You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: keps/sig-api-machinery/3488-cel-admission-control/README.md
+10-6Lines changed: 10 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1949,12 +1949,16 @@ in back-to-back releases.
1949
1949
1950
1950
#### Beta
1951
1951
1952
-
- add tests which registers a validation policy for everything and iterates through all groups/versions/resources/subresources
1953
-
and ensures they get intercepted and work properly with a CEL validation policy([comment](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013596456))
1954
-
- set `paramKind` in a ValidatingAdmissionPolicy results in starting a new informer
1955
-
that watches all instances of that object using a new unstructured informer which is inefficient([comment](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013331221))
1956
-
- switch to a lock-free implementation to address lock having to wait for all existing admission evaluations
1957
-
to complete and blocking all new admission evaluations until this completes.([comment1](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013318103),[comment2](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013305167))
1952
+
- benchmark and resolve optimization issues, including:
1953
+
- add tests which registers a validation policy for everything and iterates through all groups/versions/resources/subresources
1954
+
and ensures they get intercepted and work properly with a CEL validation policy([comment](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013596456))
1955
+
- set `paramKind` in a ValidatingAdmissionPolicy results in starting a new informer
1956
+
that watches all instances of that object using a new unstructured informer which is inefficient([comment](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013331221))
1957
+
- switch to a lock-free implementation to address lock having to wait for all existing admission evaluations
1958
+
to complete and blocking all new admission evaluations until this completes.([comment1](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013318103),[comment2](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013305167))
1959
+
- Perform minimal possible number of conversions when evaluating multiple admission policies for a request resource.
1960
+
If multiple admission policies require the same conversion, convert only once.
1961
+
From @liggitt: "webhook code loops up one level, first accumulates all the validation webhooks we'll run, then converts to the versions needed by those webhooks then evaluates in parallel"
1958
1962
- authz check to the specific resource referenced in the policy's paramKind. ([comment](https://github.com/kubernetes/kubernetes/pull/113314#discussion_r1013135860))
0 commit comments