Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CEL rules to Workload #2008

Merged
merged 10 commits into from
Apr 26, 2024
Merged

Add CEL rules to Workload #2008

merged 10 commits into from
Apr 26, 2024

Conversation

IrvingMg
Copy link
Contributor

@IrvingMg IrvingMg commented Apr 18, 2024
edited
Loading

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

It replaces some of the validations executed by webhooks for the Workload type with CRD validation rules.

Which issue(s) this PR fixes:

Fixes #463

Special notes for your reviewer:

Only validation rules with a cost within the API server limits have been added.

Does this PR introduce a user-facing change?

Added CRD validation rules to Workload.

ACTION REQUIRED: Requires Kubernetes 1.25 or newer

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 18, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @IrvingMg. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 18, 2024
@netlify Netlify
Copy link

netlify bot commented Apr 18, 2024
edited
Loading

Deploy Preview for kubernetes-sigs-kueue canceled.

Name Link
🔨 Latest commit 415523a
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-kueue/deploys/662bfb2a0feede000804799f

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Apr 18, 2024
@IrvingMg IrvingMg marked this pull request as ready for review April 18, 2024 18:55
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 18, 2024
@trasc
Copy link
Contributor

trasc commented Apr 19, 2024

/ok-to-test
/assign

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 19, 2024
trasc
trasc reviewed Apr 19, 2024
View reviewed changes
pkg/webhooks/workload_webhook_test.go Outdated Show resolved Hide resolved
test/integration/webhook/workload_test.go Outdated Show resolved Hide resolved
test/integration/webhook/workload_test.go Outdated Show resolved Hide resolved
test/integration/webhook/workload_test.go Outdated Show resolved Hide resolved
test/integration/webhook/workload_test.go Outdated Show resolved Hide resolved
trasc
trasc reviewed Apr 23, 2024
View reviewed changes
Copy link
Contributor

@trasc trasc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 23, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 7f9bd6f6022944ae873a72fa9ea393f4f55c5dab

alculquicondor
alculquicondor reviewed Apr 23, 2024
View reviewed changes
test/integration/webhook/workload_test.go Outdated Show resolved Hide resolved
test/integration/webhook/workload_test.go Outdated Show resolved Hide resolved
apis/kueue/v1beta1/workload_types.go Outdated
@@ -336,6 +359,11 @@ const (
// +kubebuilder:resource:shortName={wl}

// Workload is the Schema for the workloads API
// +kubebuilder:validation:XValidation:rule="has(self.spec) && has(self.status) && has(self.status.conditions) && self.status.conditions.exists(c, c.type == 'QuotaReserved' && c.status == 'True') && has(self.status.admission) ? size(self.spec.podSets) == size(self.status.admission.podSetAssignments) : true", message="podSetAssignments must have the same number of podSets as the spec"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

spec and status always exist. Apply the same for all rules.

.conditions.exist should already cover for has, I would think.

Suggested change
// +kubebuilder:validation:XValidation:rule="has(self.spec) && has(self.status) && has(self.status.conditions) && self.status.conditions.exists(c, c.type == 'QuotaReserved' && c.status == 'True') && has(self.status.admission) ? size(self.spec.podSets) == size(self.status.admission.podSetAssignments) : true", message="podSetAssignments must have the same number of podSets as the spec"
// +kubebuilder:validation:XValidation:rule="self.status.conditions.exists(c, c.type == 'QuotaReserved' && c.status == 'True') && has(self.status.admission) ? size(self.spec.podSets) == size(self.status.admission.podSetAssignments) : true", message="podSetAssignments must have the same number of podSets as the spec"

Copy link
Contributor Author

@IrvingMg IrvingMg Apr 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dropping has(self.status) check causes most of the workload tests to fail due to unexisting status field. For example this is one of the test cases which fails when skipping the status check.

An alternative could be using CEL optional types, that way we can leave just has(oldSelf.?status.conditions). However, optional types require Kubernetes 1.29.

