Skip to content

Commit b3db94e

Browse files
tallclairtallclair
committed
Address logicalhan feedback
1 parent b523276 commit b3db94e

File tree

1 file changed

+8
-6
lines changed
  • keps/sig-api-machinery/3716-webhook-predicates

1 file changed

+8
-6
lines changed

keps/sig-api-machinery/3716-webhook-predicates/README.md

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@
1414
- [API](#api)
1515
- [Risks and Mitigations](#risks-and-mitigations)
1616
- [Security](#security)
17-
- [Debugability](#debugability)
17+
- [Debuggability](#debuggability)
1818
- [Performance](#performance)
1919
- [Design Details](#design-details)
2020
- [Test Plan](#test-plan)
@@ -261,8 +261,9 @@ manipulating match rules, namespace selector, or object selector (or reroute the
261261

262262
**Risk: Logic error in match condition expression.**
263263

264-
Currently the match conditions must be encoded in the webhook backend itself. Moving the logic
265-
into a CEL expression does not materially increase the risk of a logic bug.
264+
Currently the match conditions must be encoded in the webhook backend itself. Moving the logic into
265+
a CEL expression adds a potential failure point. This can be mitigated by testing, but the CEL
266+
ecosystem currently lacks some of the tools that would make this easier.
266267

267268
Of particular significance are match conditions tied to non-functional properties of an object, such
268269
as using labels to decide whether to opt an object out of a policy. Without additional admition
@@ -275,7 +276,7 @@ is relevant.
275276
These risks are inherent to the feature being proposed and cannot be mitigated through technical
276277
means, but should be highlighted in the documentation.
277278

278-
#### Debugability
279+
#### Debuggability
279280

280281
We do not normally log, audit, or emit an event when a webhook is out-of-scope for a request, and
281282
the same will _mostly_ be true for match conditions.
@@ -519,8 +520,9 @@ remains unchanged.
519520
###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?
520521

521522
Yes. Disabling the feature gate will ignore any `matchConditions` set, and return to the default
522-
behavior. This could increase the traffic to the webhook, and potentially increase the error rate if
523-
the webhook is down or rejects those requests.
523+
behavior. Disabling `AdmissionWebhookMatchConditions` could increase the traffic to the webhook, and
524+
potentially increase the error rate if the webhook fails to process the additional requests
525+
correctly.
524526

525527
###### What happens if we reenable the feature if it was previously rolled back?
526528

0 commit comments

Comments
 (0)