Merge pull request #1211 from viccuad/fix-timeouts

feat: Check timeouts for mininum value

Author: viccuad

api/policies/v1/policy_types.go

@@ -148,17 +148,21 @@ type PolicySpec struct {
 	// TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes,
 	// the webhook call will be ignored or the API call will fail based on the
 	// failure policy.
-	// The timeout value must be between 1 and 30 seconds.
+	// The timeout value must be between 2 and 30 seconds.
 	// Default to 10 seconds.
 	// +optional
 	// +kubebuilder:default:=10
+	// +kubebuilder:validation:Minimum=2
+	// +kubebuilder:validation:Maximum=30
 	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
 
 	// TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
 	// the timeout passes, the policy evaluation call will fail based on the
 	// failure policy.
-	// The timeout value must be between 1 and 30 seconds.
+	// The timeout value must be between 2 and 30 seconds.
 	// +optional
+	// +kubebuilder:validation:Minimum=2
+	// +kubebuilder:validation:Maximum=30
 	TimeoutEvalSeconds *int32 `json:"timeoutEvalSeconds,omitempty"`
 
 	// Message overrides the rejection message of the policy.
@@ -192,8 +196,10 @@ type PolicyGroupMember struct {
 	// TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
 	// the timeout passes, the policy evaluation call will fail based on the
 	// failure policy.
-	// The timeout value must be between 1 and 30 seconds.
+	// The timeout value must be between 2 and 30 seconds.
 	// +optional
+	// +kubebuilder:validation:Minimum=2
+	// +kubebuilder:validation:Maximum=30
 	TimeoutEvalSeconds *int32 `json:"timeoutEvalSeconds,omitempty"`
 }
 
@@ -308,10 +314,12 @@ type GroupSpec struct {
 	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
 	// the webhook call will be ignored or the API call will fail based on the
 	// failure policy.
-	// The timeout value must be between 1 and 30 seconds.
+	// The timeout value must be between 2 and 30 seconds.
 	// Default to 10 seconds.
 	// +optional
 	// +kubebuilder:default:=10
+	// +kubebuilder:validation:Minimum=2
+	// +kubebuilder:validation:Maximum=30
 	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
 
 	// Expression is the evaluation expression to accept or reject the

api/policies/v1/policy_validation.go

@@ -309,30 +309,13 @@ func validateMatchConditionsExpression(expressionStr string, fldPath *field.Path
 }
 
 // validateTimeoutSeconds checks the timeouts so that:
-//   - the policy's timeoutSeconds is not greater than the Kubernetes webhook max timeout (30s).
-//   - the policy's timeoutEvalSeconds is not greater than the Kubernetes webhook max timeout (30s).
 //   - the policy's timeoutEvalSeconds is not greater than the policy's timeoutSeconds.
 func validateTimeoutSeconds(policy Policy) field.ErrorList {
 	var allErrors field.ErrorList
 	timeoutSeconds := policy.GetTimeoutSeconds()
 	timeoutEvalSeconds := policy.GetTimeoutEvalSeconds()
-	fldTimeoutSeconds := field.NewPath("spec").Child("timeoutSeconds")
 	fldTimeoutEvalSeconds := field.NewPath("spec").Child("timeoutEvalSeconds")
 
-	if timeoutSeconds != nil && *timeoutSeconds > maxWebhookTimeoutSeconds {
-		allErrors = append(allErrors, field.Invalid(
-			fldTimeoutSeconds,
-			*timeoutSeconds,
-			fmt.Sprintf("timeoutSeconds cannot be greater than %d (Kubernetes webhook max timeout)", maxWebhookTimeoutSeconds),
-		))
-	}
-	if timeoutEvalSeconds != nil && *timeoutEvalSeconds > maxWebhookTimeoutSeconds {
-		allErrors = append(allErrors, field.Invalid(
-			fldTimeoutEvalSeconds,
-			*timeoutEvalSeconds,
-			fmt.Sprintf("timeoutEvalSeconds cannot be greater than %d (Kubernetes webhook max timeout)", maxWebhookTimeoutSeconds),
-		))
-	}
 	if timeoutSeconds != nil && timeoutEvalSeconds != nil {
 		if *timeoutEvalSeconds > *timeoutSeconds {
 			allErrors = append(allErrors, field.Invalid(

