apiextensions: validate list-type map+set uniqueness in CRs

[sttts]

/kind api-change
/kind bug

Fixes #84724.

Fixed missing validation of uniqueness of list items in lists with `x-kubernetes-list-type: map` or x-kubernetes-list-type: set` in CustomResources.

[jennybuckley]

/assign

[fejta-bot]

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

[jtslear]

Hello @liggitt, @sttts
Bug Triage team here for the 1.18 release. This is a friendly reminder that code freeze is scheduled for 5 March. Is this PR appears to be blocking #84724, is this still intended for milestone 1.18?

[sttts]

@apelisse addressed your comments.

[liggitt]

are there cases where this would return false for complex array or map objects, but json-marshalling and comparing would be identical?

[sttts]

json.Marshal is the inverse of json.Unmarshal. If both values are the result of json.Unmarshal then this will not happen.

What do you have in mind? Our patch logic?

[liggitt]

more issues like json-iterator/go#323, where json-iterator normalizes on marshal as opposed to encoding/json normalizing on both unmarshal/marshal

[sttts]

ic. Suggestion? Marshal again?

[liggitt]

that is definitely simpler to reason about; that's what I would do to start

[apelisse]

I have a couple of additional comments.

I'm really not convinced that we want listMapKeys fields to be anything but required. Having a "nil" item validate because both keys are missing and transforming this into a valid case really feels wrong. As far as I know, we have one such case in Kubernetes, that's the protocol in the list of ports of the podspec. We might find a way to fix that one specifically, but I'd rather not generalize this problem. Alternatively, we could allow these to be if they have a default value, and in this case consider the default as the key value. IOW, "required or has a default" (that would also work for the protocol problem).

Second, I was discussion ratcheting with Daniel, and forcing the created objects to pass this validation only works if we assume that no controller/system is currently creating invalid objects. This change would break such a controller?

[sttts]

I'm really not convinced that we want listMapKeys fields to be anything but required. Having a "nil" item validate because both keys are missing and transforming this into a valid case really feels wrong. As far as I know, we have one such case in Kubernetes, that's the protocol in the list of ports of the podspec. We might find a way to fix that one specifically, but I'd rather not generalize this problem. Alternatively, we could allow these to be if they have a default value, and in this case consider the default as the key value. IOW, "required or has a default" (that would also work for the protocol problem).

All this is done via ratcheting validation, i.e. we enforce required or a default. We forbid nullable: #88076. Please review.

[sttts]

Second, I was discussion ratcheting with Daniel, and forcing the created objects to pass this validation only works if we assume that no controller/system is currently creating invalid objects. This change would break such a controller?

This is what we always do in those cases, ratcheting validation. It is the very reason why this issue is marked urgent for months. The more we wait (1.18 is around the corner) the more controllers will exist. I bet the number is zero today.

[liggitt]

Anyone defining a CRD that uses list-type: map/set must be able to rely on the documented semantics (we rely on them ourselves in server-side-apply). It is very important we not allow data that violates those semantics, and do so as soon as possible.

[liggitt]

Alternatively, we could allow these to be if they have a default value, and in this case consider the default as the key value. IOW, "required or has a default" (that would also work for the protocol problem).

That's what we settled on. Disallowing nullable and making the key attributes either be required or defaulted gives this set validation reasonable inputs to work with, and allows evolution or recovery from underspecified key sets (e.g. an underspecified item schema for a port realizes in the future it needs a protocol field that should be added to the item key specification, and needs to provide a default for existing persisted data that lacked that field).

[liggitt]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apiextensions-apiserver/OWNERS [liggitt,sttts]
• vendor/OWNERS [liggitt,sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.