Comments (19)
fwiw, optionals can make that more concise:
self.?status.?conditions.orValue([]).exists(c, c.type == 'QuotaReserved' && c.status == 'True')
from kubernetes.
/sig api-machinery
cc @cici37 @jpbetz
from kubernetes.
@IrvingMg, @trasc did I miss anything important?
from kubernetes.
What do you mean by Pod templates @alculquicondor?
One pattern I'd like to see used more: when you create something that embeds a Pod template, the controller for that kind tries to dry-run make a PodTemplate. That way you get one place to put customer validation (e.g. a ValidatingAdmissionPolicy), and it can apply to lots of API kinds without repetition.
from kubernetes.
> One pattern I'd like to see used more: when you create something that embeds a Pod template, the controller for that kind tries to dry-run make a PodTemplate.

Interesting. I've never seen that. It sounds bulletproof from a validation perspective. Is there dry-run support in the apiserver? But then it would have to be called from the webhook?
from kubernetes.
> Regexes for object names, label keys, values, container names, etc. I think this one is already in the works?
Yes, this one is progressing here: #123572 (cc @alexzielenski)
from kubernetes.
> The ultimate validation: Pod templates, but worth starting with just containers :) Very useful for job CRDs.

We might do something special to validate embedded types like this that doesn't involve CEL. But yes, I agree there is a huge need here. Do you happen to have any references to specific use cases? I'm working on accumulating those.
from kubernetes.
> Is there dry-run support in the apiserver?
yes, since 1.12: https://github.com/kubernetes/kubernetes/blob/release-1.12/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go#L485-L491
from kubernetes.
Re: dry-run support
I see. Still, that would imply that a webhook has to do an API call. Would you still recommend this?
> Do you happen to have any references to specific use cases?
- All of the kubeflow job CRDs, to start. They will eventually fail at Pod or k8s Job creation, if the template is wrong, as they are not doing any validation.
- Kueue Workload objects https://kueue.sigs.k8s.io/docs/concepts/workload/. These are created out of existing Jobs, Pods, or arbitrary CRDs (like Kubeflow jobs). The only problematic case is the last one.
from kubernetes.
- JobSet validation (based on JobTemplates) kubernetes-sigs/jobset#422
from kubernetes.
@danielvegamyhre was looking into kubectl-validate as a way to validate templates as a library.
from kubernetes.
Not that I can think of. That's everything we need for now.
from kubernetes.
WRT conditions, right now, we have to do things like this:
has(self.status) && has(self.status.conditions) && self.status.conditions.exists(c, c.type == 'QuotaReserved' && c.status == 'True')
It would be good to have a simplified experience, similar to meta.IsConditionTrue in golang.
I added a separate item for this.
from kubernetes.
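The condition check from the comment above as a stand-alone Go helper: an added example, not code from the thread or from Kubernetes, with `conditionTrue`, `quotaReserved` and the sample objects as assumptions. It returns false rather than an error when `status` or `conditions` is absent, which is what the `has()` guards and the `.?`/`orValue([])` chain give the CEL rule.

```go
// Added example, not Kubernetes code. Helper names are hypothetical and the
// JSON objects in main are constructed samples.
package main

import (
	"encoding/json"
	"fmt"
)

// conditionTrue reports whether obj.status.conditions has an entry of the
// given type with status "True". A missing or mistyped status, conditions
// list or entry yields false instead of a lookup error.
func conditionTrue(obj map[string]any, condType string) bool {
	status, ok := obj["status"].(map[string]any)
	if !ok {
		return false // no status: what has(self.status) guards against
	}
	conds, ok := status["conditions"].([]any)
	if !ok {
		return false // no conditions: the orValue([]) case
	}
	for _, raw := range conds {
		c, ok := raw.(map[string]any)
		if ok && c["type"] == condType && c["status"] == "True" {
			return true
		}
	}
	return false
}

// quotaReserved decodes a JSON object and checks the QuotaReserved condition.
func quotaReserved(doc string) (bool, error) {
	var obj map[string]any
	if err := json.Unmarshal([]byte(doc), &obj); err != nil {
		return false, err
	}
	return conditionTrue(obj, "QuotaReserved"), nil
}

func main() {
	for _, doc := range []string{
		`{"spec":{}}`,
		`{"status":{"conditions":[{"type":"QuotaReserved","status":"True"}]}}`,
	} {
		ok, err := quotaReserved(doc)
		fmt.Printf("%-5v %v  %s\n", ok, err, doc)
	}
}
```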
/cc @cici37 @alexzielenski @jpbetz
/triage accepted
from kubernetes.
@alculquicondor is part of the issue that there isn't support for variables within CRD validations? I'm certain that the ValidatingAdmissionPolicy support for variables is instrumental in making the config as DRY as possible.
from kubernetes.
FWIW I have a draft KEP I was hoping to implement this release (maybe deferred to next) to add variables also to CRDs
from kubernetes.
I wasn't aware that CEL itself supported variables. That could help.
But, in general, there are common structs that multiple APIs might want to use, and we should have library validations for those.
from kubernetes.
> But, in general, there are common structs that multiple APIs might want to use, and we should have library validations for those.

100% agree on this. I'd like it to feel to a CEL user like the language "understands" kubernetes resources and the types found within them. This includes quantities, durations, date-times, int-or-string, IPs, CIDRs, and all the name formats, and maybe more sophisticated types like Conditions, selectors... We have support for many of these and are actively working on some others, but we definitely have gaps.
from kubernetes.
I would love to add the map/list flatten support for sure :)
from kubernetes.