Skip to content

Commit 119187e

Browse files
authored
Merge pull request #4435 from ivelichkovich/3716-ga
KEP-3716: graduate to stable for 1.30
2 parents 841b76c + 135106b commit 119187e

File tree

3 files changed

+44
-28
lines changed

3 files changed

+44
-28
lines changed

keps/prod-readiness/sig-api-machinery/3716.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,3 +6,5 @@ alpha:
66
approver: "@deads2k"
77
beta:
88
approver: "@deads2k"
9+
stable:
10+
approver: "@deads2k"

keps/sig-api-machinery/3716-admission-webhook-match-conditions/README.md

Lines changed: 40 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -261,7 +261,7 @@ be performed in the webhook, and are out of scope for this proposal.
261261

262262
**Risk: Attacker adds or changes a match condition to weaken an admission policy.**
263263

264-
This is does not represent a new threat, as doing so would require update access to the admission
264+
This does not represent a new threat, as doing so would require update access to the admission
265265
registration object, and with that permission an attacker could already disable the policy through
266266
manipulating match rules, namespace selector, or object selector (or reroute the webhook entirely).
267267

@@ -299,13 +299,9 @@ iterate as necessary.
299299
#### Performance
300300

301301
The CEL expression evaluation will leverage the same [Resource Constraints](https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/2876-crd-validation-expression-language#resource-constraints)
302-
used by CEL CRD Validation & CEL Admission Control. All the match conditions for a given webhook will
303-
share the same resource budget.
302+
used by CEL CRD Validation & CEL Admission Control. The runtime cost budgets are defined here [CEL Runtime Cost](https://github.com/kubernetes/kubernetes/blob/445869a59bdbd1c587b72b52c5da94c1d1c316a1/staging/src/k8s.io/apiserver/pkg/apis/cel/config.go#L22).
304303

305-
<<[UNRESOLVED resource constraints ]>>
306-
_NON-BLOCKING for Alpha_
307-
Details TBD.
308-
<<[/UNRESOLVED]>>
304+
The per call limit is shared with Validating Admission Policy CEL expressions and set at roughly 0.1 second for each expression evaluation call. The total budget per object (i.e. per ValidatingWebhook) for CEL match conditions is roughly .25 seconds and 1/4 the budget of Validating Admission Policy limit.
309305

310306
## Design Details
311307

@@ -329,7 +325,7 @@ when drafting this test plan.
329325
[testing-guidelines]: https://git.k8s.io/community/contributors/devel/sig-testing/testing.md
330326
-->
331327

332-
[ ] I/we understand the owners of the involved components may require updates to
328+
[X] I/we understand the owners of the involved components may require updates to
333329
existing tests to make this code solid enough prior to committing the changes necessary
334330
to implement this enhancement.
335331

@@ -342,25 +338,24 @@ implementing this enhancement to ensure the enhancements have also solid foundat
342338

343339
##### Unit tests
344340

345-
TBD - unit tests will be added as this feature is implemented.
346-
347341
##### Integration tests
348342

349343
Test cases to add:
350344

351-
- [ ] Feature gate enablement / disablement is a no-op when no `matchConditions` are set
352-
- [ ] Feature gate enablement / disablement works as expected when `matchConditions` are set
353-
- [ ] Single match condition:
354-
- [ ] Request out of scope without `matchConditions`
355-
- [ ] Request in scope without `matchConditions`, but not matching
356-
- [ ] Request in scope without `matchConditions`, and also matching
357-
- [ ] Multiple match conditions, covering the same cases as the single-condition case
345+
- [X] Feature gate enablement / disablement is a no-op when no `matchConditions` are set (until graduation to GA as feature gate will go away)
346+
- [X] Feature gate enablement / disablement works as expected when `matchConditions` are set
347+
(until graduation to GA as feature gate will go away)
348+
- [X] Single match condition:
349+
- [X] Request out of scope without `matchConditions`
350+
- [X] Request in scope without `matchConditions`, but not matching
351+
- [X] Request in scope without `matchConditions`, and also matching
352+
- [X] Multiple match conditions, covering the same cases as the single-condition case
358353

