Account for mutating webhooks with side effects when batch dry-run server-side apply

[timothysmith0609]

This PR adds some smarts to the batch dry-runner. In particular, it cross-references the supplied list of resources with those that have mutating admission webhooks which are not dry-run safe. Resources that we know will fail batch dry-running are thus pre-emptively added to the legacy dry-run flow.

[timothysmith0609]

This is a straightforward implementation of the rules defined here.

[dturn]

Any idea how to ask the api server what GVKs it knows to convert between? Not saying we use them, but this adds to our list of things that break with non-unique kinds.

[timothysmith0609]

Any idea how to ask the api server what GVKs it knows to convert between?

From my understanding, the Equivalent condition simply disregards gv (I'm tempted to open an upstream issue since this can have undesirable side-effects as we've found). I don't think this is something for Krane to deal with.

From the official reference:

Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.

[timothysmith0609]

This does not fail the dry-run, as I would have thought, even though the Secret resource is not part of the dry-run apply (and is not present on the cluster beforehand). I will try a few more failure scenarios to see if I can actually induce this type of transitive failure

[timothysmith0609]

As discussed, we still fall back to per-resource dry-running if the batch fails

[dturn]

Some small thoughts but looking like its on the right direction.

[dturn]

This makes me think we want a MutatingWebhookConfigurations class instead of putting all of the logic in this function.

[timothysmith0609]

I made a few attempts at this. Modelling it as a KubernetesResource didn't seem right, but neither did modelling it in the top-level namespace. If I had to make a choice, I'm tempted to do the latter.

[dturn]

Maybe its time for an Internal namespace for objects that are K8s objects but aren't designed for having deploy logic?

[timothysmith0609]

I'm loath to make the separation... ultimately this is still just a kubernetes object. For now, I've made it a subclass of KubernetesResource and added the appropriate overrides should one of these ever be deployed.

[dturn]

Any idea how to ask the api server what GVKs it knows to convert between? Not saying we use them, but this adds to our list of things that break with non-unique kinds.

[dturn]

I can never remember the pass by semantics of ruby but, Is resources a copy or does this impact validate_resources

[timothysmith0609]

It's pass by reference, however the -= operator returns a new object, not a mutation of the old one. If we used, e.g. <<, then we would mutate the incoming object. As a matter of caution, I'll dup the resources array to avoid any issues in the future.

[dturn]

Some questions about the tests, code looks good

[dturn]

Why not actually deploy this into the cluster?

[timothysmith0609]

I didn't realize I could just set failurePolicy: ignore with a small timeout to circumvent the need for an actual webhook server. I've changed the tests to actually deploy a real MutatingWebhookConfiguration and use that to test things out.

Worth noting that the partitioning logic is only really necessary for v1beta1 resources, since v1 only allows (and requires) either None or NoneOnDryRun to be specified for the sideEffects field.

[dturn]

I'm not seeing how this test verifies are_not_batched

[timothysmith0609]

I've fleshed out this test a bit more

[dturn]

👍

[karanthukral]

sorry for the delayed review