Server Side Field Validation #2
Conversation
liggitt
force-pushed
the
json-stdlib
branch
5 times, most recently
from
fbe25a5 to
434ce43
Compare
kevindelgado
force-pushed
the
validation-unify-all
branch
from
f0caae4 to
8bc736a
Compare
| @@ -855,6 +855,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS | |||
| genericfeatures.WarningHeaders: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.24 | |||
| genericfeatures.OpenAPIEnums: {Default: false, PreRelease: featuregate.Alpha}, | |||
| genericfeatures.CustomResourceValidationExpressions: {Default: false, PreRelease: featuregate.Alpha}, | |||
| genericfeatures.FieldValidation: {Default: false, PreRelease: featuregate.Alpha}, | |||
There was a problem hiding this comment.
Not completely sure about the name yet, what about ... StrictValidation, or both StrictFieldsValidation?
| return obj, gvk, err | ||
| } | ||
| return nil, gvk, err |
There was a problem hiding this comment.
I've never seen this type of return signature where one doesn't check for err != nil but obj != nil and I can see how it'd be confusing for people.
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
Show resolved
Hide resolved
| @@ -1321,10 +1327,12 @@ func (v *unstructuredSchemaCoercer) apply(u *unstructured.Unstructured) error { | |||
| if err != nil { | |||
| return err | |||
| } | |||
|
|
|||
| pruned := map[string]bool{} | |||
There was a problem hiding this comment.
You could possibly have used an empty struct here, struct{} rather than bool, though I don't know if it matters.
There was a problem hiding this comment.
also prefer var pruned map[string]... which avoids an unused map allocation
| pruned = structuralpruning.Prune(u.Object, v.structuralSchemas[gv.Version], false) | ||
| structuraldefaulting.PruneNonNullableNullsWithoutDefaults(u.Object, v.structuralSchemas[gv.Version]) | ||
| } |
There was a problem hiding this comment.
So if we're not pruning, we can't fail on unknown fields?
There was a problem hiding this comment.
that seems correct... if we're preserving fields not mentioned in the schema, we're effectively saying all field names are permissible
There was a problem hiding this comment.
On the other hand, this mostly exists for compatibility reason, doesn't mean people necessarily wanted arbitrary fields? I think it's useful even as a warning for example.
| scope.err(err, w, req) | ||
| return | ||
| } | ||
|
|
||
| decoder := scope.Serializer.DecoderToVersion(s.Serializer, scope.HubGroupVersion) | ||
| trace.Step("About to convert to expected version") | ||
| obj, gvk, err := decoder.Decode(body, &defaultGVK, original) |
There was a problem hiding this comment.
That answers one of my question above. It doesn't look like ignore and warn are fundamentally different, do we need to keep ignore then? Or if we keep it, does it need to be the default?
| return | ||
| } | ||
| if validationDirective == runtime.WarnFieldValidation { | ||
| warning.AddWarning(req.Context(), "", err.Error()) |
There was a problem hiding this comment.
I would have expected one warning per unknown field, this looks like it would build a very large warning
There was a problem hiding this comment.
I've made an attempt at doing that now. Let me know if it's correct
|
|
||
| // smpTestSetup applies an object that will later be patched | ||
| // in the actual test/benchmark. | ||
| func smpTestSetup(t testing.TB, client clientset.Interface) { |
There was a problem hiding this comment.
I'm not a big fan of this function for tests in general
| // smpTestSetup applies an object that will later be patched | ||
| // in the actual test/benchmark. | ||
| func smpTestSetup(t testing.TB, client clientset.Interface) { | ||
| bodyBase, err := os.ReadFile("./testdata/deploy-small.json") |
There was a problem hiding this comment.
I'd also ideally avoid having files read from disk for tests, since it makes it harder to understand what the test does.
| var testcases = []struct { | ||
| name string | ||
| opts metav1.UpdateOptions | ||
| errContains string | ||
| warnContains string |
There was a problem hiding this comment.
