-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add global() selector #1229
Add global() selector #1229
Conversation
1) Implement a Token Global for handling `global'
07be0bd
to
5b6faa8
Compare
Add support for rules and selector for global keyword and add unit test case
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need some validation that global()
isn't specified in regular selectors, since IIUC it won't function properly in that case, right?
e.g.,
spec.Selector will never select non-namespaced things, so it should be imposible to put global()
in that field.
lib/apis/v3/policy.go
Outdated
@@ -137,6 +137,9 @@ type EntityRule struct { | |||
// For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting | |||
// only workload endpoints in the same namespace as the NetworkPolicy. | |||
// | |||
// For NetworkPolicy, `global` NamespaceSelector implies that the Selector is limited to selecting |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
global -> "global()"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, but we need validation to make sure that this selector is not used except in the NamespaceSelector
field for NetworkPolicy, and/or main selector in GNPs, since IIUC it's not valid for use in the other selector fields.
@lmm please check with @krishgobinath about adding validation - he's planning to add this in the next week or so. |
@lmm Is there already a doc PR for this? I'd quite like to review that too, preferably before or at the same time as this one. (Or a design doc?) Specifically, as well as what @caseydavenport says, I'm wondering if |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Am I right that this is mostly copied from our Enterprise code? Please can you list or identify the changes that are additional to that? (Because I think there's less value in reviewing Enterprise-copied code.)
If there isn't already a design or doc that says this, please can you also summarise, for me, where global()
is allowed, and why?
Thanks @neiljerram . The first 2 commits are cherry-picked from enterprise code. The last commit is newly added. The docs PR (also cherry-picked) is here: projectcalico/calico#3643
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one piece of validation+test missing, I think, and a possible text markup.
lib/validator/v3/validator.go
Outdated
reflect.ValueOf(spec.Selector), | ||
"NetworkPolicySpec.Selector", | ||
"", | ||
reason(fmt.Sprintf("%s can only be used in a GlobalNetworkPolicy EntityRule", globalSelector)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add "namespaceSelector" ? (And similarly in all other occurrences below.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
}, | ||
}, | ||
}, true, | ||
), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to add test and validation for disallowing global()
in EntityRule selector field.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
global() and projectcalico.org/name == '<value>' cannot be used with other selectors.
@neiljerram this is ready for another look. One comment re:
I had a chat with @doublek about this and the intent of the all(), global(), and projectcalico.org/name namespaceSelectors is that they should be used on their own and not in combination. I've added validation for this for global() and projectcalico.org/name. But I left all() untouched as we already do some canonicalization where all() && some-other-selector results in the selector parser to reduce that to all(), and maybe we want to preserve that behaviour? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved because I don't want to block this. I'm not sure about the projectcalico.org/name addition, but happy to leave that to you.
@@ -66,6 +67,13 @@ var ( | |||
// Hostname have to be valid ipv4, ipv6 or strings up to 64 characters. | |||
prometheusHostRegexp = regexp.MustCompile(`^[a-zA-Z0-9:._+-]{1,64}$`) | |||
|
|||
// global() cannot be used with other selectors. | |||
andOr = `(&&|\|\|)` | |||
globalSelectorRegex = regexp.MustCompile(fmt.Sprintf(`%v global\(\)|global\(\) %v`, andOr, andOr)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: should the RE have *
after the space, to allow for any amount of whitespace?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I see you already have a test for "global()||all()"
, so perhaps
in the RE already stands for any amount of whitespace? (Otherwise, how is that test passing?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We parse the selector string first and use the String() from that result for the validation matching. The parsing will trim out all of the whitespace.
lib/validator/v3/validator.go
Outdated
globalSelectorRegex = regexp.MustCompile(fmt.Sprintf(`%v global\(\)|global\(\) %v`, andOr, andOr)) | ||
|
||
// projectcalico.org/name cannot be used with other selectors. | ||
namespaceSelectorRegex = regexp.MustCompile(fmt.Sprintf(`%v projectcalico.org/name == ".*"|projectcalico.org/name == ".*" %v`, andOr, andOr)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks plausible to me, but:
- is it right to add this validation into the current PR? is there a particular motivation for that?
- what about, for example,
projectcalico/name in {"red", "blue", ...}
- which I think should be allowed on its own, but probably not combined with anything else.
Unless there's a strong reason to include, I think it might be better to split the projectcalico.org/name
validation out into another PR, so we can discuss its motivation and details more there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you're right - I'll remove the projectcalico.org/name
bits
Comments covered by follow-up commits
Description
This PR adds support for the
global()
keywordTodos
Release Note