*No* merging of policies #10
Conversation
| # Motivation | ||
| [motivation]: #motivation | ||
|
|
||
| As per the specification, a given resource will always need to support multiple policies targeting it. |
There was a problem hiding this comment.
+1 to this description, clear and concise
| If two policies target the same `HTTPRouteRule`, one would take precedence over the other according to | ||
| the Gateway API's merging rules. | ||
|
|
||
| With these rules, Kuadrant can "easily" identify what policies apply to an `HTTPRoute`, possibly |
There was a problem hiding this comment.
one thing that occurred to me might be to actually reflect this in the status of the HTTPRoute in a condition
| for `color` precedes and as such `blue` will be enforced for _any_ `HTTPRoute` that ends up being wired | ||
| to this `Gateway`. | ||
|
|
||
| That policy tho has no traffic to police yet. Unless an `HTTPRoute` binds that `Gateway` to a |
|
|
||
| ## What actual use-cases does this address? | ||
|
|
||
| - An admin restricts all traffic using a `default` at the gateway to force application developers to |
There was a problem hiding this comment.
It also ensure no unlimited endpoints are exposed
|
|
||
| So there are a couple of things to consider here: | ||
|
|
||
| - status reporting on "not yet" existing `HTTPRouteRule`, e.g. a Policy declares a set of `matches` that |
There was a problem hiding this comment.
Yes I think reporting status in the RLP and in the HTTPRoute / Gateway is worth consideration
example on a condition of the HTTPRoute status we could add something like GVK name namspace enforced
| # Drawbacks | ||
| [drawbacks]: #drawbacks | ||
|
|
||
| - The use cases this approach doesn't address… |
There was a problem hiding this comment.
I think linking to kubernetes-sigs/gateway-api#1489 would make sense here also
| would be an alternative and provide finer grained control over how a policy applies, i.e. at the | ||
| `HTTPRouteRule` level, or even on a per `HTTPBackendRef` within an `HTTPRouteRule`. But today there is | ||
| no way (that I know of) for us to add a `HTTPRouteFilterType` to the list of supported | ||
| `HTTPRouteFilter` by a Gateway API implementor. |
There was a problem hiding this comment.
if there was a way to do this (for example if we proposed a GEP around third party filters), would this compliment the policy side? Does a filter at the gateway level make sense? I don't see how filters would solve the use case of wanting to set a default limit for all new endpoints
|
|
||
| - What use cases are we making "overly" complex, because of the duplication of `HTTPRoute`'s | ||
| `HTTPRouteMatch` ? | ||
| - Is it fine for the `matches` section to be at the same level as `default`, `override` and `targetRef`? |
There was a problem hiding this comment.
I think the fact it is an optional complexity is the perfect balance at least until we hear otherwise via new use cases. You have the "target all of a resource by default" and given a way to cover more advanced use cases and targeting. I also like the fact that the default section stays focused on the actual domain (RL) and leaves the targeting as a separate piece
| apply to other matches. So that traffic to `bar-svc` on port `8080` would be colored `green` as per the | ||
| `PaintPolicy` attached to `my-gw`. | ||
|
|
||
| The resolving of _Policies_ to enforce occurs at the `HTTPRoute` or within individual `HTTPRouteRule` |
There was a problem hiding this comment.