For this test (and another), I don't know if I enjoy the value of table-driven testing here, as I feel this obfuscates what the test does for very limited code re-use.
|
I don't have a strong opinion about any of my comments and this is super good and could probably be merged as is (except maybe we should answer to a few TODOs ;-). Thanks Kevin! |
|
I spent all of today focused on the SMP unstructured converter because that is where I felt the least comfortable and wanted to get some resolution on first. In addressing your feedback @apelisse , I think I finally understood the "pre-flattening" algo we had discussed before that I was previously failing to grok. I've updated the converter to use this now which gets rid of the wonky "fields" field we had to add to the various method signatures that you had commented on (and clears up some of the other concerns you had). On the performance side , the way I had implemented converter strict validation was about 300% slower and more memory intensive than what's currently in master "no validation" (and Ignore also suffered the penalty because it was doing the unknown fields check and just not returning the error). Now, I'm seeing roughly parity between strict validation and the old "no validation" (actually, strict appears to be slightly faster and less memory (which is weird and I need to look into it on monday)). One thing I did not implement was the "full path to unknown field" that we discussed offline. I noticed that the json deserializer also does not indicate the full path, so I wasn't sure if we actually wanted to do that here in SMP. I think it's easy enough to add (although I think it will require changing the method signatures to store the path down successive recursive calls of Anyways, I know this is a lot of text, so let's sync on Monday. If you want, feel free to take another look at |
|
kubernetes#105030 is merged if you want to transition this to k/k before the next round of feedback |
| if len(pruned) > 0 && v.persistStrictDecodingErrors { | ||
| allStrictErrs := make([]error, len(pruned)) | ||
| i := 0 | ||
| for unknownField, _ := range pruned { |
There was a problem hiding this comment.
iterating over a map makes the order non-deterministic, which is not ideal
also see suggestion above about making this low-level function just return the list of unknown field paths and letting the caller turn that into warnings/messages
| @@ -1321,10 +1327,12 @@ func (v *unstructuredSchemaCoercer) apply(u *unstructured.Unstructured) error { | |||
| if err != nil { | |||
| return err | |||
| } | |||
|
|
|||
| pruned := map[string]bool{} | |||
There was a problem hiding this comment.
also prefer var pruned map[string]... which avoids an unused map allocation
| pruned = structuralpruning.Prune(u.Object, v.structuralSchemas[gv.Version], false) | ||
| structuraldefaulting.PruneNonNullableNullsWithoutDefaults(u.Object, v.structuralSchemas[gv.Version]) | ||
| } |
There was a problem hiding this comment.
that seems correct... if we're preserving fields not mentioned in the schema, we're effectively saying all field names are permissible
| structuralSchemas map[string]*structuralschema.Structural | ||
| structuralSchemaGK schema.GroupKind | ||
| preserveUnknownFields bool | ||
| persistStrictDecodingErrors bool |
There was a problem hiding this comment.
"persist" reads strangely... maybe returnUnknownFieldPaths?
| structuralSchemas map[string]*structuralschema.Structural | ||
| structuralSchemaGK schema.GroupKind | ||
| preserveUnknownFields bool | ||
| persistStrictDecodingErrors bool | ||
| } | ||
|
|
||
| func (v *unstructuredSchemaCoercer) apply(u *unstructured.Unstructured) error { |
There was a problem hiding this comment.
since this signature is private, would it be clearer to make the list of unknown fields be returned as a separate return value?
func (v *unstructuredSchemaCoercer) apply(u *unstructured.Unstructured) (unknownFieldPaths []string, err error)
That would let the caller determine how to use the list of unknown field paths, would preserve order, and would distinguish between validation errors and unknown fields
| trace.Step("About to convert to expected version") | ||
| obj, gvk, err := decoder.Decode(body, &defaultGVK, original) | ||
|
|
||
| validationDirective, err := fieldValidation(req) |
There was a problem hiding this comment.
is there a reason not to do the validation in ValidateCreateOptions above (which presumably already extracted the desired directive from the req parameters), and use options.FieldValidation instead of a second local var? same question applies to all the places fieldValidation(req) is being used
There was a problem hiding this comment.
Somehow I completely missed the Validate*Options. I've done that now
| @@ -424,7 +438,7 @@ type applyPatcher struct { | |||
| userAgent string | |||
| } | |||
|
|
|||
| func (p *applyPatcher) applyPatchToCurrentObject(obj runtime.Object) (runtime.Object, error) { | |||
| func (p *applyPatcher) applyPatchToCurrentObject(_ context.Context, obj runtime.Object) (runtime.Object, error) { | |||
There was a problem hiding this comment.
is this a TODO? duplicate and unknown fields are detectable here, right?
There was a problem hiding this comment.
This was not meant as a TODO, because SSA already defaults to strict validation on unknown fields. But I just realized that we had spoke about how SSA does not error on duplicate fields, so I’ve added a TODO to capture this.
| if contentType != "" { | ||
| supported = false | ||
| for _, v := range strings.Split(contentType, ",") { | ||
| t, _, err := mime.ParseMediaType(v) |
There was a problem hiding this comment.