api/policies/v1/policy_validation_test.go

@@ -600,7 +600,6 @@ func TestValidatePolicyModeField(t *testing.T) {
 
 func TestValidateTimeoutSeconds(t *testing.T) {
 	maxTimeout := int32(30)
-	overTimeout := int32(31)
 	underTimeout := int32(10)
 
 	type testCase struct {
@@ -617,18 +616,6 @@ func TestValidateTimeoutSeconds(t *testing.T) {
 			timeoutEvalSeconds: nil,
 			expectedErrors:     nil,
 		},
-		{
-			name:               "timeoutSeconds over max",
-			timeoutSeconds:     &overTimeout,
-			timeoutEvalSeconds: nil,
-			expectedErrors:     []string{"timeoutSeconds cannot be greater than"},
-		},
-		{
-			name:               "timeoutEvalSeconds over max",
-			timeoutSeconds:     &maxTimeout,
-			timeoutEvalSeconds: &overTimeout,
-			expectedErrors:     []string{"timeoutEvalSeconds cannot be greater than"},
-		},
 		{
 			name:               "timeoutEvalSeconds > timeoutSeconds",
 			timeoutSeconds:     &underTimeout,

api/policies/v1/policygroup_validation.go

@@ -142,25 +142,15 @@ func validatePolicyGroupExpressionField(policyGroup PolicyGroup) *field.Error {
 }
 
 // validatePolicyGroupMembersTimeouts checks the timeouts so that:
-//   - the group's timeoutSeconds is not greater than the Kubernetes webhook max timeout (30s).
 //   - each member's timeoutEvalSeconds is not greater than the group's
-//     timeoutSeconds nor the Kubernetes webhook max timeout (30s)
+//     timeoutSeconds
 //   - the sum of each members' timeoutEvalSeconds is not greater than the group's
 //     timeoutSeconds nor the Kubernetes webhook max timeout (30s)
 func validatePolicyGroupMembersTimeouts(policyGroup PolicyGroup) field.ErrorList {
 	var allErrors field.ErrorList
 	groupTimeout := policyGroup.GetTimeoutSeconds()
-	fldGroupTimeout := field.NewPath("spec").Child("timeoutSeconds")
 	fldMembers := field.NewPath("spec").Child("policies")
 
-	if groupTimeout != nil && *groupTimeout > maxWebhookTimeoutSeconds {
-		allErrors = append(allErrors, field.Invalid(
-			fldGroupTimeout,
-			*groupTimeout,
-			fmt.Sprintf("timeoutSeconds cannot be greater than %d (Kubernetes webhook max timeout)", maxWebhookTimeoutSeconds),
-		))
-	}
-
 	sumMemberTimeoutEval := int32(0)
 	for memberName, member := range policyGroup.GetPolicyGroupMembersWithContext() {
 		memberTimeoutEval := member.TimeoutEvalSeconds
@@ -170,14 +160,12 @@ func validatePolicyGroupMembersTimeouts(policyGroup PolicyGroup) field.ErrorList
 		sumMemberTimeoutEval += *memberTimeoutEval
 
 		if *memberTimeoutEval > maxWebhookTimeoutSeconds {
-			sumMemberTimeoutEval += *memberTimeoutEval
 			allErrors = append(allErrors, field.Invalid(
 				fldMembers.Key(memberName).Child("timeoutEvalSeconds"),
 				*memberTimeoutEval,
 				fmt.Sprintf("timeoutEvalSeconds cannot be greater than %d (Kubernetes webhook max timeout)", maxWebhookTimeoutSeconds),
 			))
 		}
-
 		if groupTimeout != nil && *memberTimeoutEval > *groupTimeout {
 			allErrors = append(allErrors, field.Invalid(
 				fldMembers.Key(memberName).Child("timeoutEvalSeconds"),

api/policies/v1/policygroup_validation_test.go

@@ -344,7 +344,6 @@ func TestValidatePolicyGroupMembers(t *testing.T) {
 
 func TestValidatePolicyGroupTimeoutSeconds(t *testing.T) {
 	maxTimeout := int32(30)
-	overTimeout := int32(31)
 	underTimeout := int32(10)
 	overMinusUnderTimeout := int32(21)
 
@@ -364,20 +363,6 @@ func TestValidatePolicyGroupTimeoutSeconds(t *testing.T) {
 			timeoutEvalSeconds2: nil,
 			expectedErrors:      nil,
 		},
-		{
-			name:                "timeoutSeconds over max",
-			timeoutSeconds:      &overTimeout,
-			timeoutEvalSeconds:  nil,
-			timeoutEvalSeconds2: nil,
-			expectedErrors:      []string{"timeoutSeconds cannot be greater than"},
-		},
-		{
-			name:                "timeoutEvalSeconds over max",
-			timeoutSeconds:      &maxTimeout,
-			timeoutEvalSeconds:  &overTimeout,
-			timeoutEvalSeconds2: nil,
-			expectedErrors:      []string{"timeoutEvalSeconds cannot be greater than"},
-		},
 		{
 			name:                "timeoutEvalSeconds > timeoutSeconds",
 			timeoutSeconds:      &underTimeout,

config/crd/bases/policies.kubewarden.io_admissionpolicies.yaml

@@ -356,18 +356,22 @@ spec:
                   TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
                   the timeout passes, the policy evaluation call will fail based on the
                   failure policy.
-                  The timeout value must be between 1 and 30 seconds.
+                  The timeout value must be between 2 and 30 seconds.
                 format: int32
+                maximum: 30
+                minimum: 2
                 type: integer
               timeoutSeconds:
                 default: 10
                 description: |-
                   TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes,
                   the webhook call will be ignored or the API call will fail based on the
                   failure policy.
-                  The timeout value must be between 1 and 30 seconds.
+                  The timeout value must be between 2 and 30 seconds.
                   Default to 10 seconds.
                 format: int32
+                maximum: 30
+                minimum: 2
                 type: integer
             required:
             - module

config/crd/bases/policies.kubewarden.io_admissionpolicygroups.yaml

@@ -283,8 +283,10 @@ spec:
                         TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
                         the timeout passes, the policy evaluation call will fail based on the
                         failure policy.
-                        The timeout value must be between 1 and 30 seconds.
+                        The timeout value must be between 2 and 30 seconds.
                       format: int32
+                      maximum: 30
+                      minimum: 2
                       type: integer
                   required:
                   - module
@@ -385,9 +387,11 @@ spec:
                   TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
                   the webhook call will be ignored or the API call will fail based on the
                   failure policy.
-                  The timeout value must be between 1 and 30 seconds.
+                  The timeout value must be between 2 and 30 seconds.
                   Default to 10 seconds.
                 format: int32
+                maximum: 30
+                minimum: 2
                 type: integer
             required:
             - expression

config/crd/bases/policies.kubewarden.io_clusteradmissionpolicies.yaml

@@ -468,18 +468,22 @@ spec:
                   TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
                   the timeout passes, the policy evaluation call will fail based on the
                   failure policy.
-                  The timeout value must be between 1 and 30 seconds.
+                  The timeout value must be between 2 and 30 seconds.
                 format: int32
+                maximum: 30
+                minimum: 2
                 type: integer
               timeoutSeconds:
                 default: 10
                 description: |-
                   TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes,
                   the webhook call will be ignored or the API call will fail based on the
                   failure policy.
-                  The timeout value must be between 1 and 30 seconds.
+                  The timeout value must be between 2 and 30 seconds.
                   Default to 10 seconds.
                 format: int32
+                maximum: 30
+                minimum: 2
                 type: integer
             required:
             - module

config/crd/bases/policies.kubewarden.io_clusteradmissionpolicygroups.yaml

@@ -396,8 +396,10 @@ spec:
                         TimeoutEvalSeconds specifies the timeout for the policy evaluation. After
                         the timeout passes, the policy evaluation call will fail based on the
                         failure policy.
-                        The timeout value must be between 1 and 30 seconds.
+                        The timeout value must be between 2 and 30 seconds.
                       format: int32
+                      maximum: 30
+                      minimum: 2
                       type: integer
                   required:
                   - module
@@ -498,9 +500,11 @@ spec:
                   TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
                   the webhook call will be ignored or the API call will fail based on the
                   failure policy.
-                  The timeout value must be between 1 and 30 seconds.
+                  The timeout value must be between 2 and 30 seconds.
                   Default to 10 seconds.
                 format: int32
+                maximum: 30
+                minimum: 2
                 type: integer
             required:
             - expression

