Change resource key logic for k8s #4916
Conversation
ffjlabo
force-pushed
the
change-resource-key-logic-for-k8s
branch
from
1b0b3f7
to
d617a06
Compare
The Overview of the fixrefine the namespace by
remove the logic to determine the namespace from
|
ffjlabo
requested review from
nghialv,
khanhtc1202,
kentakozuka and
t-kikuc
as code owners
|
@khanhtc1202 @t-kikuc |
|
@ffjlabo some testcases are failed 👀 |
|
@khanhtc1202 Sorry, I fixed some of them. 🙏 |
|
/review |
PR AnalysisMain themeEnhancement and Refactoring PR summaryThis PR introduces enhancements and refactoring to various components that interact with Kubernetes resources, such as planners, appliers, and detection mechanisms. It involves propagating the knowledge of namespaced versus non-namespaced resources through the system. Type of PREnhancement, Refactoring PR Feedback:General suggestionsThis PR contains quite a large set of changes across multiple components, focusing on ensuring that the system properly respects namespaced and cluster-wide resources in Kubernetes. While the PR introduces a central mechanism to define whether a Code feedback
Security concerns:no The code changes introduced in this PR do not seem to introduce any obvious security concerns such as SQL injection, XSS, or CSRF vulnerabilities. The updates mostly deal with internal configuration and state management concerning Kubernetes resources. However, the security of the mechanism used to determine the namespaced status of Kubernetes resources should be considered to ensure that it cannot be misused or lead to incorrect assumptions about resource accessibility and isolation. |
|
@ffjlabo Please rebase this PR due to pipedv1 package change 👀 |
Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
Details: - [feat] get the resource info from the actual cluster in the deployExecutor.Execute - [faet] implement the loader.refineNamespace to infer the namespace from the manifests and app.pipecd.yaml stored in the git repo - [refactor] fix loader.NewLoader to pass isNamespacedResource - deployExecutor - rollbackExecutor - [refactor] fix to pass isNamespacedResource on detector - [memo] detector checks the diff by 1 minute. It might think about the amount of the traffic to the k8s cluster. - [refactor] fix to pass isNamespacedResource on planner - [refactor] fix to pass isNamespacedResource on planpreview - [refactor] remove the logic to fix the namespace when craeting the resource key on MakeResourceKey - maybe this is the refactoring for livestatestore - [refactor] use the actual resource key, not the annotation's one. Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
ffjlabo
force-pushed
the
change-resource-key-logic-for-k8s
branch
from
f07abcb
to
9ac0a78
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4916 +/- ##
==========================================
- Coverage 29.33% 29.31% -0.03%
==========================================
Files 322 323 +1
Lines 40868 40984 +116
==========================================
+ Hits 11989 12014 +25
- Misses 27919 28008 +89
- Partials 960 962 +2 ☔ View full report in Codecov by Sentry. |
|
The failing test is solved by this PR 🙏 #4926 |
| e.LogPersister.Errorf("failed to fetch preferred resources: %v", zap.Error(err)) | ||
| return model.StageStatus_STAGE_FAILURE | ||
| } | ||
| e.LogPersister.Info(fmt.Sprintf("successfully preferred resources that contains for %d groups", len(groupResources))) |
There was a problem hiding this comment.
| e.LogPersister.Info(fmt.Sprintf("successfully preferred resources that contains for %d groups", len(groupResources))) | |
| e.LogPersister.Infof("successfully preferred resources that contains for %d groups", len(groupResources)) |
And remove "fmt" package
| // 1. The namespace set in the application configuration. | ||
| // 2. The namespace set in the manifest. | ||
| // 3. The default namespace. | ||
| func (l *loader) refineNamespace(m *Manifest) error { |
There was a problem hiding this comment.
Should it be named determineResourceNamespace or determineNamespace? 🤔
There was a problem hiding this comment.
Thanks! fixed as determineNamespace 5d22c75
Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
| // determineNamespace fix the namespace of the given manifest. | ||
| // The priority is as follows: | ||
| // If the resource is cluster-scoped, it returns an empty string. | ||
| // Otherwise, it is the namespace-scoped resource and the namespace is determined by the following order: | ||
| // 1. The namespace set in the application configuration. | ||
| // 2. The namespace set in the manifest. | ||
| // 3. The default namespace. | ||
| func (l *loader) determineNamespace(m *Manifest) error { | ||
| namespaced, ok := l.isNamespacedResources[m.u.GroupVersionKind()] | ||
| if !ok { | ||
| return fmt.Errorf("unknown resource kind %s", m.u.GroupVersionKind().String()) | ||
| } | ||
| for i := range manifests { | ||
| manifests[i].Key.Namespace = namespace | ||
|
|
||
| namespace := "" // empty if cluster-scoped resource | ||
|
|
||
| if namespaced { | ||
| namespace = "default" | ||
|
|
||
| if ns := m.u.GetNamespace(); ns != "" { | ||
| namespace = ns | ||
| } | ||
|
|
||
| if l.input.Namespace != "" { | ||
| namespace = l.input.Namespace | ||
| } | ||
| } | ||
|
|
||
| m.Key.Namespace = namespace | ||
| m.u.SetNamespace(namespace) | ||
|
|
||
| return nil | ||
| } |
There was a problem hiding this comment.
📝 Check the current logic
What this PR does / why we need it:
This fix will solve the problem that the cluster-scoped resource can't be deleted when we set the namespace in app.pipecd.yaml.
context: #4269 (comment)
expected behavior
livestate side
When reading the manifests from git
spec.input.namespacein app.pipecd.yaml if it is set.defaultif both ofspec.input.namespaceand the namespace are not setCurrently, we use the resource key to identify each k8s resource.
It is created by
MakeResourceKey, and the rule is below.livestate side
defaultwhen the resource obj doesn't have the namespace.When reading the manifests from git
spec.input.namespacein app.pipecd.yaml if it is set.defaultwhen the namespace on the manifest is "".This rule doesn't consider the cluster-scoped resource.
So for example, cluster-scoped resource don't have any namespace, but if we set the
spec.input.namespacein the app.pipecd.yaml, it sets the value as the namespace to the resource key.This causes the problem that can't prune the resource because the resource key can't identify the resource correctly.
So I fixed the the logic like below.
livestate side
When reading the manifests from git
spec.input.namespacein app.pipecd.yaml if it is set.defaultif both ofspec.input.namespaceand the namespace are not setWhich issue(s) this PR fixes:
Part of #4269
Does this PR introduce a user-facing change?:
How are users affected by this change:
Is this breaking change:
How to migrate (if breaking change):