k3s/plugin/pkg
k8s-merge-robot 5303794ef0 Merge pull request #25787 from liggitt/update-admission
Automatic merge from submit-queue

plumb Update resthandler to allow old/new comparisons in admission

Rework how updated objects are passed to rest storage Update methods (first pass at https://github.com/kubernetes/kubernetes/pull/23928#discussion_r61444342)

* allows centralizing precondition checks (uid and resourceVersion)
* allows admission to have the old and new objects on patch/update operations (sets us up for field level authorization, differential quota updates, etc)
* allows patch operations to avoid double-GETting the object to apply the patch

Overview of important changes:
* pkg/api/rest/rest.go
  * changes `rest.Update` interface to give rest storage an `UpdatedObjectInfo` interface instead of the object directly. To get the updated object, the storage must call `UpdatedObject()`, passing in the current object
* pkg/api/rest/update.go
  * provides a default `UpdatedObjectInfo` impl
  * passes a copy of the updated object through any provided transforming functions and returns it when asked
  * builds UID preconditions from the updated object if they can be extracted
* pkg/apiserver/resthandler.go
  * Reworks update and patch operations to give old objects to admission
* pkg/registry/generic/registry/store.go
  * Calls `UpdatedObject()` inside `GuaranteedUpdate` so it can provide the old object

Todo:
- [x] Update rest.Update interface:
  * Given the name of the object being updated
  * To get the updated object data, the rest storage must pass the current object (fetched using the name) to an `UpdatedObject(ctx, oldObject) (newObject, error)` func. This is typically done inside a `GuaranteedUpdate` call.
- [x] Add old object to admission attributes interface
- [x] Update resthandler Update to move admission into the UpdatedObject() call
- [x] Update resthandler Patch to move the patch application and admission into the UpdatedObject() call
- [x] Add resttest tests to make sure oldObj is correctly passed to UpdatedObject(), and errors propagate back up

Follow-up:
* populate oldObject in admission for delete operations?
* update quota plugin to use `GetOldObject()` in admission attributes
* admission plugin to gate ownerReference modification on delete permission
* Decide how to handle preconditions (does that belong in the storage layer or in the resthandler layer?)
2016-05-24 08:41:31 -07:00

| Name | Last commit | Date |
|---|---|---|
| admission | Change rest storage Update interface to retrieve updated object | 2016-05-23 21:09:26 -04:00 |
| auth | Add LRU Expire cache to webhook authorizer. | 2016-05-21 14:50:50 -07:00 |
| client/auth | add tests for the OIDC WrapTransport | 2016-05-18 17:03:12 -07:00 |
| scheduler | Refactor scheduler to expose predicates to cluster autoscaler | 2016-05-24 09:04:31 +02:00 |
| webhook | Pull common webhook code into generic webhook plugin. | 2016-05-10 14:41:14 -07:00 |