Allow enabling admission plugins (with configurations) via DefaultAdmissionConfig and stop passing DefaultAdmissionConfig to admission plugins. #16505
Conversation
openshift-ci-robot
added
the
size/M
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: aveshagarwal Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/test cmd |
pkg/cmd/server/api/latest/helpers.go
Outdated
| func IsAdmissionPluginActivated(reader io.Reader, defaultValue bool) (bool, error) { | ||
| // It also returns true if configapi.DefaultAdmissionConfig is passed or false if the admission plugin's | ||
| // configuration is passed to avoid passing configapi.DefaultAdmissionConfig to admission plugins. | ||
| func IsAdmissionPluginActivated(reader io.Reader, defaultValue bool) (bool, bool, error) { |
There was a problem hiding this comment.
What about making this an enumerated string?
- EnabledWithDefaultAdmissionConfig
- EnabledWithCustomConfig
- Disabled
right now you have four possible cases and one of them isn't useful.
pkg/cmd/server/api/latest/helpers.go
Outdated
|
|
||
| // SplitStream reads the stream bytes and constructs two copies of it. | ||
| // This is copied from kubernetes | ||
| func SplitStream(config io.Reader) (io.Reader, io.Reader, error) { |
There was a problem hiding this comment.
move to point of use and make private
| } | ||
|
|
||
| func IsAdmissionPluginActivated(name string, config io.Reader) bool { | ||
| func IsAdmissionPluginActivated(name string, config io.Reader) (bool, bool) { |
There was a problem hiding this comment.
Thsi looks really similar to the upstream method now that we've pushed changes upstream. Any chance we can do a more invasive refactor to figure out what we want?
| } | ||
|
|
||
| func IsAdmissionPluginActivated(name string, config io.Reader) bool { | ||
| func IsAdmissionPluginActivated(name string, config io.Reader) (bool, bool) { |
There was a problem hiding this comment.
godoc, the name looks really similar to below. I'd like to know the diffference.
| return nil, err | ||
| } | ||
|
|
||
| if enabled { |
There was a problem hiding this comment.
if !enabled {continue} to reduce nesting?
There was a problem hiding this comment.
Why to send disabled plugin all the way down when what we get in return is just plugin as nil.
There was a problem hiding this comment.
Why to send disabled plugin all the way down when what we get in return is just plugin as nil.
I'm trying to see why its important to skip this and return in the next if instead of eliminating this nesting in keeping with golang style.
| return false, nil, err | ||
| } | ||
|
|
||
| enabled, isDefault := IsAdmissionPluginActivated(name, input) |
There was a problem hiding this comment.
this one in register.go does not return error.
| @@ -675,11 +675,20 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu | |||
| return nil, err | |||
| } | |||
|
|
|||
| plugin, err = admissionregistry.OriginAdmissionPlugins.InitPlugin(pluginName, pluginConfigReader, admissionInitializer) | |||
| plugin = nil | |||
| @@ -675,11 +675,20 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu | |||
| return nil, err | |||
| } | |||
|
|
|||
| plugin, err = admissionregistry.OriginAdmissionPlugins.InitPlugin(pluginName, pluginConfigReader, admissionInitializer) | |||
| plugin = nil | |||
| enabled, pluginConfigReaderCopy, err := admissionregistry.IsAdmissionPluginEnabled(pluginName, pluginConfigReader) | |||
There was a problem hiding this comment.
Why isn't this the upstream admission.PluginEnabledFn ?
There was a problem hiding this comment.
How would you avoid passing DefaultAdmissionConfig to admission plugins if you did that? Also by doing this here gives us 2 advantages as I understand:
- we do not need to override upstream admission.PluginEnabledFn
- We do not need to send disabled plugins all the way down as I said above.
There was a problem hiding this comment.
We do not need to send disabled plugins all the way down as I said above.
What do you mean by "all the way down"?
we do not need to override upstream admission.PluginEnabledFn
We created that for exactly this purpose.
There was a problem hiding this comment.
What do you mean by "all the way down"?
I mean to avoid InitPlugin->getPlugin-> (splitstream, PluginEnabledFn) inside kubernetes.
We created that for exactly this purpose.
I agree but how would you avoid DefaultAdmissionConfig passing to admission plugins if we used that. We need a way to process DefaultAdmissionConfig and a plugin's own config differently.
openshift-merge-robot
added
the
needs-rebase
|
@aveshagarwal can you update this? |
|
@sjenning will update soon. |
…issionConfig and stop passing DefaultAdmissionConfig to admission plugins.
aveshagarwal
force-pushed
the
master-admission-issues
branch
from
8054912
to
914cbef
Compare
openshift-merge-robot
removed
the
needs-rebase
|
@aveshagarwal: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
We eventually want to call https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/admission.go#L78 . I think that #16639 aligns more cleanly. Compare it with this? |
Automatic merge from submit-queue (batch tested with PRs 16657, 16607, 16647, 16639, 16655). filter out 'turn this on' config structs for admission Alternative to #16505 to allow our enablement of config. I think this aligns more closely with a goal of calling the "normal" https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/admission.go#L78 path.
Automatic merge from submit-queue (batch tested with PRs 16657, 16607, 16647, 16639, 16655). filter out 'turn this on' config structs for admission Alternative to openshift/origin#16505 to allow our enablement of config. I think this aligns more closely with a goal of calling the "normal" https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/admission.go#L78 path. Origin-commit: 105055ed88d0029dfb69d43eefedae45005044b7
In OpenShift, admission plugins can be enabled and disabled by using DefaultAdmissionConfig.
However enabling of admission plugins with configurations (like ResourceQuota, PodTolerationRestriction etc) via DefaultAdmissionConfig as follows:
fails with following error:
F0922 09:36:24.937280 5768 start_master.go:115] Couldn't init admission plugin "PodTolerationRestriction": no kind "DefaultAdmissionConfig" is registered for version "v1"The reason for this error is that DefaultAdmissionConfig is being passed to admission plugins which dont understand it, and so the error. This error does not happen with admission plugins that do not accept any configurations.
Though admission plugins with configurations can also be enabled by passing their own configurations, it might be confusing for users why some plugins can be enabled by DefaultAdmissionConfig and some not.
This PR addresses the above issue.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1492999
@sjenning @deads2k