Admission Webhook to GA #736
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
kind/kep
|
@deads2k wrote:
I agree and setup a follow up meeting for that. But for the holding part, the KEP process encourages to merge the KEP as soon as possible and iterate on it. The status of the KEP would be |
The intent is to capture iterative consensus. A spot in the doc listing open questions would temper the "this is the agreed-on list for GA" impression. |
mbohlool
force-pushed
the
gandalf
branch
2 times, most recently
from
5ed473c to
892b412
Compare
Added open questions to the Graduation section. |
mbohlool
force-pushed
the
gandalf
branch
4 times, most recently
from
970fa55 to
9f530a0
Compare
k8s-ci-robot
removed
the
do-not-merge/blocked-paths
Merging early works, but only if we strip out all bits with comments. We did that with Chao's storage migration one and it worked well. In this case, we're up against a deadline. |
deadline for merging and marking implementable got extended to monday because the originally documented requirements were unclear. let's work to resolve the open questions today/tomorrow |
| * AdmissionReview version selection: Add a API field to set the AdmissionReview versions a webhook can understand. | ||
| * Pass existing objects to delete admission webhooks | ||
| * re-run mutating plugins if any webhook changed object to fix the plugin ordering problem | ||
| * pass OperationOption (such as CreateOption/DeleteOption) to the webhook |
There was a problem hiding this comment.
Add: Webhook Configuration should not require users/admins to understand every possible way a user can write an object (e.g., you must hook both apps/deployment and extensions/deployment).
There was a problem hiding this comment.
I remember I discussed this early on with @liggitt and he recommended we do not make this item a requirement for GA. Let's add this item in a follow up PR if we wanted to do it.
There was a problem hiding this comment.
We discussed this on Wednesday, and I think it's worth attempting for GA.
All the pros are for webhook authors and are significant:
- you could write/register a simpler webhook for a single version of a resource
- you don't have to worry about a security-related webhook missing a new version of a resource you thought you were protecting
All the cons are for the apiserver authors
- performance cost of converting up to 2n times in order to dispatch to n webhooks (where today we convert zero times between webhooks)
- complexity of some of those conversions possibly being done by CRD conversion webhooks
- ...
I'm ok adding it as a planned item, but there are some interesting edges to work through before this bit would be implementable. If it proves untenable (either because of complexity or performance), I'd be comfortable GAing without it.
| * AdmissionReview version selection: Add a API field to set the AdmissionReview versions a webhook can understand. | ||
| * Pass existing objects to delete admission webhooks | ||
| * re-run mutating plugins if any webhook changed object to fix the plugin ordering problem | ||
| * pass OperationOption (such as CreateOption/DeleteOption) to the webhook |
There was a problem hiding this comment.
Add: define whether or not admission plugins are allowed to modify "user set" fields; also, do the actions of prior webhooks count as "user set"?
There was a problem hiding this comment.
define whether or not admission plugins are allowed to modify "user set" fields
yes, much of their power comes from this
do the actions of prior webhooks count as "user set"
yes
There was a problem hiding this comment.
As this is the behaviour today (Jordan's yeses) I assume we don't have an action item in this comment unless @lavalamp disagrees :)
| * port configuration: Add a configuration field to change the service port from the default 443. | ||
| * AdmissionReview version selection: Add a API field to set the AdmissionReview versions a webhook can understand. | ||
| * Pass existing objects to delete admission webhooks | ||
| * re-run mutating plugins if any webhook changed object to fix the plugin ordering problem |
There was a problem hiding this comment.
I know we talked this to death on the call but I'm increasingly unsatisfied with this.
- Imagine a linear acyclic chain of webhooks where each makes a decision based on the previous one, which I think is a reasonable thing for a webhook to do. The optimal ordering requires a single pass. The pessimal ordering (run them in the opposite order) requires N passes.
- There are many arrangements of webhooks that need more than 2 passes if we consider cycles.
