Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

clarify attachment by two policies to the same object when one uses a sectionName #2442

Merged
merged 4 commits into from
Feb 27, 2024
Merged

clarify attachment by two policies to the same object when one uses a sectionName #2442

merged 4 commits into from
Feb 27, 2024

Conversation

maleck13
Copy link
Contributor

@maleck13 maleck13 commented Sep 28, 2023
edited by robscott
Loading

What type of PR is this?

/kind documentation

What this PR does / why we need it:

Clarifies how two policies targeting the same resource should work when one uses a sectionName and the other does not

Which issue(s) this PR fixes:
created based on Slack chat https://kubernetes.slack.com/archives/CR0H13KGA/p1695713117110159

Does this PR introduce a user-facing change?:
None

Release Note

clarify policy attachment by two of the same policy types when using section names.

@k8s-ci-robot k8s-ci-robot added kind/documentation Categorizes issue or PR as related to documentation. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Sep 28, 2023
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 28, 2023
@k8s-ci-robot
Copy link
Contributor

Welcome @maleck13!

It looks like this is your first PR to kubernetes-sigs/gateway-api 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/gateway-api has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Sep 28, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @maleck13. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Sep 28, 2023
youngnick
youngnick reviewed Oct 3, 2023
View reviewed changes
Copy link
Contributor

@youngnick youngnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small change, then this LGTM.

geps/gep-713.md Outdated Show resolved Hide resolved
@maleck13 maleck13 force-pushed the clarify-section-name-attachment branch from 23b9dd1 to d336c43 Compare October 3, 2023 06:41
@youngnick
Copy link
Contributor

LGTM, will approve and hold for @robscott

/approve
/hold

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 4, 2023
robscott
robscott reviewed Oct 4, 2023
View reviewed changes
Copy link
Member

@robscott robscott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this @maleck13! Unfortunately I think this one ended up being more complex than I initially thought it would be, added a long comment with more detail.

geps/gep-713.md Outdated
Comment on lines 1341 to 1342
the one with a `sectionName` is more specific, and so will have all its settings applied to the named target. The less-specific Policy will
still be applied but MUST not affect the named target.
Copy link
Member

@robscott robscott Oct 4, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is surprising complex to get right, although this is a great improvement, I think there's actually still some ambiguity here. Consider the following example:

  • AcmePolicy A targets just Gateway listener "http" and sets spec.foo to 1
  • AcmePolicy B targets the entire Gateway and sets spec.foo to 2, and spec.bar to 3

What should the computed policy for the "http" listener be?

  1. {foo: 1}
  2. {foo: 1, bar: 3}
  3. {foo: 2, bar: 3}

1 might make sense if we say that each Directly Attached Policy can target exactly one level. IE AcmePolicy can only be used to target Gateway Listeners, other targets are invalid. The current wording in GEP-713 seems to imply that, but it's not clear how this interacts with SectionName:

A Direct Policy Attachment is tightly bound to one instance of a particular Kind within a single namespace (or to an instance of a single Kind at cluster scope), and only modifies the behavior of the object that matches its binding.

The number or scope of objects to be modified is limited or singular. Direct Policy Attachments must target one specific object.

2 might make sense if we say that each Directly Attached Policy can target either a full resource or a section within that resource. The GEP does not currently allow for that, but as noted above, it also doesn't have any wording that would prevent that.

One concern I have is that both 2 and 3 are starting to overlap with "Inherited Policy Attachment", with 2 effectively behaving as both policies set "defaults" and 3 behaving as both policies set "overrides". Importantly we've only allowed SectionName to be used with Direct Policy Attachment.

gateway-api/apis/v1alpha2/policy_types.go

Lines 62 to 64 in 3b87766

// Note: This should only be used for direct policy attachment when references
// to SectionName are actually needed. In all other cases, PolicyTargetReference
// should be used.

So all of the above actually leads me to think that 1 is the correct interpretation here (despite what I said in Slack). Interested in what others think here though. Looping in the people from the Slack thread for more discussion here:

/cc @arkodg @david-martin @frankbu @sanjaypujare @youngnick

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@robscott is foo and bar part of the AcmePolicy spec ? or are they targets . (foo has also been used as targets as well as policy names in this doc, so im confused :) )

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arkodg good question, I updated my comment to be a bit more clear, they were both intended to be part of the spec.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @robscott , have to go with 1. entire spec is overridden for that section by AcmePolicy A

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also tend to think that 1 is the intended behavior, but I think there are still some inconsistencies in the spec. For example:

When multiple Policies of the same type target the same object, one with a sectionName specified, and one without

Note that it says of the same type. This implies they must both be Inherited Policy Attachments, but that goes against:

Note that the sectionName is currently intended to be used only for Direct Policy Attachment

And there is also this:

Note also that it's not intended that Direct and Inherited Policies should overlap, so this should only come up in exceptional circumstances.

So, it's really not very clear, how and when this applies, but I think the answer to the original question is still that a less specific policy applies to all other sections, just not the one that the more specific policy attaches to.

The question about whether the specific policy completely overrides the less specific one for the specific section is IMO yes (option 1).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking about this, I also support option 1, and think that we should include @robscott's example in the godoc.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I may be missing this so looking to clarify.

Option 1 looks correct to me also, and so the text suggested below is correct?
still be applied but MUST not affect the named target i.e. it will be applied to all other sections which have not been targeted by another Policy

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maleck13 I think we should somehow insert entire spec of the Policy instead of it to add more clarity

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

took another stab at this, let me know if it is clearer now

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also support option 1. Also we should leave out Inherited Policy Attachment (with section names) to avoid the complexity. We can always add that later, right?

@k8s-ci-robot
Copy link
Contributor

@robscott: GitHub didn't allow me to request PR reviews from the following users: david-martin, sanjaypujare.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

This is surprising complex to get right, although this is a great improvement, I think there's actually still some ambiguity here. Consider the following example:

  • AcmePolicy A attaches to Gateway listener "http" and sets foo to 1
  • AcmePolicy B attaches to Gateway and sets foo to 2, and bar to 3

What should the computed policy for the "http" listener be?

  1. {foo: 1}
  2. {foo: 1, bar: 3}
  3. {foo: 2, bar: 3}

1 might make sense if we say that each Directly Attached Policy can target exactly one level. IE AcmePolicy can only be used to target Gateway Listeners, other targets are invalid. The current wording in GEP-713 seems to imply that, but it's not clear how this interacts with SectionName:

A Direct Policy Attachment is tightly bound to one instance of a particular Kind within a single namespace (or to an instance of a single Kind at cluster scope), and only modifies the behavior of the object that matches its binding.

The number or scope of objects to be modified is limited or singular. Direct Policy Attachments must target one specific object.

2 might make sense if we say that each Directly Attached Policy can target either a full resource or a section within that resource. The GEP does not currently allow for that, but as noted above, it also doesn't have any wording that would prevent that.

One concern I have is that both 2 and 3 are starting to overlap with "Inherited Policy Attachment", with 2 effectively behaving as both policies set "defaults" and 3 behaving as both policies set "overrides". Importantly we've only allowed SectionName to be used with Direct Policy Attachment.

gateway-api/apis/v1alpha2/policy_types.go

Lines 62 to 64 in 3b87766

// Note: This should only be used for direct policy attachment when references
// to SectionName are actually needed. In all other cases, PolicyTargetReference
// should be used.

So all of the above actually leads me to think that 1 is the correct interpretation here (despite what I said in Slack). Interested in what others think here though. Looping in the people from the Slack thread for more discussion here:

/cc @arkodg @david-martin @frankbu @sanjaypujare @youngnick

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

arkodg
arkodg reviewed Oct 4, 2023
View reviewed changes
geps/gep-713.md Outdated Show resolved Hide resolved
@sanjaypujare
Copy link
Contributor

@robscott: GitHub didn't allow me to request PR reviews from the following users: david-martin, sanjaypujare.

Ack. Will take a look. (Hopefully this comment will add me as a reviewer.)

arkodg
arkodg approved these changes Oct 13, 2023
View reviewed changes
Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for adding this clarity !
/approve

@sanjaypujare
Copy link
Contributor

@robscott: GitHub didn't allow me to request PR reviews from the following users: david-martin, sanjaypujare.

Ack. Will take a look. (Hopefully this comment will add me as a reviewer.)

Done. Looks good

sanjaypujare
sanjaypujare approved these changes Oct 14, 2023
View reviewed changes
Copy link
Contributor

@sanjaypujare sanjaypujare left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

frankbu
frankbu reviewed Oct 20, 2023
View reviewed changes
geps/gep-713.md Outdated Show resolved Hide resolved
frankbu
frankbu approved these changes Oct 23, 2023
View reviewed changes
Copy link
Contributor

@frankbu frankbu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: arkodg, frankbu, maleck13, sanjaypujare, youngnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@robscott
Copy link
Member

Thanks @maleck13!

/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 24, 2023
@youngnick
Copy link
Contributor

@maleck13 If you can rebase this one into the new format, we can merge - I'm about to start work on splitting up GEP-713, so it would be helpful to have this in first.

@maleck13 maleck13 force-pushed the clarify-section-name-attachment branch from 052f623 to bdf5947 Compare January 11, 2024 08:39
@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/gep PRs related to Gateway Enhancement Proposal(GEP) and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jan 11, 2024
@frankbu
Copy link
Contributor

frankbu commented Jan 11, 2024
edited
Loading

Why has this suggested change been ignored? #2442 (comment)

@maleck13
Copy link
Contributor Author

@frankbu I seem to have missed that. Updated now

@robscott
Copy link
Member

/retest

@robscott
Copy link
Member

The current test failure looked like a flake. Adding another LGTM so we can get this one in.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 22, 2024
@robscott
Copy link
Member

@maleck13 do you mind adding a release note to this PR? Once you do, I think this should merge.

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 23, 2024
@maleck13
Copy link
Contributor Author

done

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Feb 27, 2024
@k8s-ci-robot k8s-ci-robot merged commit 72f679c into kubernetes-sigs:main Feb 27, 2024
8 checks passed
youngnick added a commit to youngnick/gateway-api that referenced this pull request Feb 27, 2024
@youngnick
Fold in changes from kubernetes-sigs#2442 and fix yamllint errors
e06fa3d 
Signed-off-by: Nick Young <[email protected]>
@youngnick youngnick mentioned this pull request Feb 27, 2024
Merged
youngnick added a commit to youngnick/gateway-api that referenced this pull request Feb 27, 2024
@youngnick
Fold in changes from kubernetes-sigs#2442 and fix yamllint errors
a01cdd6 
Signed-off-by: Nick Young <[email protected]>
youngnick added a commit to youngnick/gateway-api that referenced this pull request Feb 29, 2024
@youngnick
Fold in changes from kubernetes-sigs#2442 and fix yamllint errors
93cb69e 
Signed-off-by: Nick Young <[email protected]>
youngnick added a commit to youngnick/gateway-api that referenced this pull request Feb 29, 2024
@youngnick
Fold in changes from kubernetes-sigs#2442 and fix yamllint errors
40a7589 
Signed-off-by: Nick Young <[email protected]>
youngnick added a commit to youngnick/gateway-api that referenced this pull request Mar 5, 2024
@youngnick
Fold in changes from kubernetes-sigs#2442 and fix yamllint errors
87efcb6 
Signed-off-by: Nick Young <[email protected]>
youngnick added a commit to youngnick/gateway-api that referenced this pull request Mar 6, 2024
@youngnick
Fold in changes from kubernetes-sigs#2442 and fix yamllint errors
f9acc42 
Signed-off-by: Nick Young <[email protected]>
robscott pushed a commit to youngnick/gateway-api that referenced this pull request Apr 10, 2024
@youngnick @robscott
Fold in changes from kubernetes-sigs#2442 and fix yamllint errors
1e4b950 
Signed-off-by: Nick Young <[email protected]>
k8s-ci-robot pushed a commit that referenced this pull request Apr 10, 2024
@youngnick
Split GEP-713 into a Memorandum and separate GEPs for Direct and Inhe…
c1d306b 
…rited Policy (#2813)

* Split GEP-713 into a Memorandum and separate GEPs for Direct and Inherited Policy

Signed-off-by: Nick Young <[email protected]>

* Fold in changes from #2442 and fix yamllint errors

Signed-off-by: Nick Young <[email protected]>

* Add more detail about listTypeMap merging

Signed-off-by: Nick Young <[email protected]>

* Last round of comment changes hopefully

Signed-off-by: Nick Young <[email protected]>

* Update GEP-2648 and GEP-2649 to provisional

Signed-off-by: Nick Young <[email protected]>

* Hopefully last round of PR comments

Signed-off-by: Nick Young <[email protected]>

---------

Signed-off-by: Nick Young <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robscott robscott robscott left review comments

@david-martin david-martin david-martin left review comments

@sanjaypujare sanjaypujare sanjaypujare approved these changes

@frankbu frankbu frankbu approved these changes

@arkodg arkodg arkodg approved these changes

@howardjohn howardjohn Awaiting requested review from howardjohn

@youngnick youngnick Awaiting requested review from youngnick

Assignees

@robscott robscott

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/documentation Categorizes issue or PR as related to documentation. kind/gep PRs related to Gateway Enhancement Proposal(GEP) lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@maleck13 @k8s-ci-robot @youngnick @sanjaypujare @robscott @arkodg @frankbu @david-martin