Implements GEP 709 - ReferencePolicy #741
Conversation
k8s-ci-robot
added
kind/feature
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: youngnick The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
| ``` | ||
| ### Conformance Level | ||
|
|
||
| ReferencePolicy support is a "CORE" coformance level for the following |
There was a problem hiding this comment.
| ReferencePolicy support is a "CORE" coformance level for the following | |
| ReferencePolicy support is a "Core" conformance level for the following |
There was a problem hiding this comment.
I'm not sure which is better here, but we should be consistent. Our docs around conformance levels use all caps, but usually the spec does not. Do we have a strong preference one way or the other?
There was a problem hiding this comment.
I lifted this phrasing from one of the other GEPs - I don't mind changing, but if so, we should change the others as well.
| // +kubebuilder:object:root=true | ||
| // +kubebuilder:resource:categories=gateway-api,shortName=refpol | ||
| // +kubebuilder:storageversion | ||
| // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` |
There was a problem hiding this comment.
We can revisit this, but the age doesn't seem particularly useful?
There was a problem hiding this comment.
I think it's a pretty standard column for k8s resources. I think it could be helpful to know when a resource was created.
There was a problem hiding this comment.
+1, should be on all resources.
| 1. Resource names are intentionally excluded from this policy for simplicity and because they rarely provide any meaningful protection. | ||
| A user that is able to write to resources of a certain kind within a namespace can always rename | ||
| resources or change the structure of the resources to match a given policy. | ||
| 1. A single Namespace is allowed per "From" struct. |
There was a problem hiding this comment.
is "all"/"any" not a common use case? I see the concerns of making it too permissive but generally APIs offer some way to be fairly permissive, even if its not easy.
There was a problem hiding this comment.
I think that's probably something we'll want to add in the future, but I'd rather start with something more restrictive that we can choose to open up if it's absolutely needed.
There was a problem hiding this comment.
+1 to both the comments above
| These references are only considered valid if a ReferencePolicy in the target namespace explicitly allows it. | ||
|
|
||
| The following example shows how a HTTPRoute in namespace `foo` can reference a Service in namespace `bar`. | ||
| In this example a ReferencePolicy in the `bar` namespace explicitly allows references to Services from HTTPRoutes in the `foo` namespace. |
There was a problem hiding this comment.
Nit: Much of our markdown is wrapped at 80 chars. I don't think this is a firm requirement, but the shorter lines can make reviews slightly easier.
| 1. Resource names are intentionally excluded from this policy for simplicity and because they rarely provide any meaningful protection. | ||
| A user that is able to write to resources of a certain kind within a namespace can always rename | ||
| resources or change the structure of the resources to match a given policy. | ||
| 1. A single Namespace is allowed per "From" struct. |
There was a problem hiding this comment.
I think that's probably something we'll want to add in the future, but I'd rather start with something more restrictive that we can choose to open up if it's absolutely needed.
| @@ -1,7 +1,7 @@ | |||
| # GEP-709: Cross Namespace References from Routes | |||
|
|
|||
| * Issue: [#709](https://github.com/kubernetes-sigs/gateway-api/issues/709) | |||
| * Status: Implementable | |||
| * Status: Implemented | |||
| // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` | ||
|
|
||
| // ReferencePolicy identifies kinds of resources in other namespaces that are | ||
| // trusted to reference the specified kinds of resources in the local namespace. |
There was a problem hiding this comment.
local is good but same might reduce the scope of confusion.
| // trusted to reference the specified kinds of resources in the local namespace. | |
| // trusted to reference the specified kinds of resources in the same namespace as the policy. |
| 1. Resource names are intentionally excluded from this policy for simplicity and because they rarely provide any meaningful protection. | ||
| A user that is able to write to resources of a certain kind within a namespace can always rename | ||
| resources or change the structure of the resources to match a given policy. | ||
| 1. A single Namespace is allowed per "From" struct. |
There was a problem hiding this comment.
+1 to both the comments above
|
Okay, thanks for the reviews everyone, updated. I think I got all the actions I could. Please take another look! |
| // | ||
| // Support: Core | ||
| // | ||
| // +kubebuilder:validation:MinLength=1 |
There was a problem hiding this comment.
Nit: I missed this in the GEP, but we can't enforce a min length of 1 for Group. We have to support "" for core.
| // * HTTPRoute | ||
| // * TCPRoute | ||
| // * TLSRoute | ||
| // * UDPRoute |
There was a problem hiding this comment.
Maybe we should remove these until we actually implement Route inclusion?
apis/v1alpha2/shared_types.go
Outdated
| // Support: Custom | ||
| // | ||
| // +optional | ||
| BackendRef *LocalObjectReference `json:"backendRef,omitempty"` | ||
| BackendRef *ObjectReference `json:"backendRef,omitempty"` |
There was a problem hiding this comment.
This is on a collision course with GEP #718, but since there's not an implementation PR for that one yet, I think this one will likely make it in first.
|
A few small things but otherwise LGTM, thanks @youngnick! |
| // ObjectReference identifies an API object including its namespace. | ||
| type ObjectReference struct { | ||
| // Group is the group of the referent. | ||
| // When empty, the "core" API group is inferred. |
There was a problem hiding this comment.
So interestingly, when the field is empty, it doesn't show up in 'kubectl get'. Just leaving a note here. No action required.
| // to be an additional place that references can be valid from, or to put | ||
| // this another way, entries must be combined using OR. |
There was a problem hiding this comment.
nit: I personally got more confused. Feel free to reject.
| // to be an additional place that references can be valid from, or to put | |
| // this another way, entries must be combined using OR. | |
| // to be an additional place that references can be valid from. |
There was a problem hiding this comment.
I've gone back and forth on this, agree it's a bit confusing, but think the specific "combined using OR" may end up being helpful. Either way, we can clean this up later if it ends up being a point of confusion.
| // To describes the resources that may be referenced by the resources | ||
| // described in "From". Each entry in this list must be considered to be an | ||
| // additional place that references can be valid to, or to put this another | ||
| // way, entries must be combined using OR. |
| // * HTTPRoute | ||
| // * TCPRoute | ||
| // * TLSRoute | ||
| // * UDPRoute |
|
Fixes #582 |
k8s-ci-robot
added
the
needs-rebase
Signed-off-by: Nick Young <ynick@vmware.com>
Signed-off-by: Nick Young <ynick@vmware.com>
Signed-off-by: Nick Young <ynick@vmware.com>
Signed-off-by: Nick Young <ynick@vmware.com>
youngnick
force-pushed
the
gep-709-referencepolicy
branch
from
37884a1
to
0ad53af
Compare
k8s-ci-robot
added
size/XL
k8s-ci-robot
removed
the
needs-rebase
youngnick
force-pushed
the
gep-709-referencepolicy
branch
2 times, most recently
from
31e2f68
to
4c9e188
Compare
Signed-off-by: Nick Young <ynick@vmware.com>
youngnick
force-pushed
the
gep-709-referencepolicy
branch
from
4c9e188
to
e4bfd3a
Compare
There was a problem hiding this comment.
Thanks for all the work on this @youngnick! Have a bunch of tiny nits, most are non-blocking though. Otherwise LGTM.
| // | ||
| // Note that when a namespace is specified, a ReferencePolicy object | ||
| // is required in the referent namespace to allow that namespace's | ||
| // owner to accept the reference. See the ReferencePolicy object for details. |
There was a problem hiding this comment.
| // owner to accept the reference. See the ReferencePolicy object for details. | |
| // owner to accept the reference. See the ReferencePolicy documentation for details. |
| // +optional | ||
| // +kubebuilder:default="" | ||
| // +kubebuilder:validation:MaxLength=253 | ||
| Group *string `json:"group"` |
There was a problem hiding this comment.
| Group *string `json:"group"` | |
| Group *string `json:"group,omitempty"` |
| // +kubebuilder:default=Service | ||
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:MaxLength=253 | ||
| Kind *string `json:"kind"` |
There was a problem hiding this comment.
| Kind *string `json:"kind"` | |
| Kind *string `json:"kind,omitempty"` |
| // to be an additional place that references can be valid from, or to put | ||
| // this another way, entries must be combined using OR. |
There was a problem hiding this comment.
I've gone back and forth on this, agree it's a bit confusing, but think the specific "combined using OR" may end up being helpful. Either way, we can clean this up later if it ends up being a point of confusion.
|
|
||
|
|
There was a problem hiding this comment.
Can probably remove these new lines.
| kind: HTTPRoute | ||
| namespace: foo | ||
| to: | ||
| - group: core |
There was a problem hiding this comment.
Now that we're allowing "" to represent core, we should probably update our examples to match.
| - group: core | |
| - group: "" |
| Other "ImplementationSpecific" objects and references MUST also use this flow | ||
| for cross-namespace references, except as noted in the Exceptions section | ||
| above. |
There was a problem hiding this comment.
More a note for me, but when I implement the Route-Gateway binding GEP, I'll need to update this to discuss the uniqueness of that relationship.
| When discussing the process of creating cross-namespace object references, this | ||
| document and the documentation on the API itself refers to the object being | ||
| referred to as "the referent object", using the meaning of "referent" to be | ||
| "the person, thing, or idea that a word, phrase, or object refers to".[1](https://dictionary.cambridge.org/dictionary/english/referent) |
There was a problem hiding this comment.
This footnote looks a bit off in the deploy preview. Maybe either use <sup> tag or a full word like (source).
https://deploy-preview-741--kubernetes-sigs-gateway-api.netlify.app/v1alpha2/references/cross-namespace-references/
| @@ -0,0 +1,127 @@ | |||
| # Cross namespace references and ReferencePolicy | |||
|
|
|||
| ### Terminology note | |||
There was a problem hiding this comment.
This feels a bit out of place. Not sure how this would render with mkdocs, but maybe something like a blockquote or callout format with this content added in the Intro section right before/after "Referent" is mentioned for the first time.
There was a problem hiding this comment.
Yeah, I didn't like it there either, but couldn't think of the right place to put it. I'll see how we can do a blockquote or something more inline instead.
There was a problem hiding this comment.
I think I found a "Note" syntax that should work, I'll check the deploy preview.
There was a problem hiding this comment.
I added in an "admonitions" extension, that we can use with:
!!! admonition
blockquote text is indented by four spaces
There was a problem hiding this comment.
This looks perfect! Thanks for adding it in
Signed-off-by: Nick Young <ynick@vmware.com>
Signed-off-by: Nick Young <ynick@vmware.com>
youngnick
force-pushed
the
gep-709-referencepolicy
branch
from
61078d8
to
677a3c0
Compare
|
Thanks for all the work on this! /lgtm |
k8s-ci-robot
added
the
lgtm
What type of PR is this?
/kind feature
/kind documentation
What this PR does / why we need it:
This implements the design from GEP 709.
It adds a couple of extra things we missed in the GEP, that I noticed while implementing:
ObjectReferencetype for cross-namespace references, to keep the existingLocalObjectReferencetype more similar to the core one.Which issue(s) this PR fixes:
Fixes #709
Does this PR introduce a user-facing change?: