Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding SectionName to PolicyTargetReference #2283

Merged

Conversation

zhaohuabing
Copy link
Contributor

@zhaohuabing zhaohuabing commented Aug 10, 2023

This allows attaching policies to a specific section within the targeted object.

Related issue: #2147

What type of PR is this?
/kind feature

What this PR does / why we need it:

What this PR does:

This PR allows attaching policies to a specific section within the targeted object.

Why we need it:

Lacking SectionName in PolicyTargetReference is blocking my current work. I'm implementing a direct policy attachment and need to target a specific listener inside a gateway.

NONE

@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 10, 2023
@k8s-ci-robot
Copy link
Contributor

Welcome @zhaohuabing!

It looks like this is your first PR to kubernetes-sigs/gateway-api 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/gateway-api has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 10, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @zhaohuabing. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@zhaohuabing zhaohuabing force-pushed the policyTargetReferenceSectionName branch from 1063517 to 474a6f4 Compare August 10, 2023 04:08
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Aug 10, 2023
@zhaohuabing zhaohuabing force-pushed the policyTargetReferenceSectionName branch from 474a6f4 to ae71661 Compare August 10, 2023 04:12
@zhaohuabing zhaohuabing marked this pull request as draft August 11, 2023 04:10
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 11, 2023
@zhaohuabing zhaohuabing force-pushed the policyTargetReferenceSectionName branch from ae71661 to e5d2ac8 Compare August 11, 2023 04:22
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Aug 11, 2023
@robscott
Copy link
Member

Hey @zhaohuabing, thanks for working on this! If I'm understanding correctly, it looks like you're trying to take on a couple of separate issues:

  1. Adding SectionName to PolicyTargetReference (Update TargetREf in Policy GEP #2147)
  2. Adding Name to Route Rules (GEP: Add Name to HTTPRouteRule and HTTPRouteMatch #995)

I think we mostly have consensus on 1, but we're waiting for #2128 to merge before moving forward. On 2, I don't think we quite have enough consensus to move forward yet. Maybe once #2128 merges you can check in with @arkodg to see if he needs any help with the implementation of #2147.

It may also be helpful to take a look at our documentation for the GEP process. All API changes have to go through that process so we can't start directly with a PR to change the API itself without first having an approved GEP in an "implementable" state.

@zhaohuabing
Copy link
Contributor Author

zhaohuabing commented Aug 11, 2023

@robscott Thanks for the guidelines! What I really need is to have a SectionName field in the PolicyTargetReference API. Right now, its absence is causing a bit of a roadblock for me as I'm trying to set up a direct policy attachment and want to target a specific listener within a gateway.

Since the community have already reached agreement on 1, could we consider adding this field as a first step? This matter is quite time-sensitive for me, and I'm a bit worried that it will take a while to get #2128 merged. Moreover, PR 2128 is mainly about the discoverability and isn't related to the SectionName field at all, so it shouldn't block adding this field.

For the GEP process, since GEP-713 already mentions SectionName in the Apply Policies to Sections of a Resource (Future Extension) section, is it ok that I modify this part to reflect this change if the above approach is acceptable?

@zhaohuabing zhaohuabing force-pushed the policyTargetReferenceSectionName branch from e5d2ac8 to 9fe398a Compare August 11, 2023 06:08
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 11, 2023
@arkodg
Copy link
Contributor

arkodg commented Aug 11, 2023

hey @zhaohuabing can you also edit

### Apply Policies to Sections of a Resource (Future Extension)
to now account for SectionName . Imo, since this PR is in draft mode, it shouldn't distract others from reviewing the Policy Discoverability PR first

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 14, 2023
@zhaohuabing zhaohuabing force-pushed the policyTargetReferenceSectionName branch from e25f9ce to 9c2a145 Compare August 14, 2023 13:08
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 14, 2023
@youngnick
Copy link
Contributor

Yes, we use "most specific wins" in other places, so I am very much in favor.

@zhaohuabing, sorry, but you'll need to include some information in the SectionName part of GEP-713 about this behavior. Something like:

When multiple Policies of the same type target the same object, one with a SectionName specified, and one without, the one with a SectionName is more specific, and so will have all its settings apply. The less-specifc Policy will not attach to the target.

I'll also take a note to add or extend conflict-resolution rules for direct policy attachment further up, with the "more specific wins" rule. (I have more updates to do to GEP-713 already, this will add to the pile).

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@youngnick
Copy link
Contributor

Thanks for that last change @zhaohuabing, this LGTM.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 4, 2023
@youngnick
Copy link
Contributor

Ping @robscott for one more check, then we can remove the hold.

@zhaohuabing
Copy link
Contributor Author

/retest-required

@k8s-ci-robot
Copy link
Contributor

@zhaohuabing: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest-required

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@youngnick
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 4, 2023
@youngnick
Copy link
Contributor

@zhaohuabing, you'll need to rerun make generate and commit the result for CI to pass.

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 5, 2023
Copy link
Member

@robscott robscott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for all the work on this @zhaohuabing! As much as I'm hesitant to add additional complexity here, this does feel inevitable. Have a few nits, but this looks good overall. In general just trying to at least make sure we have some guidance in here that ensures this is only used when it's actually necessary.

Would also appreciate some feedback from @kflynn on this because they've raised some important concerns about the complexity of our existing policy attachment model, so want to be careful when adding more.

geps/gep-713.md Outdated Show resolved Hide resolved
apis/v1alpha2/policy_types.go Outdated Show resolved Hide resolved
apis/v1alpha2/policy_types.go Show resolved Hide resolved
apis/v1alpha2/policy_types.go Outdated Show resolved Hide resolved
apis/v1alpha2/policy_types.go Outdated Show resolved Hide resolved
@zhaohuabing zhaohuabing force-pushed the policyTargetReferenceSectionName branch 2 times, most recently from 1e547eb to 9260e31 Compare September 5, 2023 06:54
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing force-pushed the policyTargetReferenceSectionName branch from 9260e31 to d426c47 Compare September 5, 2023 09:46
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@robscott
Copy link
Member

robscott commented Sep 7, 2023

Thanks @zhaohuabing!

/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 7, 2023
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 7, 2023
@robscott robscott added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Sep 7, 2023
@k8s-ci-robot k8s-ci-robot merged commit 386e9ec into kubernetes-sigs:main Sep 7, 2023
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants