Add MatchLabelKeys validation for PodTemplateSpec #130534
Conversation
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mochizuki875 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
889738e to
ac8226b
Compare
|
/retest |
1 similar comment
|
/retest |
There was a problem hiding this comment.
Maybe we could add some valid cases to cover the following scenarios:
- A test where no conflicts exist.
- A test with an empty label selector (or even a nil label selector, if allowed) along with non-empty matchLabelKeys to verify that no error is raised when there’s nothing to conflict with.
- Include a test case where mismatchLabelKeys and matchLabelKeys are both provided but do not overlap.
| // Here, we found the duplicate key in labelSelector and the key is specified in labelKeys. | ||
| // Meaning that the same key is specified in both labelSelector and matchLabelKeys/mismatchLabelKeys. | ||
| allErrs = append(allErrs, field.Invalid(fldPath.Index(i), key, "exists in both matchLabelKeys and labelSelector")) | ||
| if strings.Contains(fldPath.String(), "template.spec") { // PodTemplateSpec validation |
There was a problem hiding this comment.
Do we have a robust way to detect PodTemplateSpec, not sure if this check may match unexpected cases in the future.
There was a problem hiding this comment.
I've reconsidered and changed to use opts.ResourceIsPod.
| expectedErr: field.ErrorList{ | ||
| field.Invalid(rootFld.Child("spec").Child("affinity").Child("podAffinity").Child("preferredDuringSchedulingIgnoredDuringExecution").Index(0).Child("podAffinityTerm").Child("matchLabelKeys").Index(0), "/key", "prefix part must be non-empty"), | ||
| }, | ||
| spec: &core.PodTemplateSpec{ |
There was a problem hiding this comment.
Do we have test cases to cover core.PodSpec{ scenario
} else { // PodSpec validation
// labelKeysMap is keyed by label key and valued by the index of label key in labelKeys.
labelKeysMap := map[string]int{}
for i, key := range matchLabelKeys {
There was a problem hiding this comment.
They have already been added as part of the existing test cases in TestValidatePod().
e.g.
kubernetes/pkg/apis/core/validation/validation_test.go
Lines 11543 to 11575 in 9d9e1af
| ), | ||
| }, | ||
| }, { | ||
| description: "invalid hard pod anti-affinity, key exists in both MatchLabelKeys and MismatchLabelKeys", |
There was a problem hiding this comment.
Do we need to test positive case, where mismatchLabelKeys and matchLabelKeys are both provided but do not overlap.
There was a problem hiding this comment.
I've added positive test cases as successCases.
| { | ||
| LabelSelector: &metav1.LabelSelector{}, | ||
| TopologyKey: "k8s.io/zone", | ||
| MatchLabelKeys: []string{"key1", "key2", "key1"}, |
There was a problem hiding this comment.
Do we have test cases that only a subset of the provided keys is problematic (for example, one key is duplicated or conflicts while others are valid) between MatchLabelKeys/LabelSelector/MismatchLabelKeys
There was a problem hiding this comment.
I've fixed the additional test cases.
e.g.
kubernetes/pkg/apis/core/validation/validation_test.go
Lines 23916 to 23937 in 6dcf62b
ac8226b to
0ab306a
Compare
|
The origin information "labelKey" has been added to the error of ValidateLabelName() by #130388, and |
|
@haosdent |
|
@haosdent |
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What type of PR is this?
/kind feature
/sig scheduling
What this PR does / why we need it:
As #130063, when an attempt is made to create an object(e.g.
Deployment) containing aPodTemplateSpecwith a specific key that exists in bothPodAffinity'smatchLabelKeysandlabelSelector, thePodTemplateSpecvalidation will pass.However, the Pods are not created due to the
PodSpecvalidation.I think it makes users confused, and the
PodTemplateSpecvalidation should fail in this case.In this PR, I've added
MatchLabelKeysvalidation forPodTemplateSpecto validate such cases.Which issue(s) this PR fixes:
Fixes #130063
Special notes for your reviewer:
I've added test cases for this PR to
TestValidatePodTemplateSpecSeccomp(), which invokesValidatePodTemplateSpec()for each test case containingPodTemplateSpec.While the name of
TestValidatePodTemplateSpecSeccomp()contains "seccomp", the invoked methodValidatePodTemplateSpec()used for more than just seccomp validation and should have a more general name.Therefore I've submitted another PR.(#130155)
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: