Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Add classNamespace to topology #11352
base: main
Are you sure you want to change the base?
✨ Add classNamespace to topology #11352
Changes from 5 commits
1dea02a
ccc32d1
65db336
5d9542b
b4b6131
e16aa76
3639364
1a88697
f8e49a0
902e582
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wondering if we should default to current namespace ...
Pros: it is explicit and consistent to what we do for other references
Cons: it add "noises" to the containing struct while we don't have a clean nesting yet
A compromise might be to keep it empty for now and start defaulting when we will introduce a nested struct
@JoelSpeed opinions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The namespace of the object can never change, so, defaulting this value to the current namespace would make sense, and make the API explicit. I can't foresee us ever, in the future, wanting to default this to a specific namespace, as we have no concept of a core namespace.
That said, I could see a use case where a cluster admin wants to default this field themselves. In the future they could leverage MutatingAdmissionPolicy to set the namespace always to a certain namespace where they keep their classes. Could defaulting this (since it would have to be a webhook, or MAP) then cause interference with any logic the cluster admin has there? They'd have to make sure that their defaulting went before ours 🤔
I think I would err on the side here, or not defaulting it and just explaining that the empty namespace means that the namespace of the cluster is leveraged, as it is now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a minimum and maximum length to all raw string types, since this is a namespace, it follows DNS1123Subdomain and should also be validated as such (there's a regex for this). The maximum length is 253 and the minimum is 1.
Since you have
omitempty
, you can safely add theMinLength
, it will prevent anyone using an unstructured client from persistingclassNamespace: ""
which would then otherwise not round trip through a structured requestThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Above we are returning when c.Spec.Topology == nil
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might be I'm wrong, but I did not found a place where we are enforcing "Changing
classNamespace
is not supported".Also, out of curiosity, why are we introducing this limitation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That’s mainly due to tests performed on that operation locally. It seems when changing
classNamespace
, many referenced template components change namespace too, as they have to preserve ownership references, and instead ofrebase
performing minimal modifications of the resource, it has to switch resources entirely. This seemed as a larger scope change.I’ll add a validation on the field modifications.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks clarification
It would be great if we can add the same note as a godoc explanation for check above
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I composed a clarification message on the field. It seems there is no need for additional tests as
TestLocalObjectTemplatesAreCompatible
is already covering template namespace changes.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
besides the on admission check which is nice, do we have any rbac recommendation for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
VAP supports secondary authz for added RBAC control, and VAP binding can be used with label selectors, which addresses #5673 (comment). From the proposal itself, it seems using the policy for added restriction on top of RBAC is within the scope.
Webhook allows to use paramRef of any kind, which can be potentially explored with specific CRD to further restrict access beyond admission, with a controller acting on that resource.
Currently, this is just an example of how an on top policy can be defined (if needed) in k8s 1.30+, where a user may decide to use different policy mechanisms to further restrict access, including a more granular RBAC. I’m thinking to showcase it as an option, but to not enforce any specific solution within this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is also an RBAC recommendation in https://kccncna2024.sched.com/event/1hoyX, if a talk considered to be one.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wondering if we should update the index, so it contains both namespace and name of the cluster class
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking a little bit more about this, I think we change this index so performance in the webhook are optimized and also the resulting code will be more readable (both here and in clusterClassToCluster)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems to me that in this method there is not enough information to know cluster namespace due to duality of the namespace reference.
If an index is added, there will be another
Client.List
call forclient.MatchingFields{index.ClusterClassNamespaceField: clusterClass.Namespace}
, and here I’m not sure how would an empty field be treated - matching an empty string or matching no selector at all?If the first one the case, then the method will combine two list responses, and it will be more readable. If not, it will only increase the number of calls.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, seems it is not an issue, as the index can use
GetClass()
method which resolves ambiguity. Should be added now.