Add some more answers into PRR review in EndPort kep #2199
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
sig/network
|
/uncc @dcbw @caseydavenport Will assign a PRR approver as soon as I get someone to approve this :) |
|
/assign @wojtek-t |
rikatz
force-pushed
the
port-range-review-prr
branch
from
668e14a to
5095f41
Compare
| Nothing happens, this is a new Network Policy API Field | ||
|
|
||
| * **What specific metrics should inform a rollback?** | ||
| None |
There was a problem hiding this comment.
Increased 4xx/5xx http error count on network policies endpoints maybe?
There was a problem hiding this comment.
Hum, seems a reasonable metric for me. We can have 5xx errors against netpol endpoints if some validation fails yeap. I'm afraid that 4xx http error can represent something not quite a metric error (like forbidden access to netpol object per RBAC, or maybe a not found object when getting it). but 5xx seems a good metric to me
rikatz
force-pushed
the
port-range-review-prr
branch
from
5095f41 to
56fcbb3
Compare
|
@wojtek-t thank you for the kind review :) I've added your suggestions, and left two items to deal later:
Don't know if we can move forward with those changes, otherwise I compromise myself to review this weekend, or not later then next tuesday. |
rikatz
force-pushed
the
port-range-review-prr
branch
from
56fcbb3 to
f65c69c
Compare
|
@wojtek-t Thank you again, corrected the small nits as requested, squashed commits so we don't polute the repo with small commits. Thanks! |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Already pinged them in slack :) Thanks! |
k8s-ci-robot
removed
the
lgtm
|
@caseydavenport @thockin made some changes, but left the question about what should happen when the feature gate is disabled, the old object differs from the new one only on the EndPort value :) Thanks |
|
@wojtek-t so I've added in a2e29d29 the Feature Enable/Disable/Enable test. Hopefully this is what you expect :) I think I'll need to maybe refactor that and create a helper function instead of keep doing Update and verify in everything (it's pretty ugly now, I think) but let me know if this works as a test. EDIT: I've just refactored and created a helper function for this operation! @thockin @caseydavenport I've also added the check of if the field is already present, do not drop it. If this is OK to you folks, maybe the KEP can be updated and we can continue working on the EndPort PR :) Thank you! |
Yes - this is great, thanks! |
| @@ -232,20 +232,45 @@ _This section must be completed when targeting alpha to a release._ | |||
|
|
|||
| * **Can the feature be disabled once it has been enabled (i.e. can we roll back | |||
| the enablement)?** | |||
| Yes, but CNIs relying on the new field wont recognize it anymore | |||
| Yes, fields created before feature being disabled will not be changed/dropped | |||
| if the old value is kept on the updated object. If the user removes the field | |||
There was a problem hiding this comment.
It's probably because of my english, but I think I'm not fully parsing this sentence.
Maybe let's say:
Yes. One caveat here is that NetworkPolicy objects create with EndPort field set when the features was enabled will continue to have that field set when the feature is disabled, but will not have any effect.
WDYT?
[i.e. change this whole paragraph to what I wrote]
There was a problem hiding this comment.
hum, my concern here is that it actually will have effect, if the CNI knows the field.
As an example, let's say Calico is using the last client-go which knows the EndPort field. Once I disable the Feature Gate, per PrepareForCreate and PrepareForUpdate I will not be able to add a new EndPort field (if the EndPort field is not in use in that object), but existing EndPort fields can be changed or removed. So, disabling the FeatureGate only blocks users to add/change on objects that does not have this field, but does not block the CNI to consume this, or even the user to Update or Delete it.
Before reaching your comment here, I've re-written the paragraph as the following:
Yes, fields created before feature gate being disabled will not be dropped unless the user removes it from the object.
If the user removes the field from the object it will be dropped and the
field can only be re-inserted if feature gate is enabled again.
How does this sounds?
|
@wojtek-t @thockin @caseydavenport added a new commit with some more corrections :) Thanks |
| @@ -232,20 +232,40 @@ _This section must be completed when targeting alpha to a release._ | |||
|
|
|||
| * **Can the feature be disabled once it has been enabled (i.e. can we roll back | |||
| the enablement)?** | |||
| Yes, but CNIs relying on the new field wont recognize it anymore | |||
| Yes, fields created before feature gate being disabled will not be dropped unless the user removes it from the object. | |||
There was a problem hiding this comment.
This isn't exactly true - if the feature is disabled there shouldn't be a way to drop the field even...
There was a problem hiding this comment.
Hum, okay, thinking here loudly (sorry for being too verbose!)
By the impl, when we edit an object that have the NetPol EndPort, but with the FG disabled, the EndPort field appears there (like in kubectl edit)
When I remove the field, PrepareForUpdate will run, and skip the dropEndPort because the field is in use, so it will follow its normal flow. (https://github.com/kubernetes/kubernetes/blob/f0601ac64d39c601a66f8f6e6f69d55995c2b32a/pkg/registry/networking/networkpolicy/strategy.go#L62-L64)
The normal flow is to take the old object, and if it's changed add +1 into Generation and then apply the desired changes.
So probably I'll need to also add into something after the PrepareForUpdate to not drop the EndPort field, even if the user has removed it?
There was a problem hiding this comment.
This is a tricky topic - I think I didn't realize one thing when writing this comment.
Looking into other examples across the codebase, the only thing we're doing is we're preventing from setting the field when the FG is switched on and silently dropping it if it was set. We allow to explicitly dropping it at any time.
So, I just actually suggest a simple nit:
Yes. One caveat here is that NetworkPolicies created with EndPort fiel set when the feature was enabled will continue to have that field set when the feature is disabled unless user removes it from the object.
[The sentence below kind-of duplicates the message]
There was a problem hiding this comment.
Great :)
I've improved the sentence here consolidating your suggestion and improving mine (I don't know where was my head when I wrote the next sentence, but it took me 3 reads to understand what I wanted to say).
Made another commit here
|
/lgtm @thockin @caseydavenport for SIG approval |
|
@rikatz - also please squash commits |
k8s-ci-robot
added
the
lgtm
rikatz
force-pushed
the
port-range-review-prr
branch
from
b82ef7a to
31239a9
Compare
k8s-ci-robot
removed
the
lgtm
|
Squashed, pinged Tim on slack so he can take a look when gets some time :) |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
| If the value is dropped with the FeatureGate disabled, the field can only | ||
| be re-inserted if feature gate is enabled again. | ||
|
|
||
| Rolling back the Kubernetes API Server that does not have this field |
There was a problem hiding this comment.
Maybe clarify: The net impact of a rollback is that a port-range reverts to a single port. This may break users, but that is inevitable in such a case. It satisfies the fail-closed requirement.
Signed-off-by: Ricardo Pchevuzinske Katz <[email protected]>
rikatz
force-pushed
the
port-range-review-prr
branch
from
31239a9 to
0a942c3
Compare
k8s-ci-robot
removed
the
lgtm
|
@thockin The change is done. I've already rebased but the only change was what you've suggested on lines 243:249. Thanks! |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rikatz, thockin, wojtek-t The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Signed-off-by: Ricardo Pchevuzinske Katz [email protected]