✨ Check for identityHash in APIExport admission and support multiple versions for APIs in permission claims #2169
Conversation
openshift-ci
bot
added
the
kind/api-change
| @@ -57,7 +51,7 @@ func (c *APIReconciler) reconcile(ctx context.Context, apiDomainKey dynamicconte | |||
| } | |||
|
|
|||
| // add built-in apiResourceSchema | |||
| for _, apiResourceSchema := range syncerSchemas { | |||
| for _, apiResourceSchema := range syncerbuiltin.SyncerSchemas { | |||
There was a problem hiding this comment.
I think the process of how we add the ARS to the sync target set can be improved here as we are essentially duplicating these for every apiSet even though we know they are always present. That being said, I opted to not include in this PR as it was already carrying a fairly large diff. Planning to address in follow-up.
| "testing" | ||
|
|
||
| "github.com/stretchr/testify/require" | ||
| _ "k8s.io/kubernetes/pkg/apis/core/install" |
There was a problem hiding this comment.
We could consider moving this anonymous import into builtin.go as inclusion of the package without also importing core install will cause init() to panic.
There was a problem hiding this comment.
I'm happy to, though in theory this is a change in behavior that is not strictly how all consumers would have to behave today. In practice, kcp is installing the core types into the legacy schema before this init() runs, but not all consumers have to. In general I don't love this pattern of registering schemas in init() calls, and would lean towards going ahead and moving the anonymous import (as you suggest) to cover the 99% case here.
There was a problem hiding this comment.
@sttts any thoughts here?
There was a problem hiding this comment.
don't have much context here. But in general it is highly discourage to use the legacyscheme in any way, especially in new code like kcp. Create dedicated schemes and add the group you want via the AddToScheme methods.
hasheddan
force-pushed
the
admission-apiexport
branch
from
2355d9c to
332e7fc
Compare
|
Need to cleanup some of these e2e tests that I believe are correctly failing now. |
Update the APIResourceSchema generation to consider multiple versions of an API and append the schemas to one ARS rather than generating a separate ARS for each. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Moves the APIExport built-in API ARS generation to a dedicated builtin schema package and consume it in the APIExport reconciler. Methods are broken out into a check of whether an ARS exists and a getter for the actual ARS to accommodate more flexible use-cases. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Moves the syncer built-in schema generation to a dedicated package such that it can be consumed in multiple locations. Updates the syncer API reconciler to use it as first consumer. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Fixes up virtual worksapce e2e test to consume internal APIs from built-in package. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
hasheddan
force-pushed
the
admission-apiexport
branch
3 times, most recently
from
30c0882 to
870ca54
Compare
pkg/admission/apiexport/admission.go
Outdated
| field.Invalid( | ||
| field.NewPath("spec"). | ||
| Child("permissionClaims"). | ||
| Child(fmt.Sprintf("[%d]", i)). |
hasheddan
force-pushed
the
admission-apiexport
branch
from
870ca54 to
223bf7b
Compare
pkg/admission/apiexport/admission.go
Outdated
| type APIExportAdmission struct { | ||
| *admission.Handler | ||
|
|
||
| isBuiltInFn func(apisv1alpha1.GroupResource) bool |
pkg/admission/apiexport/admission.go
Outdated
| } | ||
|
|
||
| // NewAPIExportAdmission constructs a new APIExportAdmission admission plugin. | ||
| func NewAPIExportAdmission(isInternal func(apisv1alpha1.GroupResource) bool) *APIExportAdmission { |
There was a problem hiding this comment.
| func NewAPIExportAdmission(isInternal func(apisv1alpha1.GroupResource) bool) *APIExportAdmission { | |
| func NewAPIExportAdmission(isBuiltIn func(apisv1alpha1.GroupResource) bool) *APIExportAdmission { |
| func updateAttr(name string, obj runtime.Object, kind, resource string) admission.Attributes { | ||
| return admission.NewAttributesRecord( | ||
| helpers.ToUnstructuredOrDie(obj), | ||
| nil, |
There was a problem hiding this comment.
Since this is an update, I know it doesn't matter for the code under test, but should we fill in the "old" object here?
| kind string | ||
| resource string | ||
| hasIdentity bool | ||
| isBuiltIn func(apisv1alpha1.GroupResource) bool |
There was a problem hiding this comment.
Unless you're intending to vary the return based on the input, I think this can be a normal bool and you can set the function pointer once, inside t.Run?
pkg/virtual/apiexport/controllers/apireconciler/apiexport_apireconciler_reconcile.go
Show resolved
Hide resolved
| "testing" | ||
|
|
||
| "github.com/stretchr/testify/require" | ||
| _ "k8s.io/kubernetes/pkg/apis/core/install" |
Adds an APIExport admission plugin that, for the time-being, only validates that any permissionClaims for types that are not built-in include an identityHash. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Registers the APIExport admission plugin as a default. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Adds hasheddan as a reviewer for the APIExport admission plugin. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
Cleans up some unecessary conditional logic in APIExport reconciler. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
hasheddan
force-pushed
the
admission-apiexport
branch
from
223bf7b to
5cfb111
Compare
|
/lgtm Would like to hear Stefan's thoughts on the import question |
|
/assign @sttts |
|
|
||
| func init() { | ||
| genericcontrolplane.Install(legacyscheme.Scheme) | ||
| schemes := []*runtime.Scheme{legacyscheme.Scheme} |
There was a problem hiding this comment.
what is this used for? don't like to see the legacyscheme in our code.
There was a problem hiding this comment.
@sttts this isn’t strictly new in this patch set, just being relocated from the syncer API reconciler. I presume the legacy scheme is being used as the sync target is assumed to be Kubernetes API-compatible. Happy to update this to explicitly add each type in the internal API list below to the scheme.
There was a problem hiding this comment.
I would recommend doing a follow-up to deal with legacyscheme usage as a whole
There was a problem hiding this comment.
@ncdc happy to open a tracking issue and tackle 👍🏻
There was a problem hiding this comment.
@hasheddan yes let's do that please, thanks!
|
Approving. Keep merging & iterate on 😄 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ncdc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
Summary
This patch set includes two primary changes:
Update the APIResourceSchema generation to consider multiple versions of
an API and append the schemas to one ARS rather than generating a
separate ARS for each.
Signed-off-by: hasheddan georgedanielmangum@gmail.com
Adds an APIExport admission plugin that, for the time-being, only
validates that any permissionClaims for types that are not built-in
include an identityHash.
Signed-off-by: hasheddan georgedanielmangum@gmail.com
The first can be observed when creating an
APIExportwithpermissionClaimsonFlowSchemasorPriorityLevelConfigurations.Before:
After:
The second can be observed by trying to include a
permissionClaimfor something likeDeployment(not built-in) without anidentityHash:Related issue(s)
Fixes #2161
xref #2152 (more work to be done on exposing conditions for other failure modes)