is it required to validate object #135
@clyang82 interesting find! So the reason it's needed is that during object creation, it validates to ensure all required fields and no unknown fields are set in the policy. On updates, it takes the object returned from the Kubernetes API and merges in any updates from the policy. The validation ensures that no unknown fields were set. The reason it is important that no unknown fields are set is that Kubernetes silently ignores unknown fields and then when ConfigurationPolicy is evaluated again, it'll think that it's non-compliant because the unknown field is missing and tries to update it again. I think we could consider setting What do you think @JustinKuli?
Thanks @mprahl for your comments. I gave a try to set
The changes sound right to me. I'm happy to see the kind tests cover both the newer k8s with the validation, and the older version where it wasn't possible server-side. @clyang82 what did you mean in the original description "And it cannot be released." ?
log.Error(err, "Could not get the server version") | ||
} | ||
|
||
r.serverVersion = serverVersion.String() |
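Review bot: `r.serverVersion = serverVersion.String()` comes after the closing brace of the block that logs "Could not get the server version", so it still runs on the error path. If `serverVersion` can be nil when the lookup fails, this line dereferences it. Consider returning after the log call, or assigning only when the lookup succeeded, and add a comment that an empty `r.serverVersion` is what selects the older validation.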
Will this work if err != nil?
Assuming that in that case it is just set to an empty string, then the semver library would treat it as invalid and do this:
An invalid semantic version string is considered less than a valid one. All invalid semantic version strings compare equal to each other.
(https://pkg.go.dev/golang.org/x/mod/semver#Compare)
So I think it would fall back to the "old" validation gracefully.
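The fallback described in the comment above, as an added example that is not code from this PR or the project: a stdlib-only gate that mirrors the rule quoted from golang.org/x/mod/semver (an invalid version sorts below every valid one), so an empty version string left by a failed lookup selects the old validation. The names `parseMajorMinor` and `useServerSideValidation`, and treating v1.25 itself as new enough, are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseMajorMinor reads "vMAJOR.MINOR[.PATCH][-pre][+build]", e.g. "v1.26.1+k3s1".
// It is a simplified stand-in for golang.org/x/mod/semver; ok is false for "".
func parseMajorMinor(v string) (int, int, bool) {
	if !strings.HasPrefix(v, "v") {
		return 0, 0, false
	}
	core := v[1:]
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core = core[:i] // drop pre-release and build metadata
	}
	parts := strings.Split(core, ".")
	if len(parts) < 2 {
		return 0, 0, false
	}
	major, errMajor := strconv.Atoi(parts[0])
	minor, errMinor := strconv.Atoi(parts[1])
	if errMajor != nil || errMinor != nil {
		return 0, 0, false
	}
	return major, minor, true
}

// useServerSideValidation (hypothetical name) gates the newer validation path.
// Assumption: v1.25 itself counts as new enough.
func useServerSideValidation(serverVersion string) bool {
	major, minor, ok := parseMajorMinor(serverVersion)
	if !ok {
		// Invalid or empty version: behave as "older than any valid version".
		return false
	}
	return major > 1 || (major == 1 && minor >= 25)
}

func main() {
	// Constructed sample versions; "" models a failed server-version lookup.
	for _, v := range []string{"", "not-a-version", "v1.24.9", "v1.25.0", "v1.26.1+k3s1"} {
		fmt.Printf("%-16q server-side validation: %v\n", v, useServerSideValidation(v))
	}
}
```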
Yes. @JustinKuli is correct. In that case it would fall back to the original validation.
I mean the memory is allocated by
Nice job!
/hold for squashing of the commits
use FieldValidation only if the k8s version is above 1.25 Signed-off-by: clyang82 <chuyang@redhat.com>
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: clyang82, mprahl
/unhold
This is not a final PR need to be reviewed.
I just posted this PR to discuss:
config-policy-controller/controllers/configurationpolicy_controller.go
Lines 1504 to 1506 in 0499944
config-policy-controller/controllers/configurationpolicy_controller.go
Line 2544 in 0499944
Here is my test code
FYI @gparvin @mprahl