Migrate Admission Controller Validation to CEL #7690
base: master
Skipping CI for Draft Pull Request.
I've tested it locally and it works, but I still need to add integration tests. Can you check if it looks good to you?
Whoa! That is neat! Two questions:
Yup! Regarding point 1, I need to explore how to configure it, but kubebuilder annotations do support this.
Yup, I see https://book.kubebuilder.io/reference/markers/crd-validation has these listed |
Signed-off-by: Omer Aplatony <[email protected]>
Now it was generated by kubebuilder.
Tests are failing because of the change I made in the admission controller, so we should migrate those tests into e2e/integration tests.
Signed-off-by: Omer Aplatony <[email protected]>
@@ -324,7 +325,11 @@ spec: | |||
Name of the container or DefaultContainerResourcePolicy, in which | |||
case the policy is used by the containers that don't have their own | |||
policy specified. | |||
pattern: ^[a-zA-Z0-9-_]+$ |
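Review bot: the `pattern: ^[a-zA-Z0-9-_]+$` added to containerName rejects the `*` value that the existing code treats as the catch-all DefaultContainerResourcePolicy, so any VPA already using `containerName: '*'` would fail validation on its next create or update. Either admit the wildcard explicitly (for example `^(\*|[a-zA-Z0-9_-]+)$`) or drop the pattern from this PR, since it is a new constraint rather than a migrated one. If a pattern stays, put the hyphen last in the character class (`[a-zA-Z0-9_-]`) so it cannot be read as a range.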
I don't think you can introduce new CRD validations without increasing the apiVersion.
Additionally, containerName: '*'
is explicitly supported as a catch-all solution, see
autoscaler/vertical-pod-autoscaler/pkg/utils/vpa/api.go
Lines 216 to 218 in adda3d4
if containerPolicy.ContainerName == vpa_types.DefaultContainerResourcePolicy {
    defaultPolicy = &policy.ContainerPolicies[i]
}
- Yes, you are right, it's just WIP at the moment.
- Thanks, I will adjust :)
Added in: 9ea4821
@@ -112,25 +112,8 @@ func parseVPA(raw []byte) (*vpa_types.VerticalPodAutoscaler, error) { | |||
|
|||
// ValidateVPA checks the correctness of VPA Spec and returns an error if there is a problem. | |||
func ValidateVPA(vpa *vpa_types.VerticalPodAutoscaler, isCreate bool) error { | |||
if vpa.Spec.UpdatePolicy != nil { | |||
mode := vpa.Spec.UpdatePolicy.UpdateMode | |||
if mode == nil { |
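Review bot: the removed block in ValidateVPA handled the `mode == nil` case for spec.updatePolicy.updateMode, and nothing in this hunk replaces it. An enum in the CRD schema only constrains a value that is present, so if an unset updateMode must still be rejected or defaulted, that needs an explicit rule such as `has(self.updateMode)` on updatePolicy or a `+kubebuilder:default` marker. The dropped `isCreate` parameter also deserves a look: CEL transition rules using `oldSelf` run only on updates, so confirm that none of the checks gated on `isCreate` is still needed before the webhook path is removed.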
I don't see any checks added regarding updatePolicy.updateMode – is this intentional and those checks are implicitly done somewhere else now? Or do we need to add them as CEL validations as well?
In the CRD itself I saw this:
https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/deploy/vpa-v1-crd-gen.yaml#L456
So added in here: ea90c23
Sorry, didn't mean to approve 🙈
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: omerap12 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Signed-off-by: Omer Aplatony <[email protected]>
Signed-off-by: Omer Aplatony <[email protected]>
I'm opening this draft PR for review to trigger the e2e tests (just to ensure everything is working), and then I plan to update the apiVersion. /hold
ContainerPolicies []ContainerResourcePolicy `json:"containerPolicies,omitempty" patchStrategy:"merge" patchMergeKey:"containerName" protobuf:"bytes,1,rep,name=containerPolicies"` | ||
} | ||
|
||
// ContainerResourcePolicy controls how autoscaler computes the recommended | ||
// resources for a specific container. | ||
// +kubebuilder:validation:XValidation:rule="!has(self.mode) || !has(self.controlledValues) || self.mode != 'Off' || self.controlledValues != 'RequestsAndLimits'",message="ControlledValues shouldn't be specified if container scaling mode is off" |
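Review bot: the message on the XValidation marker says controlledValues "shouldn't be specified" when mode is Off, but the rule only rejects `self.controlledValues == 'RequestsAndLimits'`; `controlledValues: RequestsOnly` together with `mode: Off` passes. Since this PR migrates existing behaviour rather than tightening it, reword the message to name the actual condition, for example "controlledValues must not be RequestsAndLimits when mode is Off", and use the JSON field name (controlledValues) rather than the Go field name so the error matches what users wrote in their manifest.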
I have a question about this. If I wanted to turn my VPA "On" and "Off" in my workload, either for testing purposes or whatever the case may be, would this change force me to remove containerResourcePolicies before doing so in order to apply because of CEL validation?
This rule is saying that it's invalid to have both mode set to "Off" and controlledValues set to "RequestsAndLimits" at the same time. You don't necessarily need to remove the entire containerResourcePolicies before turning the VPA off. You only need to ensure that when you set mode to "Off", you're not also specifying controlledValues as "RequestsAndLimits" for the same container.
So if you're just toggling the mode between "On" and "Off" and you're not using controlledValues: RequestsAndLimits, you can do so freely without modifying other parts of your configuration.
If you have controlledValues: RequestsAndLimits set and you want to turn the VPA off, you would need to either remove the controlledValues field or set it to a different value before setting mode: Off.
I need to add tests for this behavior of course.
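Added example, not part of this PR or of the project's generated CRD: a hand-written fragment of the containerPolicies schema showing what the XValidation marker becomes once the CRD is regenerated, beside one VPA object the rule accepts and one it rejects. The containerName pattern (which admits the `*` catch-all discussed earlier in the thread), the object names and the targetRef are assumptions of this example; the rule text itself is the one from the PR.

```yaml
# Illustrative CRD schema fragment for spec.resourcePolicy.containerPolicies
# (hand-written for this example, not the generated vpa-v1-crd-gen.yaml).
openAPIV3Schema:
  properties:
    spec:
      properties:
        resourcePolicy:
          properties:
            containerPolicies:
              type: array
              items:
                type: object
                properties:
                  containerName:
                    type: string
                    # Assumed pattern: a DNS-label style name or the literal '*'
                    # catch-all that the VPA code treats as the default policy.
                    pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)$'
                  mode:
                    type: string
                    enum: ["Auto", "Off"]
                  controlledValues:
                    type: string
                    enum: ["RequestsAndLimits", "RequestsOnly"]
                x-kubernetes-validations:
                  # has() is false for an unset field, so a policy that omits
                  # mode or controlledValues never trips this rule.
                  - rule: "!has(self.mode) || !has(self.controlledValues) || self.mode != 'Off' || self.controlledValues != 'RequestsAndLimits'"
                    message: "ControlledValues shouldn't be specified if container scaling mode is off"
---
# Accepted: mode toggled to Off with no controlledValues on that container.
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: example-accepted          # assumed name
spec:
  targetRef:                      # assumed target
    apiVersion: apps/v1
    kind: Deployment
    name: example
  resourcePolicy:
    containerPolicies:
      - containerName: '*'
        mode: "Off"               # quoted: bare Off is YAML 1.1 boolean false
---
# Rejected by the CEL rule: mode Off together with controlledValues RequestsAndLimits.
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: example-rejected          # assumed name
spec:
  targetRef:                      # assumed target
    apiVersion: apps/v1
    kind: Deployment
    name: example
  resourcePolicy:
    containerPolicies:
      - containerName: app
        mode: "Off"
        controlledValues: RequestsAndLimits
```

Against a cluster that has the regenerated CRD installed, `kubectl apply --dry-run=server -f <file>` exercises the rule without persisting anything: the first object is admitted, the second comes back as Invalid with the rule's message. Note the quoting of `"Off"`: an unquoted `Off` is parsed as the boolean `false` by YAML 1.1 parsers and then fails the string enum before the CEL rule is ever evaluated, which is a different error than the one the rule produces.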
Got it thanks for the explanation 💯
@@ -183,18 +186,23 @@ type PodResourcePolicy struct { | |||
// +optional | |||
// +patchMergeKey=containerName | |||
// +patchStrategy=merge | |||
// +kubebuilder:validation:MaxItems=100 |
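Review bot: `MaxItems=100` on containerPolicies is a new constraint rather than a migrated check, and the field comment above it says nothing about the limit; any VPA that already carries more than 100 policies would be rejected on its next write. If the bound is kept to give the CEL cost estimator a finite list size, say so in the field comment next to the marker; otherwise drop it from this PR and raise it separately, as the thread proposes.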
Is max 100 items documented somewhere or just an arbitrary number?
It's still a work in progress - I just wanted to show what we can do with CEL validation, so I didn't document anything yet. I added this because of the runtime cost of CEL validation (https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget). I don’t think anyone will use more than 100 resource policies (right?)
Let's not introduce new validations in this PR, but rather convert the existing ones.
If we want to introduce new validations, we can discuss this in a new issue/PR.
Understood. I'll fix it.
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR migrates the admission controller validation to use CEL (Common Expression Language) for improved flexibility and consistency in validation logic at the API server level.
Which issue(s) this PR fixes:
Fixes #7665
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: