8000 Add status field to policy resource by LorcanMcVeigh · Pull Request #1317 · nginx/kubernetes-ingress · GitHub
Merged
20 changes: 20 additions & 0 deletions deployments/common/crds-v1beta1/k8s.nginx.org_policies.yaml
Expand Up @@ -6,6 +6,14 @@ metadata:
creationTimestamp: null
name: policies.k8s.nginx.org
spec:
additionalPrinterColumns:
- JSONPath: .status.state
description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
name: State
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: k8s.nginx.org
names:
kind: Policy
Expand All @@ -16,6 +24,8 @@ spec:
singular: policy
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
Expand Down Expand Up @@ -127,6 +137,16 @@ spec:
type: integer
zoneSize:
type: string
status:
description: PolicyStatus is the status of the policy resource
type: object
properties:
message:
type: string
reason:
type: string
state:
type: string
version: v1
versions:
- name: v1
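Review bot: `status.state` is declared as a free-form `string` at the end of the schema hunk, although the controller code in this PR only ever writes `StateValid` or `StateInvalid` for a Policy and the accompanying docs promise exactly `Valid` or `Invalid`; consider pinning it with `enum: [Valid, Invalid]` so a stray value cannot be stored. Do this only if the shared state constants used for VirtualServers (which also include a `Warning` state) are never written to a Policy, since the apiserver would then reject such an update. If this file is generated from the Go types rather than hand-edited, the constraint belongs on the type as a marker, and the same change applies to the two sibling CRD copies in this PR.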
22 changes: 21 additions & 1 deletion deployments/common/crds/k8s.nginx.org_policies.yaml
Expand Up @@ -16,7 +16,15 @@ spec:
singular: policy
scope: Namespaced
versions:
- name: v1
- additionalPrinterColumns:
- description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
jsonPath: .status.state
name: State
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
Expand Down Expand Up @@ -128,8 +136,20 @@ spec:
type: integer
zoneSize:
type: string
status:
description: PolicyStatus is the status of the policy resource
type: object
properties:
message:
type: string
reason:
type: string
state:
type: string
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
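Review bot: The `State` printer-column description (`If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller`) reads as a trust guarantee, but `subresources: status: {}` in the same hunk makes `status` a separately writable endpoint, and the RBAC in this PR grants `update` on `policies/status`; any principal holding that verb in the namespace can set `State: Valid` on a rejected policy. The controller never reads status back — `syncPolicy` re-runs `validation.ValidatePolicy` on every sync — so the field is informational only and must not be consumed as an authorization signal by anything downstream. Suggest wording the description accordingly, e.g. `Current state of the Policy as last reported by the Ingress Controller. Informational only; the spec is re-validated on every sync.`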
20 changes: 20 additions & 0 deletions deployments/helm-chart/crds/k8s.nginx.org_policies.yaml
Expand Up @@ -6,6 +6,14 @@ metadata:
creationTimestamp: null
name: policies.k8s.nginx.org
spec:
additionalPrinterColumns:
- JSONPath: .status.state
description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
name: State
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: k8s.nginx.org
names:
kind: Policy
Expand All @@ -16,6 +24,8 @@ spec:
singular: policy
preserveUnknownFields: false
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
Expand Down Expand Up @@ -127,6 +137,16 @@ spec:
type: integer
zoneSize:
type: string
status:
description: PolicyStatus is the status of the policy resource
type: object
properties:
message:
type: string
reason:
type: string
state:
type: string
version: v1
versions:
- name: v1
1 change: 1 addition & 0 deletions deployments/helm-chart/templates/rbac.yaml
Expand Up @@ -102,6 +102,7 @@ rules:
resources:
- virtualservers/status
- virtualserverroutes/status
- policies/status
verbs:
- update
{{- end }}
1 change: 1 addition & 0 deletions deployments/rbac/rbac.yaml
Expand Up @@ -76,6 +76,7 @@ rules:
resources:
- virtualservers/status
- virtualserverroutes/status
- policies/status
verbs:
- update
- apiGroups:
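Review bot: The new `policies/status` rule is not picked up by clusters that keep an already-applied ClusterRole, and the controller hunk in this PR logs a failed `UpdatePolicyStatus` only at `glog.V(3)`, so after an image upgrade without re-applying this manifest every policy status write fails with Forbidden silently at default verbosity. The PR should call this out in the upgrade/release notes (re-apply `deployments/rbac/rbac.yaml`, or upgrade the Helm chart so its `rbac.yaml` template is re-rendered). The verb list itself is already minimal — `update` on the status subresource only — which is the right least-privilege shape.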
Expand Up @@ -110,4 +110,44 @@ The Ingress controller must be configured to report a VirtualServer or VirtualSe

See the docs about [ConfigMap keys](/nginx-ingress-controller/configuration/global-configuration/configmap-resource) and [Command-line arguments](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments).

Notes: The Ingress controller does not clear the status of VirtualServer and VirtualServerRoute resources when it is being shut down.
Notes: The Ingress controller does not clear the status of VirtualServer and VirtualServerRoute resources when it is being shut down.

## Policy Resources

A Policy resource includes the status field with information about the state of the resource.
You can see the status in the ouput of the `kubectl get policy` command as shown below:
```
$ kubectl get policy
NAME STATE AGE
webapp-policy Valid 30s
```
In order to see additional addresses or extra information about the `Status` of the resource, use the following command:
```
$ kubectl describe policy <NAME>
. . .
Status:
Message: Configuration for default/webapp-policy was added or updated
Reason: AddedOrUpdated
State: Valid
```

### Status Specification
The following fields are reported in Policy status:

```eval_rst
.. list-table::
:header-rows: 1

* - Field
- Description
- Type
* - ``State``
- Current state of the resource. Can be ``Valid`` or ``Invalid``. For more information, refer to the ``message`` field.
- ``string``
* - ``Reason``
- The reason of the last update.
- ``string``
* - ``Message``
- Additional information about the state.
- ``string``
```
11 changes: 11 additions & 0 deletions docs-web/configuration/policy-resource.md
Expand Up @@ -651,4 +651,15 @@ Events:
```
Note how the events section includes a Warning event with the Rejected reason.

Additionally, this information is also available in the `status` field of the Policy resource. Note the Status section of the Policy:

```
$ kubectl describe pol webapp-policy
. . .
Status:
Message: Policy default/webapp-policy is invalid and was rejected: spec.accessControl.allow[0]: Invalid value: "10.0.0.": must be a CIDR or IP
Reason: Rejected
State: Invalid
```

**Note**: If you make an existing resource invalid, the Ingress Controller will reject it.
65 changes: 55 additions & 10 deletions internal/k8s/controller.go
Expand Up @@ -324,6 +324,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
ingressLister: &lbc.ingressLister,
virtualServerLister: lbc.virtualServerLister,
virtualServerRouteLister: lbc.virtualServerRouteLister,
policyLister: lbc.policyLister,
keyFunc: keyFunc,
confClient: input.ConfClient,
}
Expand Down Expand Up @@ -822,7 +823,7 @@ func (lbc *LoadBalancerController) syncIngressLink(task task) {
}
}

if lbc.areCustomResourcesEnabled && lbc.reportVsVsrStatusEnabled() {
if lbc.areCustomResourcesEnabled && lbc.reportCustomResourceStatusEnabled() {
virtualServers := lbc.configuration.GetResourcesWithFilter(resourceFilter{VirtualServers: true})

glog.V(3).Infof("Updating status for %v VirtualServers", len(virtualServers))
Expand All @@ -848,9 +849,25 @@ func (lbc *LoadBalancerController) syncPolicy(task task) {
pol := obj.(*conf_v1.Policy)
err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enablePreviewPolicies)
if err != nil {
lbc.recorder.Eventf(pol, api_v1.EventTypeWarning, "Rejected", "Policy %v is invalid and was rejected: %v", key, err)
msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err)
lbc.recorder.Eventf(pol, api_v1.EventTypeWarning, "Rejected", msg)

if lbc.reportCustomResourceStatusEnabled() {
err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateInvalid, "Rejected", msg)
if err != nil {
glog.V(3).Infof("Failed to update policy %s status: %v", key, err)
}
}
} else {
lbc.recorder.Eventf(pol, api_v1.EventTypeNormal, "AddedOrUpdated", "Policy %v was added or updated", key)
msg := fmt.Sprintf("Policy %v/%v was added or updated", pol.Namespace, pol.Name)
lbc.recorder.Eventf(pol, api_v1.EventTypeNormal, "AddedOrUpdated", msg)

if lbc.reportCustomResourceStatusEnabled() {
err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateValid, "AddedOrUpdated", msg)
if err != nil {
glog.V(3).Infof("Failed to update policy %s status: %v", key, err)
}
}
}
}

Expand Down Expand Up @@ -1022,7 +1039,7 @@ func (lbc *LoadBalancerController) processProblems(problems []ConfigurationProbl
eventType := api_v1.EventTypeWarning
lbc.recorder.Event(p.Object, eventType, p.Reason, p.Message)

if lbc.reportVsVsrStatusEnabled() {
if lbc.reportCustomResourceStatusEnabled() {
state := conf_v1.StateWarning
if p.IsError {
state = conf_v1.StateInvalid
Expand Down Expand Up @@ -1241,7 +1258,7 @@ func (lbc *LoadBalancerController) UpdateVirtualServerStatusAndEventsOnDelete(vs
msg := fmt.Sprintf("VirtualServer %s was rejected %s", getResourceKey(&vsConfig.VirtualServer.ObjectMeta), eventWarningMessage)
lbc.recorder.Eventf(vsConfig.VirtualServer, eventType, eventTitle, msg)

if lbc.reportVsVsrStatusEnabled() {
if lbc.reportCustomResourceStatusEnabled() {
err := lbc.statusUpdater.UpdateVirtualServerStatus(vsConfig.VirtualServer, state, eventTitle, msg)
if err != nil {
glog.Errorf("Error when updating the status for VirtualServer %v/%v: %v", vsConfig.VirtualServer.Namespace, vsConfig.VirtualServer.Name, err)
Expand Down Expand Up @@ -1433,7 +1450,7 @@ func (lbc *LoadBalancerController) updateVirtualServerStatusAndEvents(vsConfig *
msg := fmt.Sprintf("Configuration for %v was added or updated %s", getResourceKey(&vsConfig.VirtualServer.ObjectMeta), eventWarningMessage)
lbc.recorder.Eventf(vsConfig.VirtualServer, eventType, eventTitle, msg)

if lbc.reportVsVsrStatusEnabled() {
if lbc.reportCustomResourceStatusEnabled() {
err := lbc.statusUpdater.UpdateVirtualServerStatus(vsConfig.VirtualServer, state, eventTitle, msg)
if err != nil {
glog.Errorf("Error when updating the status for VirtualServer %v/%v: %v", vsConfig.VirtualServer.Namespace, vsConfig.VirtualServer.Name, err)
Expand Down Expand Up @@ -1463,7 +1480,7 @@ func (lbc *LoadBalancerController) updateVirtualServerStatusAndEvents(vsConfig *
msg := fmt.Sprintf("Configuration for %v/%v was added or updated %s", vsr.Namespace, vsr.Name, vsrEventWarningMessage)
lbc.recorder.Eventf(vsr, vsrEventType, vsrEventTitle, msg)

if lbc.reportVsVsrStatusEnabled() {
if lbc.reportCustomResourceStatusEnabled() {
vss := []*conf_v1.VirtualServer{vsConfig.VirtualServer}
err := lbc.statusUpdater.UpdateVirtualServerRouteStatusWithReferencedBy(vsr, vsrState, vsrEventTitle, msg, vss)
if err != nil {
Expand Down Expand Up @@ -1571,7 +1588,7 @@ func (lbc *LoadBalancerController) syncService(task task) {
}
}

if lbc.areCustomResourcesEnabled && lbc.reportVsVsrStatusEnabled() {
if lbc.areCustomResourcesEnabled && lbc.reportCustomResourceStatusEnabled() {
virtualServers := lbc.configuration.GetResourcesWithFilter(resourceFilter{VirtualServers: true})

glog.V(3).Infof("Updating status for %v VirtualServers", len(virtualServers))
Expand Down Expand Up @@ -1628,8 +1645,8 @@ func (lbc *LoadBalancerController) reportStatusEnabled() bool {
return false
}

// reportVsVsrStatusEnabled determines if we should attempt to report status for VirtualServers and VirtualServerRoutes.
func (lbc *LoadBalancerController) reportVsVsrStatusEnabled() bool {
// reportCustomResourceStatusEnabled determines if we should attempt to report status for Custom Resources.
func (lbc *LoadBalancerController) reportCustomResourceStatusEnabled() bool {
if lbc.isLeaderElectionEnabled {
return lbc.leaderElector != nil && lbc.leaderElector.IsLeader()
}
Expand Down Expand Up @@ -1861,6 +1878,34 @@ func (lbc *LoadBalancerController) updateVirtualServerRoutesStatusFromEvents() e
return nil
}

func (lbc *LoadBalancerController) updatePoliciesStatus() error {
var allErrs []error
for _, obj := range lbc.policyLister.List() {
pol := obj.(*conf_v1.Policy)

err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enablePreviewPolicies)
if err != nil {
msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err)
err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateInvalid, "Rejected", msg)
if err != nil {
allErrs = append(allErrs, err)
}
} else {
msg := fmt.Sprintf("Policy %v/%v was added or updated", pol.Namespace, pol.Name)
err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateValid, "AddedOrUpdated", msg)
if err != nil {
allErrs = append(allErrs, err)
}
}
}

if len(allErrs) != 0 {
return fmt.Errorf("not all Policies statuses were updated: %v", allErrs)
}

return nil
}

// EnqueueTransportServerForService enqueues TransportServers for the given service.
func (lbc *LoadBalancerController) EnqueueTransportServerForService(service *api_v1.Service) {
transportServers := lbc.getTransportServersForService(service)
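Review bot: In `syncPolicy`, `lbc.recorder.Eventf(pol, api_v1.EventTypeWarning, "Rejected", msg)` passes an already-formatted `msg` as the format string; `msg` embeds the validation error, which quotes user-supplied spec values (the docs in this PR show `Invalid value: "10.0.0."`), so a `%` inside a policy field is interpreted as a verb and the recorded event text is garbled with `%!v(MISSING)`-style output, and newer `go vet` flags the non-constant format string. Use the non-formatting variant, `lbc.recorder.Event(pol, api_v1.EventTypeWarning, "Rejected", msg)`, and likewise `lbc.recorder.Event(pol, api_v1.EventTypeNormal, "AddedOrUpdated", msg)` on the success branch. Separately, a failed `UpdatePolicyStatus` in both branches is logged only at `glog.V(3).Infof`, whereas the VirtualServer path in this same file uses `glog.Errorf`; a Forbidden from a ClusterRole that lacks the new `policies/status` rule would be invisible at default verbosity, so `glog.Errorf("Error when updating the status for Policy %v/%v: %v", pol.Namespace, pol.Name, err)` would match the sibling. `syncPolicy` begins before the hunk.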
1 change: 1 addition & 0 deletions internal/k8s/controller_test.go
Expand Up @@ -23,6 +23,7 @@ import (
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/client-go/kubernetes/fake"

"k8s.io/client-go/tools/cache"
)

5 changes: 5 additions & 0 deletions internal/k8s/leader.go
Expand Up @@ -73,6 +73,11 @@ func createLeaderHandler(lbc *LoadBalancerController) leaderelection.LeaderCallb
if err != nil {
glog.V(3).Infof("error updating VirtualServerRoutes status when starting leading: %v", err)
}

err = lbc.updatePoliciesStatus()
if err != nil {
glog.V(3).Infof("error updating Policies status when starting leading: %v", err)
}
}
},
OnStoppedLeading: func() {
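Review bot: `lbc.updatePoliciesStatus()` dereferences `lbc.policyLister` unconditionally (`lbc.policyLister.List()` in controller.go), and nothing in this hunk shows whether the enclosing block — its opening `if` lies before the hunk — is guarded by `lbc.areCustomResourcesEnabled`; if the policy informer is only created when custom resources are enabled, a nil lister would panic inside the leader callback rather than fail a single sync. Either confirm the guard or make the helper defensive with `if lbc.policyLister == nil { return nil }` at its top. The error is otherwise logged at `glog.V(3)` like its two siblings, which is consistent but means a status-permission failure after a leadership change is invisible at default verbosity.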