Maybe we can just remove the spec checks for now and for status add this issue to #1986?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. I guess it's because of the omitempty for status. But yes, let's drop has(self.spec) and has (self.status.conditions)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed has(self.spec) successfully, however, it seems we still need has (self.status.conditions) since self.status.conditions.exists() returns the error no such key: conditions when conditions are empty.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah gotcha.

I still see has(oldSelf.spec), however.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The updated rules without the spec check should be visible now :)

pkg/webhooks/workload_webhook.go Outdated Show resolved Hide resolved
pkg/webhooks/workload_webhook.go Show resolved Hide resolved
pkg/webhooks/workload_webhook.go Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 24, 2024
@k8s-ci-robot k8s-ci-robot requested a review from trasc April 24, 2024 15:54
alculquicondor
alculquicondor reviewed Apr 25, 2024
View reviewed changes
apis/kueue/v1beta1/workload_types.go Outdated
@@ -336,6 +359,11 @@ const (
// +kubebuilder:resource:shortName={wl}

// Workload is the Schema for the workloads API
// +kubebuilder:validation:XValidation:rule="has(self.spec) && has(self.status) && has(self.status.conditions) && self.status.conditions.exists(c, c.type == 'QuotaReserved' && c.status == 'True') && has(self.status.admission) ? size(self.spec.podSets) == size(self.status.admission.podSetAssignments) : true", message="podSetAssignments must have the same number of podSets as the spec"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. I guess it's because of the omitempty for status. But yes, let's drop has(self.spec) and has (self.status.conditions)

test/integration/webhook/workload_test.go Outdated Show resolved Hide resolved
test/integration/webhook/workload_test.go
PodSets(
*testing.MakePodSet("first", 1).Obj(),
*testing.MakePodSet("second", 1).Obj(),
).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not pass the admission check through the wrapper?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we're using the function workload.SetAdmissionCheckState(), I haven´t found a wrapper that returns a kueue.AdmissionCheckState. As I see in other cases, to set an admission check state, we pass the object directly as an argument.

@IrvingMg IrvingMg mentioned this pull request Apr 25, 2024
Closed
11 tasks
@IrvingMg
Copy link
Contributor Author

/test pull-kueue-test-e2e-main-1-29

alculquicondor
alculquicondor reviewed Apr 26, 2024
View reviewed changes
Copy link
Contributor

@alculquicondor alculquicondor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Thanks!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 26, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 3eb6bcc3ce5cdd6e75f5292102b96fe8d69ba42a

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alculquicondor, IrvingMg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 26, 2024
@k8s-ci-robot k8s-ci-robot merged commit 5401a3b into kubernetes-sigs:main Apr 26, 2024
15 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v0.7 milestone Apr 26, 2024
@IrvingMg IrvingMg mentioned this pull request Apr 29, 2024
Open
@IrvingMg IrvingMg deleted the add-workload-cel-rules branch May 8, 2024 09:48
kannon92 pushed a commit to openshift-kannon92/kubernetes-sigs-kueue that referenced this pull request Nov 19, 2024
@IrvingMg @kannon92
Add CEL rules to Workload (kubernetes-sigs#2008)
7236cad 
* Add CEL rules to Workload

* Remove workload defaulter

* Remove test cases validated by CEL rules

* Update test descriptions

* Refactoring integration tests

* Restore validateAdmissionUpdate function

* Restore defaulting for minCount

* Simplify error checks

* Update workload cel rules

* Restore podSets immutability validation via webhook
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alculquicondor alculquicondor alculquicondor left review comments

@mimowo mimowo Awaiting requested review from mimowo

@kerthcet kerthcet Awaiting requested review from kerthcet

@trasc trasc Awaiting requested review from trasc

Assignees

@alculquicondor alculquicondor

@trasc trasc

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v0.7
Development

Successfully merging this pull request may close these issues.

Migrate some validations to CEL
4 participants
@IrvingMg @k8s-ci-robot @trasc @alculquicondor