ParseMediaType has non-trivial cost and is already done in NegotiateInputSerializer for create/update, and is unused for patch (we require Content-Type to be exactly one of the supported patch types) ... I didn't expect to be doing this parsing a second time here
is there a reason we can't define a strict version of each deserializer and select that in create.go / update.go if FieldValidation is set to Warn or Strict?
There was a problem hiding this comment.
removed this as part of the Validate*Options work
| } | ||
| } | ||
|
|
||
| validationParam := req.URL.Query()["fieldValidation"] |
There was a problem hiding this comment.
pull this from create/update/patch options rather than re-extracting from the query
| case 0: | ||
| return runtime.IgnoreFieldValidation, nil | ||
| case 1: | ||
| switch strings.ToLower(validationParam[0]) { |
There was a problem hiding this comment.
I'm not sure why we'd want to be case-insensitive here
There was a problem hiding this comment.
Changed it to be case-sensitive. Wasn’t sure what the right way was based on this comment kubernetes#104433 (comment)
|
Has this been re-opened in k/k? I wanted to do another pass. |
| // - Ignore: ignore's unknown/duplicate fields | ||
| // - Strict: fail the request on unknown/duplicate fields | ||
| // - Warn: respond with a warning, but successfully serve the request. |
There was a problem hiding this comment.
reordered the values. Waiting on another round of feedback before defaulting to warn to confirm that is what we want to do
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
Show resolved
Hide resolved
| @@ -23,7 +23,8 @@ import ( | |||
| // Prune removes object fields in obj which are not specified in s. It skips TypeMeta and ObjectMeta fields | |||
| // if XEmbeddedResource is set to true, or for the root if isResourceRoot=true, i.e. it does not | |||
| // prune unknown metadata fields. | |||
| func Prune(obj interface{}, s *structuralschema.Structural, isResourceRoot bool) { | |||
| // It returns the set of fields that it prunes. | |||
| func Prune(obj interface{}, s *structuralschema.Structural, isResourceRoot bool) map[string]bool { | |||
| @@ -424,7 +438,7 @@ type applyPatcher struct { | |||
| userAgent string | |||
| } | |||
|
|
|||
| func (p *applyPatcher) applyPatchToCurrentObject(obj runtime.Object) (runtime.Object, error) { | |||
| func (p *applyPatcher) applyPatchToCurrentObject(_ context.Context, obj runtime.Object) (runtime.Object, error) { | |||
There was a problem hiding this comment.
This was not meant as a TODO, because SSA already defaults to strict validation on unknown fields. But I just realized that we had spoke about how SSA does not error on duplicate fields, so I’ve added a TODO to capture this.
| return runtime.IgnoreFieldValidation, nil | ||
| } | ||
|
|
||
| // TODO: Should we blocklist unsupportedContentTypes (just protobuf) rather than allowlisting everything that isn't protobuf? |
There was a problem hiding this comment.
removed as part of the Validation*Options work
| if contentType != "" { | ||
| supported = false | ||
| for _, v := range strings.Split(contentType, ",") { | ||
| t, _, err := mime.ParseMediaType(v) |
There was a problem hiding this comment.
removed this as part of the Validate*Options work
| } | ||
| } | ||
|
|
||
| validationParam := req.URL.Query()["fieldValidation"] |
| case 0: | ||
| return runtime.IgnoreFieldValidation, nil | ||
| case 1: | ||
| switch strings.ToLower(validationParam[0]) { |
There was a problem hiding this comment.
Changed it to be case-sensitive. Wasn’t sure what the right way was based on this comment kubernetes#104433 (comment)
This is the commit message for patch #2 (refresh-temp):
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> fix (#2) Signed-off-by: Monis Khan <mok@microsoft.com>
What type of PR is this?
/kind feature
What this PR does / why we need it:
Performs strict server side schema validation via the
fieldValidation=[Strict,Warn,Ignore]query parameter.This change is dependent on
liggitt/json-stdliband so this PR is opened on this fork in order to begin collecting feedback on it untilliggitt/json-stdlibis merged into upstream k/k.It introduces the
fieldValidationquery parameter that when set toStrictcauses requests to error when unknown fields are present, when set toWarnsucceeds the request but returns a warning, and when set toIgnoreit ignores unknown fields.For create/update requests, we use strict json unmarshalling to determine the unknown fields and error/warn based on those fields.
For JSON Patch requests (i.e. CRDs), we use the prune mechanism in the customresource handler to resolve any unknown fields.
For SMP Patch request, we use the the unstructured converter to resolve unknown fields.
Apply Patch requests already require strict schemas and will error on unknown fields.
Which issue(s) this PR fixes:
First step in solving kubernetes#39434 and kubernetes#5889
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
KEP-2885