- We can deliberately construct pathological webhook sets requiring obscene numbers of passes no matter what order they are run in. I think we can mostly exclude these from consideration as it should be hard to accidentally produce one.
So, I'd like to see:
- If there is an ordering for a set of webhooks such that they quiesce in 1 or 2 passes, is there anything we can do to actually run them in that order and not the order that takes N passes?
- If there's a cycle that needs 3 or more passes, how do users realize that they're not getting the correct final state?
- Can we collect any evidence supporting (or refuting) my assumption that most webhook sets are not pathological?
- Let me re-emphasize that we need to let webhooks opt-out of the double run, and probably default off in the beta. E.g., @yliaog wasn't confident that the Istio sidecar webhook would behave well if double-called.
The below is probably not a good idea, but maybe it will help someone think of one that is: One way of finding the optimal order for things that have an optimal order: allow webhooks to return in the AdmissionReview object the set of fields they examined before mutating the fields they did. We can tell the set of fields they changed by looking at what they did. With these pieces of information, we can form a graph with all webhooks that need to be run a second time, and then choose the order to run them in by topologically sorting. Unfortunately, this is onerous from the webhook developer's perspective. It also doesn't solve pathological cases at all, but I think that's a non-goal--I'm pretty sure we can construct webhook sets which encode NP complete problems.
There was a problem hiding this comment.
I think the current proposal ("just re-call") is both:
- the simplest thing that could work (covers the reported issues)
- required as an option even in the presence of more intelligent/complex optimizations
Justification for 2: the apiserver computing an order requires knowledge of the inputs and outputs to the webhook. In a future world where a webhook could express its inputs and outputs, it would always need a way to express "I pay attention to all fields, and have the potential to modify all fields" (for example, a programmable opa-based admission webhook), and if there were two webhooks that both inspect and potentially modify the same fields, the possibility of needing to re-call is present.
Unfortunately, this is onerous from the webhook developer's perspective.
I think anything sufficiently expressive to be useful is going to be painfully verbose, and that most webhook configs would either opt out entirely or choose to just get unconditionally re-called.
Let me re-emphasize that we need to let webhooks opt-out of the double run, and probably default off in the beta. E.g., @yliaog wasn't confident that the Istio sidecar webhook would behave well if double-called.
Agreed. I'd expect a way for the webhook config to indicate it is idempotent / safe to re-call, defaulted to false in v1beta1, and possibly undefaulted and required in v1. I would leave the number of potential re-calls unspecified to allow for future optimizations.
I'd recommend waiting for more evidence of a need for apiserver-driven sorting before pursuing it, and don't see that as a blocker to GA.
There was a problem hiding this comment.
... a way to express "I pay attention to all fields ...
I think anything sufficiently expressive to be useful is going to be painfully verbose, and that most webhook configs would either opt out entirely or choose to just get unconditionally re-called.
I think you misread; in the meeting I was talking about the configuration object but just now I was talking about the admission review response. I.e. the webhook writes down the fields it actually did look at; there's never a need to say "everything" unless it literally did look at everything. (Imagine: an unstructured object that logs every Get request.) This doesn't help the first pass but would help subsequent passes.
I agree multiple passes (hopefully calling fewer webhooks every pass) is likely to be an ingredient in a good solution :/
There was a problem hiding this comment.
I noted in the KEP that this feature would be opt-in. We can continue discussing this and document the result in this KEP using a follow up PR.
|
/lgtm still provisional, but at a good spot for iterating follow up PR #806 addresses:
to be resolved:
to be added to existing documentation:
|
k8s-ci-robot
added
the
lgtm
|
/lgtm This is getting big, let's lock in progress. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lavalamp, liggitt, mbohlool The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Admission Webhook to GA
Enhancement proposal to promote Admission Webhooks to GA.
@deads2k @liggitt @sttts @erictune @caesarxuchao @roycaihw @fedebongio @lavalamp