Server Side Strict Field Validation #105916
Conversation
k8s-ci-robot
added
kind/feature
k8s-ci-robot
added
area/apiserver
area/test
kind/api-change
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
Outdated
Show resolved
Hide resolved
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
There was a problem hiding this comment.
Writing tests now, but it's going pretty slowly. Will hopefully add a bunch more tomorrow. Probably wont address the converter stuff until I've made it through all the tests. Feel free to hold off on reviewing until I've added more tests, but if you do want to take a look I made some changes the to jsonPatcher in order to collect decoding errors that arise from the patch itself having invalid json, and started updating a few of the tests to be more inline with your testing comment.
kevindelgado
force-pushed
the
validation-unify-all
branch
from
e8b931a
to
dd91910
Compare
There was a problem hiding this comment.
I've done a big pass based on previous feedback. In particular, I revamped the integration testing suite based on Jordan's previous comments. It caught a bunch of bugs.
I figured this would be a good time to check in and ask for a review especially around the testing strategy.
In parallel, I have a few isolated issues I'm working on, but I don't want this to block reviewing. These are mainly:
1. (fixed by unmarshalling directly into the object)kjson.UnmarshalStrict doesn't seem to recognizing duplicate fields when unmarshalling into an unstructured object. I need to dig into this further.
2. I still need to implement full field path collection to the converter (and pruning) so that the errors reported contain the full path to the field (i.e (Done)/spec/unknownField rather than just unknownField)
3. The SMP/warn test case is not returning the full list of unknown fields. I need to dig into this further.(Fixed via the new converter implementation)
Also, I've cordoned off the benchmark tests for now. Still working on them, but the ones I had I think lost their utility and were hard to maintain as I was rapidly iterating on the tests. I will rewrite them once the test suite gets reviewed and is a little more stable.
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
All feedback addressed, benchstats still look good (ignore case is completely inert, but slightly more allocs in the strict case than before):
Ignore
name old time/op new time/op delta
FromUnstructuredWithValidation/Ignore-16 149µs ± 1% 148µs ± 1% ~ (p=0.222 n=5+5)
name old alloc/op new alloc/op delta
FromUnstructuredWithValidation/Ignore-16 26.8kB ± 0% 26.8kB ± 0% ~ (p=0.524 n=5+5)
name old allocs/op new allocs/op delta
FromUnstructuredWithValidation/Ignore-16 641 ± 0% 641 ± 0% ~ (all equal)
Strict
name old time/op new time/op delta
FromUnstructuredWithValidation/Strict-16 149µs ± 1% 167µs ± 1% +11.87% (p=0.008 n=5+5)
name old alloc/op new alloc/op delta
FromUnstructuredWithValidation/Strict-16 26.8kB ± 0% 33.5kB ± 0% +25.00% (p=0.008 n=5+5)
name old allocs/op new allocs/op delta
FromUnstructuredWithValidation/Strict-16 641 ± 0% 745 ± 0% +16.22% (p=0.008 n=5+5)
c6d7e04
to
be7e61d
Compare
| // alpha: v1.23 | ||
| // | ||
| // Enables server-side field validation. | ||
| StrictFieldValidation featuregate.Feature = "StrictFieldValidation" |
There was a problem hiding this comment.
nit: would ServerSideFieldValidation be a better name, since the feature enables warnings in addition to strict handling? should be an easy find/replace if so
There was a problem hiding this comment.
yea I agree, done
There was a problem hiding this comment.
follow up with a PR updating the KEP and a PR updating website docs
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/recognizer/recognizer.go
Show resolved
Hide resolved
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/versioning/versioning.go
Show resolved
Hide resolved
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning/algorithm.go
Show resolved
Hide resolved
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/json/json.go
Outdated
Show resolved
Hide resolved
kevindelgado
force-pushed
the
validation-unify-all
branch
from
be7e61d
to
a46c5f9
Compare
| // alpha: v1.23 | ||
| // | ||
| // Enables server-side field validation. | ||
| StrictFieldValidation featuregate.Feature = "StrictFieldValidation" |
There was a problem hiding this comment.
yea I agree, done
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/recognizer/recognizer.go
Show resolved
Hide resolved
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/versioning/versioning.go
Show resolved
Hide resolved
kevindelgado
force-pushed
the
validation-unify-all
branch
from
a46c5f9
to
8cd4bf0
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kevindelgado, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
kevindelgado
force-pushed
the
validation-unify-all
branch
from
8cd4bf0
to
bea263b
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@kevindelgado: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Implements server side field validation behind the `ServerSideFieldValidation` feature gate. With the feature enabled, any create/update/patch request with the `fieldValidation` query param set to "Strict" will error if the object in the request body have unknown fields. A value of "Warn" (also the default when the feautre is enabled) will succeed the request with a warning. When the feature is disabled (or the query param has a value of "Ignore"), the request will succeed as it previously had with no indications of any unknown or duplicate fields.
kevindelgado
force-pushed
the
validation-unify-all
branch
from
bea263b
to
e50e2bb
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
What type of PR is this?
/kind feature
What this PR does / why we need it:
Performs strict server side schema validation via the
fieldValidation=[Strict,Warn,Ignore]query parameter.It introduces the
fieldValidationquery parameter that when set toStrictcauses requests to error when unknown fields are present, when set toWarnsucceeds the request but returns a warning, and when set toIgnoreit ignores unknown fields.For create/update requests, we use strict json unmarshalling to determine the unknown fields and error/warn based on those fields.
For JSON Patch requests (i.e. CRDs), we use the prune mechanism in the customresource handler to resolve any unknown fields.
For SMP Patch request, we use the the unstructured converter to resolve unknown fields.
Apply Patch requests already require strict schemas and will error on unknown fields.
Which issue(s) this PR fixes:
First step in solving #39434 and #5889
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
KEP-2885