Reset managedFields corrupted by admission controllers

[kwiesmueller]

What type of PR is this?
/kind bug

What this PR does / why we need it:
When a mutating admission controller changes managedFields in a way that causes them to be invalid, this change will reset them to their state before the admission chain modified them.

Which issue(s) this PR fixes:

Fixes #96688

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

The apiserver now resets managedFields that got corrupted by a mutating admission controller.

/sig api-machinery
/wg api-expression
/cc @apelisse

[kwiesmueller]

For a reason I still don't understand the webhook tests fail for me locally with unable to sync kubernetes service: Endpoints "kubernetes" is invalid: subsets[0].addresses[0].ip: Invalid value: "127.0.0.1": may not be in the loopback range (127.0.0.0/8).
Let's hope it works in CI.

[fedebongio]

/triage accepted

[kwiesmueller]

/retest

[kwiesmueller]

I don't really understand what I could have done to cause this specific error.
/retest

[apelisse]

Conformance test fail specifically on admission webhooks, that might be related ;-)
bazel-test fails on endpoint, I haven't looked but I'm sure you've changed something there.

[apelisse]

A few questions based on our discussion:

1. Why is the result of mutating webhooks not validated? I bet it is, why is this specific field not properly validated?
2. Since this is around the whole admission rather than per plugin, should we send an invalid fields set by a plugin to the following plugins?
3. What happens if we don't validate the whole "FieldSet", how do we treat these errors in general?

[kwiesmueller]

/retest

[apelisse]

Rather than making this into a "admission wrapper", would it make sense to apply this right after admission instead in the DefaultUpdatedObjectInfo function, e.g. https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go#L596-L604?

[apelisse]

I still need to look at the changes to the internal decoding functions.

[apelisse]

Maybe make a test that shows that corrupting the "FieldsV1" isn't good

[kwiesmueller]

Actually this test is no longer testing what it did before.
All tests fail for the same reason, something is missing from the managedFields entry.
The manager name is not even covered by the reset anymore but still gets reset.

The test just makes sure a reset happens if anything is invalid.
The details are tested in the decoding tests. I'll simplify this one.

[kwiesmueller]

Changed the test quite a bit and it should actually do what it's supposed to do now.

[apelisse]

I haven't look at internal yet, but can we get rid of the indirection here? I'd rather avoid having too many "DecodeManagedFields" functions if possible :-)

[kwiesmueller]

I looked at it for a bit, but I didn't want to move too much outside the internal package if not needed.
There are a few internal types and decoding functions right now, but in theory we could move everything I think.
We would be splitting up decoding and encoding though, or move encoding as well. But I'm not sure if I want to also expose encoding.
Have a look and tell me what you think, I can do it either way.

[apelisse]

Yes, but somewhat unrelated, shouldn't we do something useful if the managedfields is invalid here?

Should we replace emptyManagedFieldsOnErr method with a decodeManagedFieldsOrEmpty, which could be used here?

[kwiesmueller]

Shouldn't we keep returning the error here if decoding fails (it is apply)?
What would we want to happen if live is corrupted?
It could only happen if somebody updates it and then applies would fail in the future. I'd say we then should prevent invalid managedFields from getting persisted, what this PR tries to at least make harder.

[apelisse]

Right, if the managed fields are corrupted in the apiserver, then someone can't apply anymore. The right thing to do is to restart fresh I would say.

[apelisse]

This always returns nil error, does it need to return that?

[kwiesmueller]

Yeah, I made it this way for ease of use so it can just wrap the function call for providing the same return values.
So no additional error check or anything is required.

[apelisse]

That's good, thanks!

[apelisse]

Beside the new validation that I think you have to revert, mostly nits, thanks!

[apelisse]

/lgtm

Thanks Kevin!

[lavalamp]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kwiesmueller, lavalamp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apimachinery/pkg/OWNERS [lavalamp]
• staging/src/k8s.io/apimachinery/pkg/apis/OWNERS [lavalamp]
• staging/src/k8s.io/apiserver/OWNERS [lavalamp]
• test/integration/apiserver/OWNERS [lavalamp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment