[GitHub] [incubator-uniffle] advancedxy commented on a diff in pull request #531: [ISSUE-524][operator] Upgrading rss could also be deleted

Tue, 31 Jan 2023 22:28:54 -0800 


advancedxy commented on code in PR #531:
URL: https://github.com/apache/incubator-uniffle/pull/531#discussion_r1092809817


##########
deploy/kubernetes/operator/pkg/webhook/inspector/rss.go:
##########
@@ -35,19 +35,19 @@ import (
 // validateRSS validates the create and update operation towards rss objects.
 func (i *inspector) validateRSS(ar *admissionv1.AdmissionReview) 
*admissionv1.AdmissionReview {
        if !i.ignoreRSS && ar.Request.Operation == admissionv1.Update {
-               oldRSS := &unifflev1alpha1.RemoteShuffleService{}
+               oldRSS := &uniffleAPI.RemoteShuffleService{}
                if err := json.Unmarshal(ar.Request.OldObject.Raw, oldRSS); err 
!= nil {
                        klog.Errorf("unmarshal old object of rss (%v) failed: 
%v",
                                string(ar.Request.OldObject.Raw), err)
                        return util.AdmissionReviewFailed(ar, err)
                }
-               // for security purposes, we forbid updating rss objects when 
they are in upgrading phase.
-               if oldRSS.Status.Phase == unifflev1alpha1.RSSUpgrading {
-                       message := "can not update upgrading rss object: " + 
utils.UniqueName(oldRSS)
+               // for security purposes, we forbid updating rss objects when 
they are in upgrading/terminating phase.
+               if oldRSS.Status.Phase == uniffleAPI.RSSUpgrading || 
oldRSS.Status.Phase == uniffleAPI.RSSTerminating {

Review Comment:
   > Sorry, webhook is not currently intercepting the subresource status, so 
updatestatus is not affected.
   
   Yeah, so we don't have to allow `old.Upgrading && new.Terminating`.
   
   > But after Terminating, there will be an action to delete finalizer. Is 
this also not blocked in your test environment ?
   
   When I'm testing, denied update request when being terminating is not added. 
But I think you raised a good point. 
   If a deletion operation is issued, the object is already marked terminating 
by setting `deletionTimestamp`, does k8S manager itself handles update 
protection automatically? or does crd controller needed  to enforce it?
   
   if K8S itself already handles, then this line of code is unnecessary?
   
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to