Adding KEP 2365: IngressClass Namespaced Params

[robscott]

This proposes adding a new optional Namespace field to IngressClass Parameters references.

Enhancement Issue: #2365

/sig network
/cc @danehans @cmluciano @hbagdi @bowei
/assign @johnbelamaric @thockin

[thockin]

Proposal looks OK from an API POV

[thockin]

/lgtm

[bowei]

Does this need to be a pointer?

[robscott]

My understanding was that we only need a pointer when there is a distinction between a nil and empty value. In this case "" and nil would be interpreted in the same way. Wherever possible I try to avoid pointers because they can be a pain to work with. We can use omitempty to ensure that "" would be omitted from serialization here. This matches the approach we've taken with service-apis which I believe was inspired by upstream.

[thockin]

No. Convention is that all optional fields should be pointers. Yes, there's an optimization we could (and sometimes have) made when the Go zero-value is not a valid value or is the correct default, but until we have machinery that automates that (i.e. and IDL) I'd rather stick to convention, unless we have a good reason (e.g. scale) not to.

[hbagdi]

The confusion of +optional and pointers strikes again. 😁

[thockin]

@apelisse has spent time on this problem and @DirectXMan12 is thinking around IDL. No action needed, but something to think about - if we have an IDL should we make that optimization in all possible cases?

[robscott]

How broadly should we be applying this pattern? Should we adjust our types in service-apis as well to use pointers for all optional fields, even if nil and zero values are treated identically?

[lavalamp]

Please don't have an unset field mean cluster scoped. I recommend an explicit "scope: cluster/namespace" in addition to having the namespace field.

Unset fields are best used to indicate "I don't have an opinion". Our API sadly has lots of anti-examples.

[robscott]

Good call, I've expanded this to add a scope field as well. Is it still appropriate to consider the namespace field optional if it will be required when scope==cluster?

[thockin]

Yes, thank you! This is why I want an IDL

…

On Thu, Jan 28, 2021 at 11:54 PM Bowei Du ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In keps/sig-network/2365-ingressclass-namespaced-params/README.md <#2366 (comment)> : > +// IngressClassParametersReference identifies an API object. This can be used +// to specify a cluster-scoped or namespace-scoped resource. +type IngressClassParametersReference struct { + // APIGroup is the group for the resource being referenced. If APIGroup is not + // specified, the specified Kind must be in the core API group. For any other + // third-party types, APIGroup is required. + // +optional + APIGroup *string + // Kind is the type of resource being referenced. + Kind string + // Name is the name of resource being referenced. + Name string + // Namespace is the namespace of the resource being referenced. When empty, + // this reference will refer to a cluster-scoped resource. + // +optional + Namespace string Does this need to be a pointer? — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#2366 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKWAVGKBBFP4SYZRZ32B23S4JSSBANCNFSM4WYDYMUQ> .

[hbagdi]

Question: How is this going to be incorporated into IngressClassSpec struct in a non-breaking fashion?

	// Parameters is a link to a custom resource containing additional
	// configuration for the controller. This is optional if the controller does
	// not require extra parameters.
	// +optional
	Parameters *api.TypedLocalObjectReference

[robscott]

That's a great question. My understanding was that changes to underlying Go types were acceptable between releases. I could be wrong on that though. Maybe @thockin knows if changing Parameters *api.TypedLocalObjectReference to Parameters *IngressClassNamespacedParams would be a breaking change here.

[thockin]

The Go type is not really part of the API (though it does get exposed in client-go). I think this is why folks like @deads2k are giving guidance to COPY the type you want into your own scope.

I don't know the client-go rules on this sort of 'breaking" change, but ISTR it was somewhat looser than the k8s APIs.

@lavalamp ?

[thockin]

@DirectXMan12 - this might be something an IDL could automate - "clone a library type into my group" ?

[hbagdi]

The Go type is not really part of the API (though it does get exposed in client-go). I think this is why folks like @deads2k are giving guidance to COPY the type you want into your own scope.

TIL. I had wrongly assumed it to be part of the API.
I do recall to have ran into issues where breaking changes in client-go required some minor refactors in controllers using it. Although in my limited experience, the changes I've seen up to this point have been in client-go itself and not k8s API types.

EDIT: To be clear, I'm not against this change. I simply want to know the compat promise.

[lavalamp]

The thing we make promises about is the wire format of the API. So the question is what will old/new clients do with the new/old api? That probably works out OK (although I didn't review this super carefully).

Do we care about breaking the public go interface? kinda sorta. We often find a "good reason" to break it. :/ We don't typically consider that when looking at API changes. This would be less problematic if we ever managed to factor the client to split the api version into a separate package from all the logic.

[johnbelamaric]

Are there any security implications here? For example, this would allow user with only access to Namespace "a" to reference an IngressClass that has references to Namespace "b". Is there anyway that can be exploited?

[robscott]

That's a great question. We've thought of parameters as descriptive resources that should not include any sensitive information. Configuration might include the type of infrastructure provisioned for a resource and/or whether it should be exposed externally. In general, these resources should be difficult to write to but easy to read from.

Of course that's all how we intend for this resource to be used. A rather unfortunate consequence of this change is that it would be possible to reference secrets in another namespace. I would hope that controller implementations would not support this, but if this did happen, I think it would have significant security implications. Maybe better guidance for how Parameters resources should be used would suffice here?

[johnbelamaric]

Yes, probably documentation for controller authors is a good start. My initial concern, which maybe is totally unfounded, would be that some controller may treat IngressClass like a preset: that is, allow multiple ingress classes for their controller that preset some values for the Ingress, allowing teams to sort of independently attach to that preset...in particular the TLS cert. This is probably paranoia.

[robscott]

Yeah that's a real concern, certainly not the intent of this change but a real potential use of it. I think that specific example is not new here though. This would still be possible with cluster-scoped params since this would theoretically be a reference from params to a secret. I guess someone could embed a cert directly into the params, but of course that's not a good idea.

We will need some much improved documentation for how to use params resources, and especially how not to. I've added a note about this in the alpha release criteria.

[johnbelamaric]

PRR looks good but will hold off on approve as it will approve the whole thing.

[robscott]

@johnbelamaric @thockin I believe all comments have been resolved, PTAL.

[thockin]

API nits can be followups or just fix in code PR

[thockin]

constants start with Capitals - Cluster, Namespace.

[thockin]

...and not allowed when unset or set to Cluster

[thockin]

Will need to be a pointer, too

[thockin]

Thanks!

/lgtm
/approve

[johnbelamaric]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johnbelamaric, robscott, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [johnbelamaric]
• keps/sig-network/OWNERS [johnbelamaric,thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment