OCPBUGS-62726: add CEL expression to enforce name cluster on singletons #834
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
added
jira/valid-reference
|
@ehearne-redhat: This pull request references Jira Issue OCPBUGS-62726, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ehearne-redhat The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Will test change on 4.20 cluster through custom built image and update description on how to test change tomorrow. |
There was a problem hiding this comment.
You'll need to also regenerate the CustomResourceDefinition.
Looks like make regen-crd is what you'll need [1].
cluster-kube-descheduler-operator/Makefile
Lines 41 to 45 in ccddc66
ehearne-redhat
force-pushed
the
OCPBUGS-62726-cel-enforce-singleton-naming
branch
from
0784906 to
c3027f1
Compare
|
Had some build issues - will update tomorrow. |
|
/retest |
|
Hello - can confirm that the CEL expression works in console and through cli Console
CLIehearne-mac:cluster-kube-descheduler-operator ehearne$ oc apply -f file.yaml
The KubeDescheduler "not-cluster" is invalid: <nil>: Invalid value: "object": kubedescheduler is a singleton, .metadata.name must be 'cluster'For some reason, |
|
@ehearne-redhat: This pull request references Jira Issue OCPBUGS-62726, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
ehearne-redhat
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@ingvagabund kindly requesting your review on this PR as validation steps complete :) |
|
@everettraven would you have any thoughts on the strange error format seen in an above comment? |
|
Generating the CRD is a semi automatic step here. I suppose this could be improved, yet there's still something new to learn about the generators. Besides those few comments this looks good. Thank you for improving this :) |
ehearne-redhat
force-pushed
the
OCPBUGS-62726-cel-enforce-singleton-naming
branch
from
c3027f1 to
f3c037b
Compare
@ehearne-redhat It is likely because of where the validation is placed (i.e KubeDescheduler is an openapi "object"). If you wanted to have a more granular error message, I believe you can set a field path to point directly to the field that is in error. See https://book.kubebuilder.io/reference/markers/crd-validation for more information. It is easiest to find if you search the page for |
|
So it looks like from discussions here that it is not possible to use CEL expression to include To have a cleaner error message would involve using a validation webhook. Otherwise the user would see this unclear message when creating the kubedescheduler instance with an invalid name through CLI and on Console. Is having |
|
/retest |
|
@ehearne-redhat Even if you specify |
|
If there's a way it's better to replace nil with a more readable alternative. |
|
@everettraven @ingvagabund I will try this out and update you shortly. |
|
@ehearne-redhat: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@everettraven so I can add ehearne-mac:cluster-kube-descheduler-operator ehearne$ oc apply -f manifests/kube-descheduler-operator.crd.yaml
Warning: resource customresourcedefinitions/kubedeschedulers.operator.openshift.io is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
The CustomResourceDefinition "kubedeschedulers.operator.openshift.io" is invalid: spec.validation.openAPIV3Schema.x-kubernetes-validations[0].fieldPath: Invalid value: "metadata.name": fieldPath must be a valid pathI have checked other operators built with similar logic to this, such as Kueue Operator, which also has this similar error: I was able to track when they first implemented similar logic here . However, I could not find any comment about this behaviour there. So, it looks like this way of implementing the enforcement of name cluster on singletons is quite common within OpenShift . It still seems strange that we would allow I am happy to implement a better solution using a validation webhook if preferred, but given the following information I will leave it to you @ingvagabund to decide on that. :) |
|
@ehearne-redhat I wonder if it is considering that path invalid because it is missing the leading dot? Looking at the tests for path validation in https://github.com/kubernetes/apiextensions-apiserver/blob/4c7c8214a2fa680ac4f485e8ed8c52a248bafb7a/pkg/apiserver/schema/cel/validation_test.go#L3750-L3756 it looks like it wants a leading dot in the path. Does using |
|
If not, I don't think it is a huge deal. It is pretty standard practice for us to have this check for cluster singletons and I don't think going down the path of a validating webhook is worth it for this small of an issue. |
|
@everettraven I should have mentioned that I did try different combinations for I think that makes sense, because it is so commonly used anyways. |
4 participants
See https://issues.redhat.com/browse/OCPBUGS-62726 for reference .
What:
nameasclusteron kubedescheduler instances.How:
pkg/apis/descheduler/v1/types_descheduler.goto enforcemetadata.name==clusterWhy:
nameis notcluster, there is no error to handle it to the user. This ensures the user knows why exactly their kubedescheduler instance did not start if thenamewas notcluster.How to test
OCPBUGS-62726-cel-enforce-singleton-namingbranch.Test via Console
Kube Descheduler Operatorfrom OperatorHub. You can find this inEcosystem-->Software Catalogand then search forkube descheduler.manifests/kube-descheduler-operator.crd.yamlto the cluster via the CLI -->oc apply -f manifests/kube-descheduler-operator.crd.yaml.a. Go to
Ecosystem-->Installed Operators.b. Change the project to
openshift-kube-descheduler-operator.c. Click on the
Kube Descheduler Operator.d. Click on the
Kube Deschedulertab, then click on the blueCreate KubeDeschedulerbutton .e. Change the
Namefield to something other thancluster. E.g.not-cluster. Scroll to the bottom and click Create.f. You should see the following error message:
g. Now try to create the instance using the name
cluster. The instance should create as normal. Delete the instance and test via CLI below.Test via CLI
.metadata.nameto something other thancluster.oc apply -f <your yaml filename>.yaml.The KubeDescheduler "not-cluster" is invalid: <nil>: Invalid value: "object": kubedescheduler is a singleton, .metadata.name must be 'cluster'.metadata.nametoclusterand reapply using the same command as above.kubedescheduler.operator.openshift.io/cluster created.