config/crd/bases/policies.kubewarden.io_policyservers.yaml

@@ -619,8 +619,8 @@ spec:
                           most preferred is the one with the greatest sum of weights, i.e.
                           for each node that meets all of the scheduling requirements (resource
                           request, requiredDuringScheduling anti-affinity expressions, etc.),
-                          compute a sum by iterating through the elements of this field and adding
-                          "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                          compute a sum by iterating through the elements of this field and subtracting
+                          "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                           node(s) with the highest sum are the most preferred.
                         items:
                           description: The weights of all of the matched WeightedPodAffinityTerm
@@ -978,7 +978,9 @@ spec:
                     a Container.
                   properties:
                     name:
-                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                      description: |-
+                        Name of the environment variable.
+                        May consist of any printable ASCII characters except '='.
                       type: string
                     value:
                       description: |-
@@ -1036,6 +1038,43 @@ spec:
                           - fieldPath
                           type: object
                           x-kubernetes-map-type: atomic
+                        fileKeyRef:
+                          description: |-
+                            FileKeyRef selects a key of the env file.
+                            Requires the EnvFiles feature gate to be enabled.
+                          properties:
+                            key:
+                              description: |-
+                                The key within the env file. An invalid key will prevent the pod from starting.
+                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                              type: string
+                            optional:
+                              default: false
+                              description: |-
+                                Specify whether the file or its key must be defined. If the file or key
+                                does not exist, then the env var is not published.
+                                If optional is set to true and the specified key does not exist,
+                                the environment variable will not be set in the Pod's containers.
+
+                                If optional is set to false and the specified key does not exist,
+                                an error will be returned during Pod creation.
+                              type: boolean
+                            path:
+                              description: |-
+                                The path within the volume from which to select the file.
+                                Must be relative and may not contain the '..' path or start with '..'.
+                              type: string
+                            volumeName:
+                              description: The name of the volume mount containing
+                                the env file.
+                              type: string
+                          required:
+                          - key
+                          - path
+                          - volumeName
+                          type: object
+                          x-kubernetes-map-type: atomic
                         resourceFieldRef:
                           description: |-
                             Selects a resource of the container: only resources limits and requests
@@ -1791,7 +1830,9 @@ spec:
                     a Container.
                   properties:
                     name:
-                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                      description: |-
+                        Name of the environment variable.
+                        May consist of any printable ASCII characters except '='.
                       type: string
                     value:
                       description: |-
@@ -1849,6 +1890,43 @@ spec:
                           - fieldPath
                           type: object
                           x-kubernetes-map-type: atomic
+                        fileKeyRef:
+                          description: |-
+                            FileKeyRef selects a key of the env file.
+                            Requires the EnvFiles feature gate to be enabled.
+                          properties:
+                            key:
+                              description: |-
+                                The key within the env file. An invalid key will prevent the pod from starting.
+                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                              type: string
+                            optional:
+                              default: false
+                              description: |-
+                                Specify whether the file or its key must be defined. If the file or key
+                                does not exist, then the env var is not published.
+                                If optional is set to true and the specified key does not exist,
+                                the environment variable will not be set in the Pod's containers.
+
+                                If optional is set to false and the specified key does not exist,
+                                an error will be returned during Pod creation.
+                              type: boolean
+                            path:
+                              description: |-
+                                The path within the volume from which to select the file.
+                                Must be relative and may not contain the '..' path or start with '..'.
+                              type: string
+                            volumeName:
+                              description: The name of the volume mount containing
+                                the env file.
+                              type: string
+                          required:
+                          - key
+                          - path
+                          - volumeName
+                          type: object
+                          x-kubernetes-map-type: atomic
                         resourceFieldRef:
                           description: |-
                             Selects a resource of the container: only resources limits and requests