Add CEL runtime cost into CR validation #108482
/triage accepted
/cc @jpbetz
staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy.go
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/validation.go
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/validation.go
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go
other than needing testing of the string-prefix-detection branch (once there's a test in place that fails if that prefix match doesn't catch a cost-exceeded error, this lgtm)
adf92b3 to 5420655
The test is in place for
/test pull-kubernetes-e2e-kind-ipv6
e300bd8 to 50b9a0d
Non-blocking for this PR, but make sure there's follow up item to make the construction / detection of "budget exceeded" errors consistent with helper constructor/detector functions. Right now we're returning slightly different error messages in four places and detecting them with strings.Contains in at least 2-3 places
```go
		t.Errorf("expect err of running out of cost budget but did not find")
	}
	if meetErr != 3 {
		t.Errorf("expect 3 errs of running out of cost budget returned but get %v errs", meetErr)
```
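Review bot: the `meetErr != 3` assertion at the end of the hunk makes the test pass only when validation keeps evaluating rules after the cost budget is already exhausted, so it locks in the behaviour that is under question rather than the contract; if evaluation is meant to stop at the first exhaustion, assert `meetErr == 1` (or `meetErr >= 1` until propagation of the remaining cost is settled) and keep the preceding "did not find" check for the zero case.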
this is surprising... once we exceed our budget, we should stop evaluating further rules, we should get back at most one "budget exceeded" error
if this requires threading/propagating remainingCost through the default validation function, I'm ok doing this in a follow-up, but it does need to be done
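The two review points above (budget-exceeded errors should be built and detected through one helper pair rather than ad hoc messages and strings.Contains, and once the budget is exhausted evaluation should stop and yield at most one such error) can be shown together in a small stand-alone Go program. This is an added illustration, not code from this PR or from cel-go: Rule, Validate, RunSample and the error helpers are hypothetical names, and each rule reports its own cost in place of the runtime cost cel-go would track.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrCostBudgetExceeded is the one sentinel every "budget exceeded" error wraps, so
// callers detect it with errors.Is instead of strings.Contains on a message.
var ErrCostBudgetExceeded = errors.New("validation failed due to running out of cost budget")

// CostBudgetExceededError records where evaluation stopped and how far over budget it went.
type CostBudgetExceededError struct {
	Path      string
	Remaining int64
}

func (e *CostBudgetExceededError) Error() string {
	return fmt.Sprintf("%s: %v (remaining cost %d)", e.Path, ErrCostBudgetExceeded, e.Remaining)
}

// Unwrap makes errors.Is(err, ErrCostBudgetExceeded) true for every instance, however wrapped.
func (e *CostBudgetExceededError) Unwrap() error { return ErrCostBudgetExceeded }

// NewCostBudgetExceededError is the single constructor: one message format, one place to change it.
func NewCostBudgetExceededError(path string, remaining int64) error {
	return &CostBudgetExceededError{Path: path, Remaining: remaining}
}

// IsCostBudgetExceeded is the single detector; it keeps working if the wording changes.
func IsCostBudgetExceeded(err error) bool { return errors.Is(err, ErrCostBudgetExceeded) }

// Rule stands in for a compiled CEL rule attached to a schema path (hypothetical shape).
// Eval reports whether the object passes and the cost that evaluation consumed.
type Rule struct {
	Path string
	Eval func(obj map[string]interface{}) (ok bool, cost int64)
}

// Validate runs rules in order against one shared budget. Every rule draws from the same
// remainingCost; the first rule that drives it negative yields exactly one budget error and
// evaluation stops, so later rules are never run. The remaining budget is returned so a
// recursive caller can keep threading it through nested schemas.
func Validate(obj map[string]interface{}, rules []Rule, budget int64) (errs []error, remainingCost int64) {
	remainingCost = budget
	for _, r := range rules {
		ok, cost := r.Eval(obj)
		remainingCost -= cost
		if remainingCost < 0 {
			errs = append(errs, NewCostBudgetExceededError(r.Path, remainingCost))
			return errs, remainingCost
		}
		if !ok {
			errs = append(errs, fmt.Errorf("%s: rule evaluated to false", r.Path))
		}
	}
	return errs, remainingCost
}

// CountBudgetErrors is what a test or caller uses to check "at most one budget error".
func CountBudgetErrors(errs []error) int {
	n := 0
	for _, err := range errs {
		if IsCostBudgetExceeded(err) {
			n++
		}
	}
	return n
}

// RunSample validates a constructed object against four rules costing 40 each with a
// budget of 100: rule 1 passes, rule 2 fails, rule 3 exhausts the budget, rule 4 never runs.
// It also reports how many rules were actually evaluated.
func RunSample() (errs []error, remainingCost int64, evaluated int) {
	obj := map[string]interface{}{"replicas": int64(3), "minReplicas": int64(5)} // constructed input
	mk := func(path string, pred func(map[string]interface{}) bool) Rule {
		return Rule{Path: path, Eval: func(o map[string]interface{}) (bool, int64) {
			evaluated++
			return pred(o), 40
		}}
	}
	rules := []Rule{
		mk("spec.replicas", func(o map[string]interface{}) bool { return o["replicas"].(int64) > 0 }),
		mk("spec.minReplicas", func(o map[string]interface{}) bool { return o["minReplicas"].(int64) <= o["replicas"].(int64) }),
		mk("spec.rule3", func(map[string]interface{}) bool { return true }),
		mk("spec.rule4", func(map[string]interface{}) bool { return true }),
	}
	errs, remainingCost = Validate(obj, rules, 100)
	return errs, remainingCost, evaluated
}

func main() {
	errs, remaining, evaluated := RunSample()
	fmt.Printf("evaluated %d rules, remaining cost %d, budget errors %d\n", evaluated, remaining, CountBudgetErrors(errs))
	for _, err := range errs {
		fmt.Println(" -", err)
	}
}
```

The ordinary rule failure from rule 2 is still reported alongside the single budget error, which matches the point that budget errors belong in the regular error list; what changes is that the caller distinguishes them with IsCostBudgetExceeded rather than by message text.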
I have updated to handle the CEL cost budget exceeded error separately. Would you mind checking the latest commit to see if it makes sense? Thank you
744967d to 74e3ae2
```go
}

// validate is the recursive step func for the validation. insideMeta is true if s specifies
// TypeMeta or ObjectMeta. The SurroundingObjectFunc f is used to validate defaults of
// TypeMeta or ObjectMeta fields.
func validate(pth *field.Path, s *structuralschema.Structural, rootSchema *structuralschema.Structural, f SurroundingObjectFunc, insideMeta, requirePrunedDefaults bool) (field.ErrorList, error) {
	// If CEL validation cost budget exceeded, the error will be saved in returned arg error instead of allErrs. The caller could handle it separately if needed.
```
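Review bot: the added comment on the last line documents a contract the visible signature cannot support without changes elsewhere: returning a budget-exceeded condition through the `error` result of `validate` means callers of `ValidateDefaults` must treat that error as an expected outcome, and a non-nil `err` from `ValidateDefaults` is currently handled as "this should never happen". Either make the comment describe the path the code actually takes for cost errors, or state how callers are expected to distinguish the budget error from a genuine internal failure.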
> If CEL validation cost budget exceeded, the error will be saved in returned arg error instead of allErrs.

Is that accurate? This seems like it is propagating cost-exceeded errors in allErrs:

```go
if remainingCost < 0 {
	return allErrs, nil, remainingCost
}
```

as an aside, if we did propagate a cost error in err, that would propagate to callers of ValidateDefaults, and would be handled by this block, which has a comment that we never expect to encounter an error:

```go
} else if validationErrors, err := structuraldefaulting.ValidateDefaults(fldPath.Child("openAPIV3Schema"), ss, true, opts.requirePrunedDefaults); err != nil {
	// this should never happen
	allErrs = append(allErrs, field.Invalid(fldPath.Child("openAPIV3Schema"), "", err.Error()))
} else {
```
I think the code (propagating cost errors in allErrs) is actually what we want, and this godoc should change to match what we're actually doing
It was left over from previous change. I have removed the incorrect comment. Sorry for that
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cici37, liggitt. The full list of commands accepted by this bot can be found here. The pull request process is described here.
What type of PR is this?
/kind feature
What this PR does / why we need it:
This is part of #107573. Based on PR: google/cel-go#494. Add runtime cost calculation of CEL into CR validation.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: