and thus the code generated for that version.
| details.Causes = append(details.Causes, cause) | ||
| } | ||
| err.ErrStatus.Details = details | ||
| return err |
There was a problem hiding this comment.
This conversion into an error needs to go into some helper function, either one that is shared by create and update or exported such that implementations can use it.
| if warn { | ||
| warnings = append(warnings, fmt.Sprintf("spec.devices.requests[%d].adminAccess: %s disabled", i, features.DRAAdminAccess)) | ||
| } | ||
| } |
There was a problem hiding this comment.
As a proof-of-concept I've converted this "drop disabled fields". There's a corresponding E2E test in test/e2e/dra.go.
If we go ahead with this, do I need to update all "drop disabled fields" implementations and write tests for that in this PR? It would be desirable for the sake of consistency, but also a lot of busy work and lead to a very large PR.
The alternative is to add the ability to do this in one PR, then convert individual API types one-by-one. That work can be spread across different contributors.
I'm leaning towards the latter approach. They key argument is that clients cannot rely on getting an error for a while because they probably need to support also older Kubernetes release where this new functionality wasn't available yet. For DRA, we need such a "plan B" for DRA drivers running on Kubernetes 1.32.
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
If this is relevant to #127701, I suggest we make this a candidate for backports. It won't cover everything but the fewer times we have to triage a sidecar being treated as an init container (and people filing bugs against the Helm chart, Kubernetes, etc) the better. |
It is, but it doesn't meet our backport criteria: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/cherry-picks.md#what-kind-of-prs-are-good-for-cherry-picks |
|
(quoting from the page about backports)
I'm willing to support this. From my perspective, I want to preempt the problem #127701 calls out (the ecosystem sees a stream of issues from users confused about init vs. sidecar containers). I'd rather have this ahead of GA (for sidecar containers) than feel obliged to jump in to comms after the problem proves to be serious. |
|
I can't speak for SIG Node, but considering how large this PR might become (note that it's not complete yet!) I expect considerable and justified pushback against backporting this. If I were SIG Node, I wouldn't try. SIG Arch might be a better champion for it, but even then I find it unlikely. What SIG Node can do is delay graduation until this PR is merged. So far, it is unclear when that will be. It has not received any comments on the implementation questions that I raised. |
I don't think there's any way we would backport this. This requires signature changes and touching many many implementation files. |
|
Ok, thanks @liggitt. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
What type of PR is this?
/kind feature
What this PR does / why we need it:
When a field gets dropped because the corresponding feature gate is disabled, the client currently gets neither a warning when
fieldValidation: Warnis set (also the default), nor does it get an error forfieldValidation: Strict.This is inconsistent with submitting the same request to an older Kubernetes which doesn't have the feature at all yet: there the fields are unknown and trigger warnings resp. an error during decoding.
This PR addresses that by allowing the REST strategy implementation to return warnings when dropping fields. The create and update code then return those warnings or turn them into an error when field validation is strict.
Special notes for your reviewer:
Does this PR introduce a user-facing change?
TBD