359354
##### e2e tests
360355

361356
We will test the edge cases mostly in integration tests and unit tests.
362357

363-
Once the feature is default enabled in beta, a single E2E test covering hte single-match-condition
358+
Once the feature is default enabled in beta, a single E2E test covering the single-match-condition
364359
cases outlined above will be added.
365360

366361
### Graduation Criteria
@@ -379,9 +374,15 @@ cases outlined above will be added.
379374

380375
#### GA
381376

382-
<<[UNRESOLVED resource constraints ]>>
383-
GA requirements TBD
384-
<<[/UNRESOLVED]>>
377+
- Promote appropriate E2E tests to conformance
378+
- https://github.com/kubernetes/kubernetes/blob/master/test/e2e/apimachinery/webhook.go
379+
- "should be able to create and update validating webhook configurations with match conditions"
380+
- "should be able to create and update mutating webhook configurations with match conditions"
381+
- "should reject validating webhook configurations with invalid match conditions"
382+
- "should reject mutating webhook configurations with invalid match conditions"
383+
- "should mutate everything except 'skip-me' configmaps"
384+
385+
- Cover any missing test coverage
385386

386387
### Upgrade / Downgrade Strategy
387388

@@ -467,9 +468,7 @@ feature gate after having objects written with the new field) are also critical.
467468
You can take a look at one potential example of such test in:
468469
https://github.com/kubernetes/kubernetes/pull/97058/files#diff-7826f7adbc1996a05ab52e3f5f02429e94b68ce6bce0dc534d1be636154fded3R246-R282
469470
-->
470-
471-
[Registry tests](https://github.com/kubernetes/kubernetes/blob/c4ebbeeb747cd3e2b1d83733a14d367a65723a45/pkg/registry/core/pod/strategy_test.go)
472-
will verify the drop disabled fields logic is correctly implemented.
471+
We will add tests that verify the functionality is turned off when feature gate is toggled off and turned on when toggled on.
473472

474473
### Rollout, Upgrade and Rollback Planning
475474

@@ -525,6 +524,21 @@ Metric name: `webhook_admission_match_condition_exclusions_total`
525524
Labels:
526525
- `name`: webhook name
527526
- `type`: `validate` or `admit`
527+
- `kind`: match condition on a `webhook` or `policy`
528+
- `operation`: the admission operation
529+
530+
Metric name: `webhook_admission_match_condition_evaluation_errors_total`
531+
Labels:
532+
- `name`: webhook name
533+
- `type`: `validate` or `admit`
534+
- `kind`: match condition on a `webhook` or `policy`
535+
- `operation`: the admission operation
536+
537+
Metric name: `webhook_admission_match_condition_evaluation_seconds`
538+
Labels:
539+
- `name`: webhook name
540+
- `type`: `validate` or `admit`
541+
- `kind`: match condition on a `webhook` or `policy`
528542
- `operation`: the admission operation
529543

530544
<!--
@@ -542,8 +556,8 @@ checking if there are objects with field X set) may be a last resort. Avoid
542556
logs or events for this purpose.
543557
-->
544558

545-
The metric `webhook_admission_match_condition_exclusions_total` should indicate if the precondition
546-
is used to exclude objects from invoking webhooks.
559+
The metric `webhook_admission_match_condition_evaluation_seconds` should indicate if the match conditions
560+
are being used and being evaluated for invoking webhooks.
547561

548562
###### How can someone using this feature know that it is working for their instance?
549563

keps/sig-api-machinery/3716-admission-webhook-match-conditions/kep.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -35,13 +35,13 @@ stage: beta
3535
# The most recent milestone for which work toward delivery of this KEP has been
3636
# done. This can be the current (upcoming) milestone, if it is being actively
3737
# worked on.
38-
latest-milestone: "v1.28"
38+
latest-milestone: "v1.30"
3939

4040
# The milestone at which this feature was, or is targeted to be, at each stage.
4141
milestone:
4242
alpha: "v1.27"
4343
beta: "v1.28"
44-
stable: "TBD"
44+
stable: "v1.30"
4545

4646
# The following PRR answers are required at alpha release
4747
# List the feature gate name and the components for which it must be enabled

0 commit comments

Comments
 (0)