Updating GEP-2648 to support multiple target refs #2966
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
the
cncf-cla: yes
|
@robscott: GitHub didn't allow me to request PR reviews from the following users: guicassolato. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
do-not-merge/hold
robscott
force-pushed
the
policy-targetrefs
branch
from
6d82760 to
381de51
Compare
| // in different namespaces. For more information on how this policy attachment | ||
| // model works, and a sample Policy resource, refer to the policy attachment | ||
| // documentation for Gateway API. | ||
| type NamespacedPolicyTargetReference struct { |
There was a problem hiding this comment.
I'm not sure if it's needed, but it looks like this type may be missing from some places where PolicyTargetReference has been swapped to LocalPolicyTargetReference like apis/applyconfiguration/internal/internal.go?
There was a problem hiding this comment.
Good catch - that was an intentional omission for now, basically leaving out NamespacedPolicyTargetReferenceWithSectionName until we're very sure we need it. It should be easy for us to add in the future or for someone else to recreate on their own if needed, just generally think that namespaced targets in policies should be a rare exception. Happy to change though if you'd prefer I add all the types up front.
There was a problem hiding this comment.
Make sense, agreed keeping this simpler unless/until we have an actual need is best!
robscott
force-pushed
the
policy-targetrefs
branch
from
381de51 to
16c2d12
Compare
Based on kubernetes-sigs/gateway-api#2966. Note that we do not HAVE to follow the GatewayAPI here; we can make our own decision. There is, however, a general desire to allow multiple for ergonomics. In this proposal, I hide `targetRef`, but the API will remain + be implemented forever. Implementation cost here is near zero, as we can easily translate it to a single `targetRefs`; we just hide from docs to push users toward the new ones.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: howardjohn, mikemorris, robscott The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
LGTM |
|
|
||
| ### Multiple | ||
|
|
||
| In some cases, it may be desirable for a policy to target more than one resource |
There was a problem hiding this comment.
@robscott have you considered allowing multiple targetRefs ONLY for inherited policies, and disallowing in direct attach policies? I thought the spirit of direct attach policies was that they were one-to-one and the ancestor status was clear.
There was a problem hiding this comment.
I personally see value in supporting multiple targetRefs at both, Direct and Inherited policies. Rationale:
- One who targets multiple HTTPRoutes with a Direct policy can potentially manage only one policy object instead of also many, less repetition, etc.
- Simplicity, the only difference between the two would continue to be, as of today, the
sectionName.
Especially the latter I believe to be consistent in the long run with the possibility of Direct vs Inherited being reduced to different merge strategies, and not necessarily two big classes of policies – see #2927 (comment).
There was a problem hiding this comment.
I just added a separate response that I think is related to this question too. Essentially I agree that we're headed in that direction with #2927, but I'm trying to focus this on the smallest set of changes required to enable changes to our Backend policies in v1.1, which both happen to be direct. I think once someone has time to formally propose the rest of the changes discussed in #2927 and make the corresponding updates to the GEP, all of this will apply equally to direct and inherited policies.
| * The number or scope of objects is exactly _one_ object. No label selectors or | ||
| lists of `targetRef` are allowed. |
There was a problem hiding this comment.
I think this rule should stay for Direct Attached. It is the Inherited policy that should reference multiple objects.
There was a problem hiding this comment.
Good point, I'm looking at this PR as the smallest subset of #2927 that is required for v1.1. Since both BackendTLSPolicy and BackendLBPolicy are considered "direct" policies, that seemed like the most important type of policy to extend with this capability. With that said, I think there's broad consensus as part of the discussion around #2927 that both direct and inherited will effectively be merged when the full set of changes described there are merged, so this will eventually affect all policies.
Even with that background, I think the primary differentiator between direct and inherited is if policies could affect multiple layers (ie Route and Gateway) or not. In the case of our Backend policies, they still can only affect the backend layer, so I think we're still meeting the original goals of direct policies.
* policy attachment: allow `targetRefs` Based on kubernetes-sigs/gateway-api#2966. Note that we do not HAVE to follow the GatewayAPI here; we can make our own decision. There is, however, a general desire to allow multiple for ergonomics. In this proposal, I hide `targetRef`, but the API will remain + be implemented forever. Implementation cost here is near zero, as we can easily translate it to a single `targetRefs`; we just hide from docs to push users toward the new ones. * codegen * Align documentation * consistency
|
|
||
| #### Migration from Single to Multiple Targets | ||
|
|
||
| Existing policies with a single `targetRef` may want to transition to supporting |
There was a problem hiding this comment.
happy to see the focus on trying to solve this issue of how a user can author intent once (one policy), and apply it to multiple targets. Pluralizing targetRef seems to be the simplest way to support this, but imo this style only works well when the count of targetRefs is 2-10.
