Merge pull request kubernetes#3644 from cici37/celUpdate

k8s-ci-robot · web-flow · commit 4ded6c421164 · 2022-11-04T16:56:14.000-07:00
Add beta graduation criteria for CEL in Admission Control
diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md
@@ -73,6 +73,7 @@
       - [e2e tests](#e2e-tests)
   - [Graduation Criteria](#graduation-criteria)
     - [Alpha](#alpha)
+    - [Beta](#beta)
   - [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)
   - [Version Skew Strategy](#version-skew-strategy)
 - [Production Readiness Review Questionnaire](#production-readiness-review-questionnaire)
@@ -1946,6 +1947,20 @@ in back-to-back releases.
 - Feature implemented behind a feature flag
 - Ensure proper tests are in place.
 
+#### Beta
+
+- benchmark and resolve optimization issues, including:
+  - add tests which registers a validation policy for everything and iterates through all groups/versions/resources/subresources 
+  and ensures they get intercepted and work properly with a CEL validation policy([comment](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013596456))
+  - set `paramKind` in a ValidatingAdmissionPolicy results in starting a new informer 
+  that watches all instances of that object using a new unstructured informer which is inefficient([comment](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013331221))
+  - switch to a lock-free implementation to address lock having to wait for all existing admission evaluations 
+  to complete and blocking all new admission evaluations until this completes.([comment1](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013318103),[comment2](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013305167))
+  - Perform minimal possible number of conversions when evaluating multiple admission policies for a request resource. 
+  If multiple admission policies require the same conversion, convert only once. 
+  From @liggitt: "webhook code loops up one level, first accumulates all the validation webhooks we'll run, then converts to the versions needed by those webhooks then evaluates in parallel"
+- authz check to the specific resource referenced in the policy's paramKind. ([comment](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013135860))
+
 ### Upgrade / Downgrade Strategy
 
 <!--
