WRKLDS-728: Disable apiservers

[ingvagabund]

Extend the OA init code to explicitly disable individual apiservers. The change is important for explicitly disabling DeploymentConfigs and Builds API through capabilities. The controlplane configuration on-disk data type gets rendered by OA operator in openshift/cluster-openshift-apiserver-operator#532.

[openshift-ci-robot]

@ingvagabund: This pull request references WRKLDS-728 which is a valid jira issue.

Details

In response to this:

TBD

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ingvagabund]

/retest-required

[openshift-ci-robot]

@ingvagabund: This pull request references WRKLDS-728 which is a valid jira issue.

Details

In response to this:

Extend the OA init code to explicitly disable individual apiservers. The change is important for explicitly disabling DeploymentConfigs and Builds API through capabilities. The controlplane configuration on-disk data type gets rendered by OA operator in openshift/cluster-openshift-apiserver-operator#532.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ingvagabund]

Internal types do not need the json tags

[dgrisonnet]

I think we will need to touch some other parts of the codebase to truly be able to enable/disable APIs. The current change only stop serving the APIs, but the underneath logic will still be executed even when the APIs are disabled.

The first one that I can see is the post start hooks: https://github.com/openshift/openshift-apiserver/blob/master/pkg/cmd/openshift-apiserver/openshiftapiserver/openshift_apiserver.go#L444-L473. Some of these will not be needed if their API is disabled.

Another part that will need to be gated on the config are the various caches configurations in https://github.com/openshift/openshift-apiserver/blob/master/pkg/cmd/openshift-apiserver/openshiftapiserver/config.go. I don't think we should create the cache of an API that is disabled. Same goes for the controllers that are normally used to fill these cache and respond to the apiserver.

There might be some other parts of the code that will need to be tweaked, but I generally think we should also try to enable/disable the logic behind the APIs.

[ingvagabund]

When trying to disable an unsupported group:

$ oc logs -n openshift-apiserver apiserver-db6f9dff8-5hq5q
Defaulted container "openshift-apiserver" out of: openshift-apiserver, openshift-apiserver-check-endpoints, fix-audit-permissions (init)
Copying system trust bundle
I0719 08:46:03.241688       1 dynamic_serving_content.go:113] "Loaded a new cert/key pair" name="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key"
I0719 08:46:03.749924       1 requestheader_controller.go:244] Loaded a new request header values for RequestHeaderAuthRequestController
I0719 08:46:03.752332       1 plugins.go:84] "Registered admission plugin" plugin="NamespaceLifecycle"
I0719 08:46:03.752347       1 plugins.go:84] "Registered admission plugin" plugin="ValidatingAdmissionWebhook"
I0719 08:46:03.752352       1 plugins.go:84] "Registered admission plugin" plugin="MutatingAdmissionWebhook"
I0719 08:46:03.752356       1 plugins.go:84] "Registered admission plugin" plugin="ValidatingAdmissionPolicy"
I0719 08:46:03.752670       1 admission.go:48] Admission plugin "project.openshift.io/ProjectRequestLimit" is not configured so it will be disabled.
I0719 08:46:03.753088       1 plugins.go:158] Loaded 5 mutating admission controller(s) successfully in the following order: NamespaceLifecycle,build.openshift.io/BuildConfigSecretInjector,image.openshift.io/ImageLimitRange,image.openshift.io/ImagePolicy,MutatingAdmissionWebhook.
I0719 08:46:03.753098       1 plugins.go:161] Loaded 9 validating admission controller(s) successfully in the following order: OwnerReferencesPermissionEnforcement,build.openshift.io/BuildConfigSecretInjector,build.openshift.io/BuildByStrategy,image.openshift.io/ImageLimitRange,image.openshift.io/ImagePolicy,quota.openshift.io/ClusterResourceQuota,route.openshift.io/RequiredRouteAnnotations,ValidatingAdmissionWebhook,ResourceQuota.
F0719 08:46:03.753366       1 cmd.go:72] only [apps.openshift.io build.openshift.io] APIs can be configured, "route.openshift.io" is not supported

[ingvagabund]

/retest-required

[ingvagabund]

/retest-required

[dgrisonnet]

I like the change to have an allow list with the API that can be disabled today. That said we still have the same problem as before from #366 (comment) where the inner logic (controller, cache, ...) will still be executed even if an API is disabled no?

Also, I think it would be a great addition to add a log line and maybe even a metric telling which API is enabled and which one is disabled.

[ingvagabund]

I like the change to have an allow list with the API that can be disabled today. That said we still have the same problem as before from #366 (comment) where the inner logic (controller, cache, ...) will still be executed even if an API is disabled no?

Checking the PostStart hooks I don't see anything related to DCs/Builds under https://github.com/openshift/openshift-apiserver/blob/master/pkg/cmd/openshift-apiserver/openshiftapiserver/openshift_apiserver.go#L453-L484. There's also no DCs/Builds informer mentioned in https://github.com/openshift/openshift-apiserver/blob/master/pkg/cmd/openshift-apiserver/openshiftapiserver/openshift_apiserver.go#L98-L142 or https://github.com/openshift/openshift-apiserver/blob/master/pkg/cmd/openshift-apiserver/openshiftapiserver/informers.go#L90-L99.

[dgrisonnet]

This looks good to me overall, but we might also want to disable these admission plugins https://github.com/openshift/openshift-apiserver/blob/master/pkg/cmd/openshift-apiserver/openshiftadmission/register.go#L37-L38 no?

[ingvagabund]

Those are registering handlers, which should not get invoked at all. Plus, RegisterOpenshiftAdmissionPlugins is invoked in RegisterAllAdmissionPlugins which is invoked in init() function. Too late to read the config and disable the handler.

[dgrisonnet]

We could maybe leverage the admission options to disable them? https://github.com/openshift/openshift-apiserver/blob/master/pkg/cmd/openshift-apiserver/openshiftapiserver/config.go#L212

But as you mentioned it should be impossible to invoke them so disabling them doesn't bring much value

[dgrisonnet]

nit: could you move that code inside a function to make New more readable?

[dgrisonnet]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dgrisonnet, ingvagabund

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [dgrisonnet]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9801454 and 2 for PR HEAD 2af0149 in total

[openshift-ci]

@ingvagabund: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-cmd	2af0149	link	false	/test e2e-aws-ovn-cmd

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.