Add webhook validation for remote Tasks #6942
Conversation
tekton-robot
added
kind/misc
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
lbernick
force-pushed
the
validate-remote-pipelines-2
branch
from
aad013f
to
e8ff288
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
/retest: #6943 |
|
/retest |
|
@lbernick Thanks for this. My only doubt about this approach was the extra load it generates on the k8s API server. However, considering that it will only call the API once per |
| @@ -448,14 +451,6 @@ func TestGetTaskFunc_RemoteResolution(t *testing.T) { | |||
| taskYAMLString, | |||
| }, "\n"), | |||
| wantTask: parse.MustParseV1Task(t, taskYAMLString), | |||
| }, { | |||
There was a problem hiding this comment.
Curious why do we remove these tests?
There was a problem hiding this comment.
The webhook will now validate that beta features aren't used in v1 tasks unless enable-api-fields is set to beta. This replaces the existing hard-coded check for this specific bit of validation (
pipeline/pkg/reconciler/taskrun/resources/taskref.go
Lines 173 to 177 in 080ea13
lbernick
force-pushed
the
validate-remote-pipelines-2
branch
from
e8ff288
to
9b9cdeb
Compare
Thanks @afrittoli! I also think this should be fine-- we already call the webhook to update every taskrun and our k8s clients are rate limited. Are there any changes I can make to this PR that would help alleviate concerns about extra api calls? |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
This call is conditionned though (aka it won't happen for all PipelineRun or TaskRun), but ok. |
My understanding (from #5146) is this function is actually what does all our status updates for TaskRuns, so it'll be called multiple times per TaskRun. Do you have any suggestions for changes I could make to this PR, or concerns about merging it? |
|
/retest |
|
/hold |
tekton-robot
added
the
do-not-merge/hold
lbernick
force-pushed
the
validate-remote-pipelines-2
branch
from
9b9cdeb
to
309c650
Compare
tekton-robot
added
size/XL
lbernick
force-pushed
the
validate-remote-pipelines-2
branch
from
309c650
to
f39cd22
Compare
|
/hold cancel |
tekton-robot
removed
the
do-not-merge/hold
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
A prior commit added validation for remote Pipelines by issuing dry-run create requests to the kubernetes API server, allowing validating admission webhooks to accept or reject remote pipelines without actually creating them. This commit adds the same logic for remote Tasks, and moves common logic into a shared package.
lbernick
force-pushed
the
validate-remote-pipelines-2
branch
from
f39cd22
to
0ad1bc8
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dibyom, Yongxuanzhang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
A prior commit (#6887) added validation for remote Pipelines by issuing dry-run create requests to the kubernetes API server, allowing validating admission webhooks to accept or reject remote pipelines without actually creating them. This commit adds the same logic for remote Tasks, and moves common logic into a shared package.
/kind misc
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
/kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tepRelease Notes