When a user wants to define an implementation specific SecurityPolicy resource and apply it to 50 or even 1000 xRoutes, this becomes tedious. This is where label selectors can help reduce the number of lines to author to get the job done.
This style is used in other field within Gateway API like AllowedRoutes.
We may want to take smaller steps when supporting multiple targets, but wanted to highlight that there is a real need to support other ways to target resources, and hoping we leaving space for that in the API
There was a problem hiding this comment.
thinking out loud, here's one way to achieve it
targets:
refs:
- .....
There was a problem hiding this comment.
+1 for this.
Although matching the policy by labels may be complex and less efficient than the current KV matching used by targetRefs , providing this solution as an optional implementation would be more user-friendly.
There was a problem hiding this comment.
This has been mentioned previously somewhere (I believe by @youngnick, but I can't find the reference currently) as a possible future addition if needed, but intentionally omitted to start to keep complexity constrained while we figure out how to handle status and discoverability in a reasonably performant way.
Agreed that targetRefs is not ideal for scaling beyond a handful of referenced objects (I think that's intentional and not necessarily a bad thing).
Before considering this addition, I'd first want to dig in to whether using an inherited policy targeted at a namespace or gateway may be sufficient for these use cases rather than targeting dozens or hundreds or routes individually. The best argument I've seen for supporting a selector so far is for #1812, and Istio does already implement a split targetRef or selector API model on https://istio.io/latest/docs/reference/config/security/authorization-policy/#AuthorizationPolicy and other resources so there are other implementations with prior art, but I'd consider this beyond the scope of this immediate change for now.
There was a problem hiding this comment.
Agree with @mikemorris that label selection here is a bigger problem than I'm trying to solve in this PR. Likely worth adding this idea to the broader policy discussion in #2927 though to see what kind of traction it gets.
There was a problem hiding this comment.
@arkodg was part of your original comment here also an argument for starting with a smaller max length than the "16" that I'd originally proposed?
There was a problem hiding this comment.
@robscott my orig comment was to make sure we can extend this API easily in the future in case we want to add selector support
There was a problem hiding this comment.
Are there few enough people that have implemented Policy that we wouldn't want to make this change by deleting the v1a2 Policy and instead migrate it to v1a3 with the changes? For the same reasons as mentioned in #2955 (comment)?
There was a problem hiding this comment.
Hmm good suggestion, that might be the best way to handle this.
There was a problem hiding this comment.
Good question - I think this is different since we're not directly generating CRDs from these types, so versioning doesn't seem to carry the same weight. It might actually be better to move these types to an internal/unversioned package instead since these primarily exist as a reference point + for use in our relatively new Policy CRDs (BackendTLSPolicy and BackendLBPolicy).
There was a problem hiding this comment.
+1 There may be other CRDs that don't require specific versioning. It would be great to have a policy in place, no pun intended.
There was a problem hiding this comment.
These feel similar to the types in https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1/shared_types.go - moving them to internal/unversioned could be reasonable if we have some safeguards in place to protect against breaking changes that may propagate up to a published CRD that is versioned (like for instance if we just removed a namespace field without considering the implications for whether any published CRD embedding this type may need a revision bump).
This also clarifies cross-namespace references.
robscott
force-pushed
the
policy-targetrefs
branch
from
16c2d12 to
f7abd3d
Compare
|
Let's land this as well. 🙂 /lgtm |
k8s-ci-robot
added
the
lgtm
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
What type of PR is this?
/kind gep
What this PR does / why we need it:
This PR is a follow up to both #2955 and #2927. It makes two changes to the direct policy attachment GEP:
Both of these changes are after significant discussion at KubeCon and in a follow up meeting around how we can improve policy attachment. They are particularly timely because in this release we are already making breaking changes to BackendTLSPolicy and we're introducing another policy (BackendLBPolicy). I'd like to avoid future breaking changes to both of those policies by including these changes for both policies in v1.1.
Which issue(s) this PR fixes:
Continues on #2648
Does this PR introduce a user-facing change?:
/cc @arkodg @candita @gcs278 @guicassolato @mikemorris @shaneutt