Add CEL runtime cost into CR validation

[cici37]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This is part of #107573. Based on PR: google/cel-go#494. Add runtime cost calculation of CEL into CR validation.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Added CEL runtime cost calculation into CustomerResource validation. CustomerResource validation will fail if runtime cost exceeds the budget.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[leilajal]

/triage accepted

[leilajal]

/triage accepted

[fedebongio]

/cc @jpbetz

[liggitt]

other than needing testing of the string-prefix-detection branch (strings.HasPrefix(err.Error(), "operation cancelled: actual cost limit exceeded"), this looks good. can go ahead and squash down.

once there's a test in place that fails if that prefix match doesn't catch a cost-exceeded error, this lgtm

[cici37]

go ahead and squash do

The test is in place for the string-prefix-detection branch (strings.HasPrefix(err.Error(), "operation cancelled: actual cost limit exceeded"). It will still pass because all the err got from cel validation will be caught and returned. The only different for this specific err is we wrapped with message call cost exceeds limit for rule. I have updated the message compare in test and now it is working as expected. Thank you for your patience

[cici37]

/test pull-kubernetes-e2e-kind-ipv6

[liggitt]

Non-blocking for this PR, but make sure there's follow up item to make the construction / detection of "budget exceeded" errors consistent with helper constructor/detector functions. Right now we're returning slightly different error messages in four places and detecting them with strings.Contains in at least 2-3 places

[liggitt]

this is surprising... once we exceed our budget, we should stop evaluating further rules, we should get back at most one "budget exceeded" error

[liggitt]

if this requires threading/propagating remainingCost through the default validation function, I'm ok doing this in a follow-up, but it does need to be done

[cici37]

I have updated to handle cel cost budget exceed error separately. Would you mind to check the latest commit to see if it makes sense? Thank you

[liggitt]

If CEL validation cost budget exceeded, the error will be saved in returned arg error instead of allErrs.

Is that accurate? This seems like it is propagating cost-exceeded errors in allErrs:

if remainingCost < 0 {
	return allErrs, nil, remainingCost
}

as an aside, if we did propagate a cost error in err, that would propagate to callers of ValidateDefaults, and would be handled by this block, which has a comment that we never expect to encounter an error:

} else if validationErrors, err := structuraldefaulting.ValidateDefaults(fldPath.Child("openAPIV3Schema"), ss, true, opts.requirePrunedDefaults); err != nil {
	// this should never happen
	allErrs = append(allErrs, field.Invalid(fldPath.Child("openAPIV3Schema"), "", err.Error()))
} else {

[liggitt]

I think the code (propagating cost errors in allErrs) is actually what we want, and this godoc should change to match what we're actually doing

[cici37]

It was left over from previous change. I have removed the incorrect comment. Sorry for that

[liggitt]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cici37, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apiextensions-apiserver/OWNERS [liggitt]
• staging/src/k8s.io/apiextensions-apiserver/pkg/apis/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment