Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GameServer definition validation #10

Closed
markmandel opened this issue Dec 7, 2017 · 20 comments · Fixed by #106
Closed

GameServer definition validation #10

markmandel opened this issue Dec 7, 2017 · 20 comments · Fixed by #106
Assignees
Labels
area/user-experience Pertaining to developers trying to use Agones, e.g. SDK, installation, etc kind/design Proposal discussing new features / fixes and how they should be implemented kind/feature New features for Agones
Milestone

Comments

@markmandel
Copy link
Member

markmandel commented Dec 7, 2017

Currently there is no validation on a GameServer

Once Kubernetes 1.9 is available on GKE, this can be implemented in the master branch.

We will likely need a combination of CRD validation, as well as webhook validation on creation and mutation.

List of validations

  • Container should refer to an existing container in the PodTemplateSpec, optional if only one container is defined otherwise mandatory.
  • PortPolicy should be either static or dynamic, optional, defaults to dynamic
  • ContainerPort should be a valid tcp/udp port 0-65535, required.
  • HostPort should be a valid port 0-65535, should only be passed if PortPolicy == static
  • Protocol should be TCP or UDP only, optional - defaults to UDP
  • A valid PodTemplate....
  • health
    • disabled: boolean
    • PeriodSeconds, InitialDelaySeconds, FailureThreshold valid positive integer (max 2**31) - all optional as they have defaults and/or not required if health is disabled

Research

@markmandel markmandel added kind/design Proposal discussing new features / fixes and how they should be implemented kind/feature New features for Agones labels Dec 7, 2017
markmandel added a commit that referenced this issue Jan 11, 2018
When running `kubectl describe` on GameServers, this will
now display records of major events in the lifecycle of
the GameServer.

This was setup work for reporting issue for #10 (validation)

Closes #32
@markmandel markmandel added the area/user-experience Pertaining to developers trying to use Agones, e.g. SDK, installation, etc label Feb 3, 2018
@markmandel markmandel added this to the 0.1 milestone Feb 5, 2018
@cyriltovena
Copy link
Collaborator

cyriltovena commented Feb 9, 2018

So we should add validations inside the install.yaml at the CRD level using OpenAPI spec ?

List of required validations :

  • Container should refer to an existing container in the PodTemplateSpec, optional if only one container is defined otherwise mandatory.
  • PortPolicy should be either static or dynamic, optional ?
  • ContainerPort should be a valid udp port 0-65535, required.
  • HostPort should be a valid port 0-65535, should only be passed if PortPolicy == dynamic
  • Protocol should be TCP or UDP only, required.
  • A valid PodTemplate....
  • health if enabled.
    • PeriodSeconds, InitialDelaySeconds, FailureThreshold valid positive integer (max 2**31)

Anything else ?

Also I see that you listed webhooks and admission controller, I guess you want to use the validation one for complex scenarios ?

@markmandel
Copy link
Member Author

You got most of it - updated the description above to be the canonical reference.

Regarding the validation webhook - I'd be surprised if the OpenAPI spec can cover all of the above scenarios - e.g. "Container should refer to an existing container in the PodTemplateSpec, optional if only one container is defined otherwise mandatory.", so leaning on the validation webhook seems like the appropriate response.

These features are only available on 1.9 - I started a bit of work on this branch - but I'm currently blocked by #57 (although I could turn off RBAC if need be, at least for development).

That being said, if you wanted to start on the OpenSpec part of this, we test it and keep it in reserve until the support for 1.9 is fully integrated.

@cyriltovena
Copy link
Collaborator

I wanted to also tackle the validation webhook, but I could not find a documentation on how to self host your own api in the api-server which seems the best option.

They mostly documented what to use and how to setup the webhook.

@markmandel
Copy link
Member Author

@Kuqd yeah, it's not well documented.

My task for next week is to build a basic MutatingWebhookConfiguration to set the default value on the GameServer when it first gets created (I need to work through some of the undocumented features with some members from sig-apimachinery) - but once I've got that done, that will setup the infrastructure for this ticket and also #70 .

markmandel added a commit that referenced this issue Feb 12, 2018
This is setup work for #10 and #70, since the service for
webhooks need to be namespaced.

Closes #89
@cyriltovena
Copy link
Collaborator

found some documentation https://github.com/openshift/generic-admission-server if that can help

@markmandel
Copy link
Member Author

I've got (the receiving) of a basic MutatingWebhookConfiguration in this gameserver-mutate-webhook - which should be the same structure as the ValidatingWebhookConfiguration

I'm in the process of making a small library to make adding new webhook configurations simpler without having to build as much of the plumbing yourself - it's getting there.

I'm not sure how to candle the ca certs, but for now - keeping things simple and keeping them in the repo.

@markmandel
Copy link
Member Author

Kubernetes 1.9 is now merged - so we can at least now start on the CRD/yaml part of the validation.

markmandel added a commit that referenced this issue Feb 16, 2018
Webhook library to make k8s webhooks easy(er) to use,
as well as setting default values on GameServers via it
for when they are first created.

Some refactoring of GameServer sync in the controller
was required and a new PortAllocation state was created.

This is also makes #70 and #10 possible to implement.
markmandel added a commit that referenced this issue Feb 16, 2018
Webhook library to make k8s webhooks easy(er) to use,
as well as setting default values on GameServers via it
for when they are first created.

Some refactoring of GameServer sync in the controller
was required and a new PortAllocation state was created.

This is also makes #70 and #10 possible to implement.
markmandel added a commit that referenced this issue Feb 16, 2018
Webhook library to make k8s webhooks easy(er) to use,
as well as setting default values on GameServers via it
for when they are first created.

Some refactoring of GameServer sync in the controller
was required and a new PortAllocation state was created.

This is also makes #70 and #10 possible to implement.
markmandel added a commit that referenced this issue Feb 17, 2018
Webhook library to make k8s webhooks easy(er) to use,
as well as setting default values on GameServers via it
for when they are first created.

Some refactoring of GameServer sync in the controller
was required and a new PortAllocation state was created.

This is also makes #70 and #10 possible to implement.
markmandel added a commit that referenced this issue Feb 17, 2018
Webhook library to make k8s webhooks easy(er) to use,
as well as setting default values on GameServers via it
for when they are first created.

Some refactoring of GameServer sync in the controller
was required and a new PortAllocation state was created.

This is also makes #70 and #10 possible to implement.
markmandel added a commit that referenced this issue Feb 20, 2018
Webhook library to make k8s webhooks easy(er) to use,
as well as setting default values on GameServers via it
for when they are first created.

Some refactoring of GameServer sync in the controller
was required and a new PortAllocation state was created.

This is also makes #70 and #10 possible to implement.
markmandel added a commit that referenced this issue Feb 20, 2018
Webhook library to make k8s webhooks easy(er) to use,
as well as setting default values on GameServers via it
for when they are first created.

Some refactoring of GameServer sync in the controller
was required and a new PortAllocation state was created.

This is also makes #70 and #10 possible to implement.
markmandel added a commit that referenced this issue Feb 21, 2018
Webhook library to make k8s webhooks easy(er) to use,
as well as setting default values on GameServers via it
for when they are first created.

Some refactoring of GameServer sync in the controller
was required and a new PortAllocation state was created.

This is also makes #70 and #10 possible to implement.
@cyriltovena
Copy link
Collaborator

cyriltovena commented Feb 22, 2018

@markmandel Do you expect OpenAPI to also validate the PodSpecTemplate ? if yes I guess the bare minimun ? Which is one container with a name and image.

@markmandel
Copy link
Member Author

markmandel commented Feb 22, 2018

You ask a good question. I'm leaning towards "no" just for simplicity sake. The template should be required though. WDYT?

If the pod template is bad, the GameServer will go into an Error state, and have an event attached with a message, so if there is an issue, it will be caught by the system.
https://github.com/googleprivate/agones/blob/master/pkg/gameservers/controller.go#L456

As an aside - I swear I found a github repo witth all of the standard Kubernetes resources as OpenAPI specs, but I can't find it now.

@cyriltovena
Copy link
Collaborator

I might be able to reference it if you do ! At least I could try.

@markmandel
Copy link
Member Author

Ah this was what I found - https://github.com/garethr/kubernetes-json-schema

Not sure if it's actually helpful. It seems to reference existing OpenAPI schemas, but I'm not sure where they are. I'm having a bit of an ask around to see what I can find.

I wonder if there is a way to reference the existing schema?

@cyriltovena
Copy link
Collaborator

cyriltovena commented Feb 22, 2018

it's there https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/swagger.json
but I tried and go this

The CustomResourceDefinition "gameservers.stable.agones.dev" is invalid: spec.validation.openAPIV3Schema.properties[spec].properties[template].$ref: Forbidden: $ref is not supported

@markmandel
Copy link
Member Author

Erk 😞

I'll ping some people on my end, see if I can find any information - but sounds like we're going to skip the PodTemplate for now 😢

@cyriltovena
Copy link
Collaborator

cyriltovena commented Feb 22, 2018

I can copy the most important part which is the containers part right ?

@cyriltovena
Copy link
Collaborator

cyriltovena commented Feb 22, 2018

I'm having issue with arrays.
Never mind dam yaml tabulation.

@markmandel
Copy link
Member Author

Sounds reasonable to me 👍

@markmandel
Copy link
Member Author

Just found out - refs are coming, just not there yet -
kubernetes/kubernetes#54579

@markmandel
Copy link
Member Author

@Kuqd for organisation sake, should we assign this ticket to you? (are you working on the webhook side of things as well?)

@cyriltovena
Copy link
Collaborator

Yes assign it to me.

My plan was to add more validation in the mutating webhook like you started is it ok ?

@markmandel
Copy link
Member Author

Yep - was just chatting with @dzlier-gcp about who was working on what, so just wanted to make sure.

👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/user-experience Pertaining to developers trying to use Agones, e.g. SDK, installation, etc kind/design Proposal discussing new features / fixes and how they should be implemented kind/feature New features for Agones
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants