clarify attachment by two policies to the same object when one uses a sectionName #2442
Conversation
k8s-ci-robot
added
kind/documentation
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @maleck13! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @maleck13. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/XS
maleck13
force-pushed
the
clarify-section-name-attachment
branch
from
23b9dd1
to
d336c43
Compare
|
LGTM, will approve and hold for @robscott /approve |
k8s-ci-robot
added
do-not-merge/hold
geps/gep-713.md
Outdated
| the one with a `sectionName` is more specific, and so will have all its settings applied to the named target. The less-specific Policy will | ||
| still be applied but MUST not affect the named target. |
There was a problem hiding this comment.
This is surprising complex to get right, although this is a great improvement, I think there's actually still some ambiguity here. Consider the following example:
- AcmePolicy A targets just Gateway listener "http" and sets
spec.footo1 - AcmePolicy B targets the entire Gateway and sets
spec.footo2, andspec.barto3
What should the computed policy for the "http" listener be?
- {foo: 1}
- {foo: 1, bar: 3}
- {foo: 2, bar: 3}
1 might make sense if we say that each Directly Attached Policy can target exactly one level. IE AcmePolicy can only be used to target Gateway Listeners, other targets are invalid. The current wording in GEP-713 seems to imply that, but it's not clear how this interacts with SectionName:
A Direct Policy Attachment is tightly bound to one instance of a particular Kind within a single namespace (or to an instance of a single Kind at cluster scope), and only modifies the behavior of the object that matches its binding.
The number or scope of objects to be modified is limited or singular. Direct Policy Attachments must target one specific object.
2 might make sense if we say that each Directly Attached Policy can target either a full resource or a section within that resource. The GEP does not currently allow for that, but as noted above, it also doesn't have any wording that would prevent that.
One concern I have is that both 2 and 3 are starting to overlap with "Inherited Policy Attachment", with 2 effectively behaving as both policies set "defaults" and 3 behaving as both policies set "overrides". Importantly we've only allowed SectionName to be used with Direct Policy Attachment.
gateway-api/apis/v1alpha2/policy_types.go
Lines 62 to 64 in 3b87766
So all of the above actually leads me to think that 1 is the correct interpretation here (despite what I said in Slack). Interested in what others think here though. Looping in the people from the Slack thread for more discussion here:
There was a problem hiding this comment.
@robscott is foo and bar part of the AcmePolicy spec ? or are they targets . (foo has also been used as targets as well as policy names in this doc, so im confused :) )
There was a problem hiding this comment.
@arkodg good question, I updated my comment to be a bit more clear, they were both intended to be part of the spec.
There was a problem hiding this comment.
thanks @robscott , have to go with 1. entire spec is overridden for that section by AcmePolicy A
There was a problem hiding this comment.
I also tend to think that 1 is the intended behavior, but I think there are still some inconsistencies in the spec. For example:
When multiple Policies of the same type target the same object, one with a sectionName specified, and one without
Note that it says of the same type. This implies they must both be Inherited Policy Attachments, but that goes against:
Note that the sectionName is currently intended to be used only for Direct Policy Attachment
And there is also this:
Note also that it's not intended that Direct and Inherited Policies should overlap, so this should only come up in exceptional circumstances.
So, it's really not very clear, how and when this applies, but I think the answer to the original question is still that a less specific policy applies to all other sections, just not the one that the more specific policy attaches to.
The question about whether the specific policy completely overrides the less specific one for the specific section is IMO yes (option 1).
There was a problem hiding this comment.
Thinking about this, I also support option 1, and think that we should include @robscott's example in the godoc.
There was a problem hiding this comment.
I may be missing this so looking to clarify.
Option 1 looks correct to me also, and so the text suggested below is correct?
still be applied but MUST not affect the named target i.e. it will be applied to all other sections which have not been targeted by another Policy
There was a problem hiding this comment.
@maleck13 I think we should somehow insert entire spec of the Policy instead of it to add more clarity
There was a problem hiding this comment.
took another stab at this, let me know if it is clearer now
There was a problem hiding this comment.
I also support option 1. Also we should leave out Inherited Policy Attachment (with section names) to avoid the complexity. We can always add that later, right?
|
@robscott: GitHub didn't allow me to request PR reviews from the following users: david-martin, sanjaypujare. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Ack. Will take a look. (Hopefully this comment will add me as a reviewer.) |
Done. Looks good |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: arkodg, frankbu, maleck13, sanjaypujare, youngnick The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Thanks @maleck13! /lgtm |
k8s-ci-robot
removed
the
do-not-merge/hold
|
@maleck13 If you can rebase this one into the new format, we can merge - I'm about to start work on splitting up GEP-713, so it would be helpful to have this in first. |
… sectionName Co-authored-by: Nick Young <inocuo@gmail.com>
Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com>
maleck13
force-pushed
the
clarify-section-name-attachment
branch
from
052f623
to
bdf5947
Compare
k8s-ci-robot
added
do-not-merge/hold
|
Why has this suggested change been ignored? #2442 (comment) |
|
@frankbu I seem to have missed that. Updated now |
|
/retest |
|
The current test failure looked like a flake. Adding another LGTM so we can get this one in. /lgtm |
k8s-ci-robot
added
the
lgtm
|
@maleck13 do you mind adding a release note to this PR? Once you do, I think this should merge. /hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
done |
k8s-ci-robot
added
release-note
Signed-off-by: Nick Young <nick@isovalent.com>
Signed-off-by: Nick Young <nick@isovalent.com>
Signed-off-by: Nick Young <nick@isovalent.com>
Signed-off-by: Nick Young <nick@isovalent.com>
Signed-off-by: Nick Young <nick@isovalent.com>
Signed-off-by: Nick Young <nick@isovalent.com>
Signed-off-by: Nick Young <nick@isovalent.com>
…rited Policy (#2813) * Split GEP-713 into a Memorandum and separate GEPs for Direct and Inherited Policy Signed-off-by: Nick Young <nick@isovalent.com> * Fold in changes from #2442 and fix yamllint errors Signed-off-by: Nick Young <nick@isovalent.com> * Add more detail about listTypeMap merging Signed-off-by: Nick Young <nick@isovalent.com> * Last round of comment changes hopefully Signed-off-by: Nick Young <nick@isovalent.com> * Update GEP-2648 and GEP-2649 to provisional Signed-off-by: Nick Young <nick@isovalent.com> * Hopefully last round of PR comments Signed-off-by: Nick Young <nick@isovalent.com> --------- Signed-off-by: Nick Young <nick@isovalent.com>
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Clarifies how two policies targeting the same resource should work when one uses a
sectionNameand the other does notWhich issue(s) this PR fixes:
created based on Slack chat https://kubernetes.slack.com/archives/CR0H13KGA/p1695713117110159
Does this PR introduce a user-facing change?:
None
Release Note