-
Notifications
You must be signed in to change notification settings - Fork 795
Add support for MatchExpressions #5201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
e97d9eb
19b2fe7
a87138c
6e4dab1
37a8d2d
604548f
a52eb93
c2fa492
76e5731
863905c
21f3d00
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,6 +6,7 @@ | |
| package v1alpha1 | ||
|
|
||
| import ( | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" | ||
| gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" | ||
| ) | ||
|
|
@@ -37,7 +38,14 @@ type TargetSelector struct { | |
| Kind gwapiv1.Kind `json:"kind"` | ||
|
|
||
| // MatchLabels are the set of label selectors for identifying the targeted resource | ||
| MatchLabels map[string]string `json:"matchLabels"` | ||
| // +optional | ||
| MatchLabels map[string]string `json:"matchLabels,omitempty"` | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not sure if it's safe to add
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. cc @arkodg
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Wouldn't this scenario be fine? eg. a nil map is still a valid map
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not sure how openapi's
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ah good point - also these APIs are marked alpha - so I wonder if there even is a guarantee that downgrades work
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah, so I see it as more about the rule on this project; whether/how much we consider downgrade scenarios. But, I believe, at least ideally, we should care the downgrading scenario for alpha APIs as well. Especially this change's blast radius could (i.e., we need to check) be terrible since we're not sure how kube-apiserver behaves with CRD update (in our case, version downgrade) that puts The obvious safer way here is to introduce this change at v1alpha2. (but, again, I'd defer to how other maintainers think and how we define the policy within the project)
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. thanks for raising this concern @sanposhiho
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sure, then let's go with this current change and future changes for alpha APIs as well. But, we need to watch out, generally speaking, some changes at CRD could break kube-apiserver layer (like you wouldn't be able to operate resources) when reviewing this kind of API changes. |
||
|
|
||
| // MatchExpressions is a list of label selector requirements. The requirements are ANDed. | ||
| // | ||
| // +optional | ||
| // +listType=atomic | ||
| MatchExpressions []metav1.LabelSelectorRequirement `json:"matchExpressions,omitempty"` | ||
| } | ||
|
|
||
| func (p PolicyTargetReferences) GetTargetRefs() []gwapiv1a2.LocalPolicyTargetReferenceWithSectionName { | ||
|
|
||
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -533,10 +533,22 @@ type targetRefWithTimestamp struct { | |
| CreationTimestamp metav1.Time | ||
| } | ||
|
|
||
| func selectorFromTargetSelector(selector egv1a1.TargetSelector) labels.Selector { | ||
| l, err := metav1.LabelSelectorAsSelector(&metav1.LabelSelector{ | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I also didn't see an opportunity to 'cache' the parsing here - if there's a way to do that with envoy gateway code (like some in memory temporal state) let me know |
||
| MatchLabels: selector.MatchLabels, | ||
| MatchExpressions: selector.MatchExpressions, | ||
| }) | ||
| if err != nil { | ||
| // TODO - how do we we bubble this up | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I didn't see a validation phase after cel but before translation. So for now if we can't parse the selector we match nothing.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can you open a follow-up issue so that we don't forget this? If users get trapped in this, it's going to be hard for them to figure out why their change isn't working. So, we should report it somewhere, probably at the resource's status ideally. |
||
| return labels.Nothing() | ||
| } | ||
| return l | ||
| } | ||
|
|
||
| func getPolicyTargetRefs[T client.Object](policy egv1a1.PolicyTargetReferences, potentialTargets []T) []gwapiv1a2.LocalPolicyTargetReferenceWithSectionName { | ||
| dedup := sets.New[targetRefWithTimestamp]() | ||
| for _, currSelector := range policy.TargetSelectors { | ||
| labelSelector := labels.SelectorFromSet(currSelector.MatchLabels) | ||
| labelSelector := selectorFromTargetSelector(currSelector) | ||
| for _, obj := range potentialTargets { | ||
| gvk := obj.GetObjectKind().GroupVersionKind() | ||
| if gvk.Kind != string(currSelector.Kind) || | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: empty
MatchLabelsand and emptyMatchExpressionswill match everythingUh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was this previous behavior with MatchLabels? if not, let's add a release note for a breaking change.
Also, in general, let's document these semantics in the top-level struct.
What's the behavior if both are set? If this is not allowed, maybe we should:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah - nil/empty set matches everything - see ref
They can be used in conjunction with each other - like a regular metav1.LabelSelector. This is similar behaviour to the namespaceSelector on various k8s types.
You can see it in the parsing logic here - https://github.com/kubernetes/apimachinery/blob/a19f1f813776bd4a90401b63a96e07ed847f88d0/pkg/apis/meta/v1/helpers.go#L36