Systems with conflicting mutators may not converge #1216

maxsmythe · 2021-04-01T00:55:47Z

If a system has conflicting mutators (i.e. they disagree as to the schema of the resource they're mutating), currently the first mutator to be ingested is recognized and the second is ignored.

In an eventually consistent system with mutiple pods, this is broken and will not converge. If mutators A and B are in conflict and pod 1 recognizes mutator A, while pod 2 recognizes mutator B, the system will not be idempotent... it's answer may change depending on which pod processes the request.

The solution is to disallow all conflicting mutators. Such a rule would lead to convergence regardless of order.

willbeason · 2021-06-07T19:33:17Z

I can take this

willbeason · 2021-06-07T20:00:57Z

An example of mutators with conflicting schemas would be:

spec.containers[name: "foo"].bar = "hello"
spec.containers.foo.bar = "hello"

The first assumes spec.containers is a list, and the second assumes spec.containers is an object.

The following class of conflict is considered out of scope for this issue (it is left to the user to prevent this):

spec.containers.azure.bar = "hi"
spec.containers.azure.bar = "hello"

When multiple Pods are running mutators, it is possible that they will ingest mutators in different orders. Before this PR, we would essentially randomly pick which mutator to honor and discard future mutators which conflicted. Fixes: open-policy-agent#1216 Signed-off-by: Will Beason <willbeason@google.com>

When multiple Pods are running mutators, it is possible that they will ingest mutators in different orders. Before this PR, we would essentially randomly pick which mutator to honor and discard future mutators which conflicted. Fixes: #1216 Signed-off-by: Will Beason <willbeason@google.com>

maxsmythe · 2021-07-13T19:48:59Z

This issue isn't yet closed... #1364 sets the stage for fixing the issue, but we still:

Accept the first conflicting mutators and reject subsequent ones:

gatekeeper/pkg/mutation/system.go

Lines 53 to 56 in a88df07

    
           err := s.schemaDB.Upsert(withSchema) 
        
           if err != nil { 
        
           	s.schemaDB.Remove(withSchema.ID()) 
        
           	return errors.Wrapf(err, "Schema upsert caused conflict for %v", m.ID())

Have no way of reporting conflicting mutators, or that those conflicts have resolved

IIRC those issues were going to be addressed in a follow-on PR

…1364) When multiple Pods are running mutators, it is possible that they will ingest mutators in different orders. Before this PR, we would essentially randomly pick which mutator to honor and discard future mutators which conflicted. Fixes: open-policy-agent#1216 Signed-off-by: Will Beason <willbeason@google.com> Signed-off-by: juliankatz <juliankatz@google.com>

maxsmythe added bug Something isn't working mutation labels Apr 1, 2021

maxsmythe added this to the Mutation Beta milestone Apr 1, 2021

maxsmythe assigned willbeason Jun 7, 2021

willbeason mentioned this issue Jun 15, 2021

Preserve conflicting schemas and report conflicts #1364

Merged

willbeason closed this as completed in #1364 Jul 13, 2021

maxsmythe reopened this Jul 13, 2021

willbeason mentioned this issue Sep 21, 2021

Preserve conflicting mutators #1569

Merged

willbeason closed this as completed in #1569 Sep 28, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Systems with conflicting mutators may not converge #1216

Systems with conflicting mutators may not converge #1216

maxsmythe commented Apr 1, 2021

willbeason commented Jun 7, 2021

willbeason commented Jun 7, 2021

maxsmythe commented Jul 13, 2021

Systems with conflicting mutators may not converge #1216

Systems with conflicting mutators may not converge #1216

Comments

maxsmythe commented Apr 1, 2021

willbeason commented Jun 7, 2021

willbeason commented Jun 7, 2021

maxsmythe commented Jul 13, 2021