add: Support the deletion protection of service and ingress #1269
Hi, I saw there are some CI and E2E checks not successful. I checked my code and found there are indeed some bugs in my code. I'm working on fixing them, so there is no need to review my code now. When I'm done, I will leave a comment to request code review. Thanks.
@kevin1689-cloud Thanks very much. The k8s community also has a related PR; I have not yet figured out how to implement this.
Got it, I'm reading the conversation of the mentioned k8s community PR; the concept of "Lien" is interesting. I've been busy with my company work recently. I think I could get back to working on this PR about 2-3 weeks later, and I will fix the bug in my code, read the k8s community PR carefully and give my opinion on that.
@kevin1689-cloud Should we discuss this at the community meeting next Thursday evening?
@zmberg Hi, thanks for the invite. How about we discuss this at the community meeting after next Thursday? I have some company project issues to deal with next week, and I'm afraid I can't attend the community meeting in time. By the next community meeting, I will be ready.
@zmberg Hi, as we discussed, the main scenarios of service&ingress deletion protection is:
So this time we only support the Please take a look. Thanks! |
@@ -474,6 +474,27 @@ webhooks: | |||
resources: | |||
- imagepulljobs | |||
sideEffects: None | |||
- admissionReviewVersions: |
add vingress.kb.io and vservice.kb.io in file
pkg/webhook/add_ingress.go
Outdated
@@ -0,0 +1,25 @@ | |||
/* | |||
Copyright 2021 The Kruise Authors. |
2023
"context" | ||
"net/http" | ||
|
||
"github.com/openkruise/kruise/pkg/webhook/util/deletionprotection" |
gofmt imports sort
"context" | ||
"net/http" | ||
|
||
"github.com/openkruise/kruise/pkg/webhook/util/deletionprotection" |
gofmt imports sort.
@zmberg Done. Please take a look. |
/lgtm |
pkg/webhook/add_ingress.go
Outdated
) | ||
|
||
func init() { | ||
addHandlers(validating.HandlerMap) |
you'd better use addHandlersWithGate
Do not add the handler if corresponding feature-gate is not enabled.
@veophi Done, did the same change as add_service.go.
pkg/webhook/add_ingress.go
Outdated
|
||
func init() { | ||
addHandlersWithGate(validating.HandlerMap, func() (enabled bool) { | ||
if !utilfeature.DefaultFeatureGate.Enabled(features.ResourcesDeletionProtection) { |
S1008: should use 'return utilfeature.DefaultFeatureGate.Enabled(features.ResourcesDeletionProtection)' instead of 'if !utilfeature.DefaultFeatureGate.Enabled(features.ResourcesDeletionProtection) { return false }; return true'
pkg/webhook/add_service.go
Outdated
|
||
func init() { | ||
addHandlersWithGate(validating.HandlerMap, func() (enabled bool) { | ||
if !utilfeature.DefaultFeatureGate.Enabled(features.ResourcesDeletionProtection) { |
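Review bot: The gate closure passed to `addHandlersWithGate` in this `init()` repeats, line for line, the `if !utilfeature.DefaultFeatureGate.Enabled(features.ResourcesDeletionProtection)` check shown for `pkg/webhook/add_ingress.go`, so the same predicate now lives in two files. Define it once and pass that function in both places, so the Service and Ingress handlers cannot end up gated differently after a later edit. The named result `(enabled bool)` can also be dropped, since the closure only needs to return the gate's value.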
S1008: should use 'return utilfeature.DefaultFeatureGate.Enabled(features.ResourcesDeletionProtection)' instead of 'if !utilfeature.DefaultFeatureGate.Enabled(features.ResourcesDeletionProtection) { return false }; return true'
Signed-off-by: kevin1689 <kevinyang1689@163.com>
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #1269 +/- ##
=========================================
Coverage ? 50.26%
=========================================
Files ? 157
Lines ? 23450
Branches ? 0
=========================================
Hits ? 11787
Misses ? 10460
Partials ? 1203
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: zmberg
Ⅰ. Describe what this PR does
This PR completes a feature: Support the deletion protection of Service and Ingress resources
Ⅱ. Does this pull request fix one issue?
fixes #1218
Ⅲ. Describe how to verify it
The Cascading judgement of Service and Ingress is whether any endpoints exist for the Service or Ingress. The verification steps are as shown below:
Service Deletion Protection
1. Create a Service and label it with "policy.kruise.io/delete-protection=Always"
2. Deleting the Service should be rejected
3. Patch the Service with label "policy.kruise.io/delete-protection=Cascading"
4. Create endpoints of the Service
5. Deleting the Service should be rejected
6. Delete all endpoints of the Service
7. The Service can be deleted successfully
Ingress Deletion Protection
1. Create an Ingress and label it with "policy.kruise.io/delete-protection=Always"
2. Deleting the Ingress should be rejected
3. Patch the Ingress with label "policy.kruise.io/delete-protection=Cascading"
4. Create the Service which is mentioned in spec.rules.http.paths.backend.service of the Ingress spec
5. Create endpoints of the Service
6. Deleting the Ingress should be rejected
7. Delete all endpoints of the Service
8. The Ingress can be deleted successfully
Ⅳ. Special notes for reviews
None
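The Always and Cascading rules from the verification steps above, written out as a small decision function. This is an added example, not code from the PR or from Kruise: the `Object` and `Cluster` types and `ValidateDelete` are hypothetical stand-ins for the real Kubernetes objects, and treating a missing or unknown label value as unprotected is an assumption.

```go
package main

import "fmt"

// Label key and values as given in the PR description.
const (
	ProtectionLabel = "policy.kruise.io/delete-protection"
	Always          = "Always"
	Cascading       = "Cascading"
)

// Object is a hypothetical, trimmed-down stand-in for a Service or Ingress.
type Object struct {
	Kind, Name string
	Labels     map[string]string
	Backends   []string // Ingress only: Services named as backends in its rules
}

// Cluster is constructed state: Service name -> number of endpoint addresses.
type Cluster map[string]int

// ValidateDelete returns nil if the DELETE may proceed, else the denial reason.
func ValidateDelete(obj Object, c Cluster) error {
	switch obj.Labels[ProtectionLabel] {
	case Always:
		return fmt.Errorf("%s %q: %s=%s forbids deletion", obj.Kind, obj.Name, ProtectionLabel, Always)
	case Cascading:
		services := obj.Backends
		if obj.Kind == "Service" {
			services = []string{obj.Name}
		}
		for _, svc := range services {
			if n := c[svc]; n > 0 {
				return fmt.Errorf("%s %q: Service %q still has %d endpoint(s)", obj.Kind, obj.Name, svc, n)
			}
		}
	}
	// Assumption: a missing or unrecognised label value means no protection.
	return nil
}

func main() {
	cluster := Cluster{"web": 2} // constructed sample state
	ing := Object{Kind: "Ingress", Name: "web-ing", Backends: []string{"web"},
		Labels: map[string]string{ProtectionLabel: Cascading}}
	fmt.Println(ValidateDelete(ing, cluster)) // denied while "web" has endpoints
	cluster["web"] = 0
	fmt.Println(ValidateDelete(ing, cluster)) // allowed once they are gone
}
```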