Allow enabling admission plugins (with configurations) via DefaultAdmissionConfig and stop passing DefaultAdmissionConfig to admission plugins. #16505
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: aveshagarwal Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
/test cmd
pkg/cmd/server/api/latest/helpers.go
Outdated
func IsAdmissionPluginActivated(reader io.Reader, defaultValue bool) (bool, error) { | ||
// It also returns true if configapi.DefaultAdmissionConfig is passed or false if the admission plugin's | ||
// configuration is passed to avoid passing configapi.DefaultAdmissionConfig to admission plugins. | ||
func IsAdmissionPluginActivated(reader io.Reader, defaultValue bool) (bool, bool, error) { |
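Review bot: The new (bool, bool, error) result on IsAdmissionPluginActivated has two unnamed booleans, and the added comment ("It also returns true if ... or false if ...") does not say which position it describes. Name the results, for example (enabled, isDefaultConfig bool, err error), and state in the comment what each one means, so a caller cannot swap them without the compiler or a reader noticing.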
What about making this an enumerated string?
- EnabledWithDefaultAdmissionConfig
- EnabledWithCustomConfig
- Disabled
right now you have four possible cases and one of them isn't useful.
pkg/cmd/server/api/latest/helpers.go
Outdated
|
||
// SplitStream reads the stream bytes and constructs two copies of it. | ||
// This is copied from kubernetes | ||
func SplitStream(config io.Reader) (io.Reader, io.Reader, error) { |
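Review bot: The comment on SplitStream says "This is copied from kubernetes" but names no upstream package or revision, so the copy cannot be checked for drift later. Cite the source path in the comment, and document that the whole stream is read before the two readers are returned and what the caller gets back when config is nil.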
move to point of use and make private
} | ||
|
||
func IsAdmissionPluginActivated(name string, config io.Reader) bool { | ||
func IsAdmissionPluginActivated(name string, config io.Reader) (bool, bool) { |
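Review bot: This IsAdmissionPluginActivated(name, config) variant returns (bool, bool) with no error, so a config that cannot be read or decoded has to be folded into one of the two boolean results. For an admission plugin that means a malformed config could look the same as "disabled"; return an error as the helpers.go version does, and add a godoc line saying what each bool means.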
This looks really similar to the upstream method now that we've pushed changes upstream. Any chance we can do a more invasive refactor to figure out what we want?
} | ||
|
||
func IsAdmissionPluginActivated(name string, config io.Reader) bool { | ||
func IsAdmissionPluginActivated(name string, config io.Reader) (bool, bool) { |
godoc, the name looks really similar to below. I'd like to know the difference.
return nil, err | ||
} | ||
|
||
if enabled { |
if !enabled {continue}
to reduce nesting?
Why to send disabled plugin all the way down when what we get in return is just plugin as nil.
> Why to send disabled plugin all the way down when what we get in return is just plugin as nil.
I'm trying to see why it's important to skip this and return in the next if instead of eliminating this nesting in keeping with golang style.
return false, nil, err | ||
} | ||
|
||
enabled, isDefault := IsAdmissionPluginActivated(name, input) |
eating the error here
this one in register.go does not return error.
@@ -675,11 +675,20 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu | |||
return nil, err | |||
} | |||
|
|||
plugin, err = admissionregistry.OriginAdmissionPlugins.InitPlugin(pluginName, pluginConfigReader, admissionInitializer) | |||
plugin = nil |
this looks extraneous
@@ -675,11 +675,20 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu | |||
return nil, err | |||
} | |||
|
|||
plugin, err = admissionregistry.OriginAdmissionPlugins.InitPlugin(pluginName, pluginConfigReader, admissionInitializer) | |||
plugin = nil | |||
enabled, pluginConfigReaderCopy, err := admissionregistry.IsAdmissionPluginEnabled(pluginName, pluginConfigReader) |
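Review bot: The added IsAdmissionPluginEnabled line declares err with := while the InitPlugin line above it assigns with plugin, err =, so err already exists; if the new line sits in a nested block it creates a second err that shadows the outer one, and the outer check never sees the failure. Declare enabled and pluginConfigReaderCopy beforehand and assign with =. Also make sure every later use reads pluginConfigReaderCopy, since pluginConfigReader has already been handed to IsAdmissionPluginEnabled.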
Why isn't this the upstream admission.PluginEnabledFn?
How would you avoid passing DefaultAdmissionConfig to admission plugins if you did that? Also by doing this here gives us 2 advantages as I understand:
- we do not need to override upstream admission.PluginEnabledFn
- We do not need to send disabled plugins all the way down as I said above.
> We do not need to send disabled plugins all the way down as I said above.
What do you mean by "all the way down"?
> we do not need to override upstream admission.PluginEnabledFn
We created that for exactly this purpose.
> What do you mean by "all the way down"?
I mean to avoid InitPlugin->getPlugin-> (splitstream, PluginEnabledFn) inside kubernetes.
> We created that for exactly this purpose.
I agree but how would you avoid DefaultAdmissionConfig passing to admission plugins if we used that. We need a way to process DefaultAdmissionConfig and a plugin's own config differently.
@aveshagarwal can you update this?
@sjenning will update soon.
…issionConfig and stop passing DefaultAdmissionConfig to admission plugins.
8054912
to
914cbef
@aveshagarwal: The following tests failed, say
We eventually want to call https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/admission.go#L78 . I think that #16639 aligns more cleanly. Compare it with this?
Automatic merge from submit-queue (batch tested with PRs 16657, 16607, 16647, 16639, 16655). filter out 'turn this on' config structs for admission Alternative to #16505 to allow our enablement of config. I think this aligns more closely with a goal of calling the "normal" https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/admission.go#L78 path.
Automatic merge from submit-queue (batch tested with PRs 16657, 16607, 16647, 16639, 16655). filter out 'turn this on' config structs for admission Alternative to openshift/origin#16505 to allow our enablement of config. I think this aligns more closely with a goal of calling the "normal" https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/admission.go#L78 path. Origin-commit: 105055ed88d0029dfb69d43eefedae45005044b7
In OpenShift, admission plugins can be enabled and disabled by using DefaultAdmissionConfig.
However enabling of admission plugins with configurations (like ResourceQuota, PodTolerationRestriction etc) via DefaultAdmissionConfig as follows:
fails with the following error:
F0922 09:36:24.937280 5768 start_master.go:115] Couldn't init admission plugin "PodTolerationRestriction": no kind "DefaultAdmissionConfig" is registered for version "v1"
The reason for this error is that DefaultAdmissionConfig is being passed to admission plugins which don't understand it, and so the error. This error does not happen with admission plugins that do not accept any configurations.
Though admission plugins with configurations can also be enabled by passing their own configurations, it might be confusing for users why some plugins can be enabled by DefaultAdmissionConfig and some not.
This PR addresses the above issue.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1492999
@sjenning @deads2k
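An added example, not code from this PR, origin or kubernetes: one way to read a plugin's config once, decide activation with the three-state result suggested in review, and hand the plugin a reader only when the config is its own kind. The names Activation and classifyPluginConfig, the JSON encoding of the config, and the boolean "disable" field are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Activation is a hypothetical three-state result; the names come from the review suggestion.
type Activation string

const (
	EnabledWithDefaultAdmissionConfig Activation = "EnabledWithDefaultAdmissionConfig"
	EnabledWithCustomConfig           Activation = "EnabledWithCustomConfig"
	Disabled                          Activation = "Disabled"
)

// classifyPluginConfig (hypothetical) returns the state and the reader to give the plugin;
// the reader is nil unless the config is the plugin's own kind.
func classifyPluginConfig(config io.Reader, enabledByDefault bool) (Activation, io.Reader, error) {
	if config == nil {
		config = strings.NewReader("") // no config supplied
	}
	raw, err := io.ReadAll(config)
	if err != nil {
		return Disabled, nil, err
	}
	if len(bytes.TrimSpace(raw)) == 0 { // empty config: fall back to the plugin's default state
		raw = []byte(fmt.Sprintf(`{"kind":"DefaultAdmissionConfig","disable":%t}`, !enabledByDefault))
	}
	var probe struct { // assumed shape: JSON with "kind" and a boolean "disable"
		Kind    string `json:"kind"`
		Disable bool   `json:"disable"`
	}
	if err := json.Unmarshal(raw, &probe); err != nil {
		return Disabled, nil, fmt.Errorf("decoding admission config: %w", err) // reported, not swallowed
	}
	if probe.Kind != "DefaultAdmissionConfig" {
		return EnabledWithCustomConfig, bytes.NewReader(raw), nil // plugin gets a fresh copy of its own config
	}
	if probe.Disable {
		return Disabled, nil, nil
	}
	return EnabledWithDefaultAdmissionConfig, nil, nil // DefaultAdmissionConfig is never passed to the plugin
}

func main() { // constructed sample input
	fmt.Println(classifyPluginConfig(strings.NewReader(`{"apiVersion":"v1","kind":"DefaultAdmissionConfig"}`), false))
}
```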