I like that we can describe this relatively simply. That said I thnk we would want a good range of "example" policies to cover common use cases similar to how it is done for https://github.com/kubernetes-sigs/gateway-api/tree/main/examples/standard
|
Looking good, indeed. |
|
I'd suggest trying the same Policy Attachment exercise based on this approach as well, i.e. without merges. My guts say that it's going to be significantly easier... at least for Kuadrant 🙂 |
Update: My guts were wrong! I'm trying to solve use cases 1-5 of the exercise without merges and my head hurts a little. In the first example here, the What if I didn't want to change from an override to a default in the first PaintPolicy targeting the Gateway, but to create an additional kind: PaintPolicy
spec:
override:
color: blue
default:
color: yellow
when:
- special case
targetRef:
kind: Gateway
name: my-gwI would expect then What happens if I create that route-level policy? kind: PaintPolicy
spec:
default:
color: green
targetRef:
kind: HTTPRoute
name: foo-routeI imagine it would be a noop, because of the gw-level override still holding? So to be able to get kind: PaintPolicy
spec:
default:
color: green
when:
- special case
targetRef:
kind: HTTPRoute
name: foo-routeSo the owner of the HTTPRoute needs to be aware of the details in the first PaintPolicy attached to the GW, so it can be reasoned that in fact what's going to happen is: kind: PaintPolicy
spec:
override: # the part that cannot be changed as enforced by the gw override policy
color: blue
default: # the part that the gw default policy allows to be overridden
color: green
when:
- special case
targetRef:
kind: HTTPRoute
name: foo-route? |
|
@guicassolato ... to your yellow/green question: yes. |
|
@alexsnaps, I'm probably overthinking this but I still have to go through... Apologies in advance. What step 5 of the Policy Attachment exercise asks is actually even simpler (tho possibly harder to solve) than what I exemplified here with the PaintPolicy, because it does not involve conditions. At steps 1 and 2, an override policy is set at the level of the Gateway. No conditions there. Then, at step 5, a specific policy targeting an entire HTTPRoute is set. There's no conditions there either. I still don't know how to fix this. It looks like, without merging and without conditions, once you set an override at the level of the Gateway, there's no point in setting anything else at the level of the HTTPRoute, yes? And if there, for an entire HTTPRoute, a legit exception to an override set at the level of a Gateway, that exception needs to be specified in the policy that targets the Gateway. We don't want to remove the override, so it won't fall apart for the other HTTPRoutes where the override still holds. This in itself already means the problem cannot be solved without conditions... Some sort of condition. Because it's going to be, for a given route, either the policy that targets the Gateway or the policy that targets the HTTPRoute – i.e. all in, no merging –, it won't suffice a condition that says "this override, except in case X" and then specify what the policy is when "case X" in a separate policy targeting the HTTPRoute. What to apply for "case X" needs to go in the policy targeting Gateway as well, thus not leveraging hierarchy. To be fair, this is not a problem inherent of merging or not merging, but a problem inherent of how we identify the bits of a policy that can be overridden and the bits that cannot. No merging of policies I guess only means less granularity to those bits, maybe? Anyway, this thing that identify the bits seems to be pointing so far to the "conditions", but not any kind of condition; only the ones the control plane can reason about, practically ruling out what we've been calling "soft conditions". Back to the case of the default set at the level of the Gateway and the attempt to override it with a policy targeting the HTTPRoute, which seems a problem easier to solve than the problem of the override with one exception without condition... To me, it doesn't make sense to have a You said:
Do you mean adding a kind of kind: PaintPolicy
spec:
override:
color: blue
when:
- !special case
default:
color: yellow
when:
- special case
targetRef:
kind: Gateway
name: my-gwThen you said:
There are two possibilities here: a "hard" (route-related) condition and a "soft" (non route-related) condition. If If This raises a hypothesis that, for all that matters, to the control plane, soft conditions are just like having no conditions at all. Imagine the HTTPRoute exists but no policy was attached to it; it's only that one policy targeting the Gateway, with one I imagine it's the latter case, i.e. overrides and defaults only having meaning when dealing with conflicts between policies, but nothing between them within a same policy. So, now, if we do create the second policy (And from here I refer back to the beginning of my comment where |
* rfc: RateLimitPolicy v2 * add spec.limits.matches * Added drawbacks * Added implementation details for each example * Example section headers moved one level up * Future possibilities * Prior art * Added date and issue refs * Added pr #10 to the watchlist * fix: header name :host -> :authority * remove the concept of increment from the rfc - it deserves its own proposal to be discussed separately * fix unique hash route matcher identifiers * Atomic targeting of HTTPRouteRules * Back to matching any subset of HTTPRouteMatches as the way to select the HTTPRouteRules to be bound to a limit + Limit's name becomes a first-class citizen * Soft conditions do not accept expressions related to attributes of the HTTP request * Update the example of the Mechanics of generating RL descriptor actions for one that does not involve HTTP attributes used in 'soft' conditions * Fix example 1 so it's clear the HTTPRouteMatch does not have to entirely stated within the trigger matches, but only a portion of it will do (if that portion is enough to scope the limit)
|
superseded by #58 |
This aims at providing a much simpler model than what #4 is proposing. It comes pretty close to using
HTTPRouteFilter, as it lets you target the same granular "resource". It gets rid of merging policies, so thatdefault&overrides are merely a way to stack policies and use the one that ends up "on top" of the stack, according to all the resolve rules of the Policy Attachment hierarchy.