Forbid CEL transition rules on unmergeable CRD subschemas. #108013

Conversation

benluddy
Contributor

@benluddy benluddy commented Feb 8, 2022

What type of PR is this?

/kind feature

What this PR does / why we need it:

Implements CRD schema validation for transition rules based on https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/2876-crd-validation-expression-language#transition-rules.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

CRD writes will generate validation errors if a CEL validation rule references the identifier "oldSelf" on a part of the schema that does not support it.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/tree/0ad0fc8269165ca300d05ca51c7ce190a79976a5/keps/sig-api-machinery/2876-crd-validation-expression-language#transition-rules

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Feb 8, 2022
@k8s-ci-robot
Contributor

Hi @benluddy. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Feb 8, 2022
@benluddy
Contributor Author

benluddy commented Feb 8, 2022

/sig api-machinery
/cc @sttts @liggitt @jpbetz

@leilajal
Contributor

leilajal commented Feb 8, 2022

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 8, 2022
@benluddy
Contributor Author

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 11, 2022
@benluddy benluddy force-pushed the cel-transition-rule-schema-validation branch 3 times, most recently from ef6637d to f10e2cf Compare February 11, 2022 18:09
@benluddy benluddy changed the title WIP: forbid transition rules on unmergeable subschemas Forbid CEL transition rules on unmergeable CRD subschemas. Feb 11, 2022
@jpbetz
Contributor

jpbetz commented Feb 24, 2022

/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Feb 24, 2022
@benluddy
Contributor Author

/test pull-kubernetes-node-e2e-containerd

@benluddy benluddy force-pushed the cel-transition-rule-schema-validation branch from 7f27488 to 6ecf140 Compare February 25, 2022 16:46
@benluddy benluddy force-pushed the cel-transition-rule-schema-validation branch 3 times, most recently from f133da4 to 33cd78c Compare March 2, 2022 21:05
@liggitt liggitt moved this from Assigned to In progress in API Reviews Mar 3, 2022
@benluddy benluddy force-pushed the cel-transition-rule-schema-validation branch from 33cd78c to 1b76bab Compare March 3, 2022 14:29
@benluddy
Contributor Author

benluddy commented Mar 3, 2022

/retest

Member

@liggitt liggitt left a comment

just a few nits/clarifications, then lgtm

@benluddy benluddy force-pushed the cel-transition-rule-schema-validation branch from 1b76bab to f1c89a4 Compare March 3, 2022 16:06
@liggitt liggitt moved this from In progress to Changes requested in API Reviews Mar 3, 2022
Transition rules (i.e. validation rules whose expressions reference
existing state) are not allowed on schemas, or the descendants of
schemas, that are unmergeable according to server-side apply
semantics. Today, this means that only objects with map-type
"granular" (or unspecified) and arrays with list-type "map" support
transition rules on their property/item subschemas.
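
The rule stated in the commit message above, sketched as a schema walk (an added example, not code from this pull request). `Schema`, `ForbiddenTransitionRules` and the path format are hypothetical; a rule on an object or array itself is assumed to stay allowed when only its children are unmergeable, and `oldSelf` is detected with a word match rather than by parsing CEL.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Schema is a hypothetical, simplified stand-in for a CRD subschema.
type Schema struct {
	MapType, ListType string   // x-kubernetes-map-type / -list-type; "" = unspecified
	Rules             []string // x-kubernetes-validations rule expressions
	Properties        map[string]*Schema
	Items             *Schema
}

// Simplification: a word match rather than parsing the CEL expression.
var oldSelfRef = regexp.MustCompile(`\boldSelf\b`)

// ForbiddenTransitionRules returns the sorted paths of unmergeable subschemas with an oldSelf rule.
func ForbiddenTransitionRules(root *Schema) (out []string) {
	walk(root, "schema", true, &out)
	sort.Strings(out)
	return
}

func walk(s *Schema, path string, mergeable bool, out *[]string) {
	if s == nil {
		return
	}
	if !mergeable && oldSelfRef.MatchString(strings.Join(s.Rules, "\n")) {
		*out = append(*out, path)
	}
	// Only a granular/unspecified map-type object or a list-type "map" array keeps children mergeable.
	propsOK := mergeable && (s.MapType == "" || s.MapType == "granular")
	for name, p := range s.Properties {
		walk(p, path+".properties["+name+"]", propsOK, out)
	}
	walk(s.Items, path+".items", mergeable && s.ListType == "map", out)
}

func main() {
	r := []string{"self >= oldSelf"} // constructed sample schema, not from the pull request
	fmt.Println(ForbiddenTransitionRules(&Schema{Rules: r, Properties: map[string]*Schema{
		"ports":  {ListType: "map", Items: &Schema{Properties: map[string]*Schema{"port": {Rules: r}}}},
		"args":   {Rules: r, Items: &Schema{Rules: r}},
		"limits": {MapType: "atomic", Properties: map[string]*Schema{"cpu": {Rules: r}}},
	}}))
}
```

In the sample, the items of `args` (list-type unspecified) and the `cpu` property under the atomic `limits` map are reported, while the rule on `args` itself and the rule under the list-type "map" `ports` are not.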
@benluddy benluddy force-pushed the cel-transition-rule-schema-validation branch from f1c89a4 to fedaa23 Compare March 3, 2022 16:15
@benluddy
Contributor Author

benluddy commented Mar 3, 2022

@liggitt Addressed your latest comments, PTAL when you have a chance.

@liggitt
Member

liggitt commented Mar 3, 2022

/lgtm
/approve

@liggitt liggitt moved this from Changes requested to API review completed, 1.24 in API Reviews Mar 3, 2022
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 3, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 3, 2022
@benluddy
Contributor Author

benluddy commented Mar 3, 2022

/retest

Labels
api-review Categorizes an issue or PR as actively needing an API review. approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
Status: API review completed, 1.24
8 participants