Allow sandboxclaim's metadata to be passed to the sandbox #173
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: peterzhongyi The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @peterzhongyi. Thanks for your PR. I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
✅ Deploy Preview for agent-sandbox canceled.
|
k8s-ci-robot
added
the
size/M
| Labels: claim.Labels, | ||
| Annotations: claim.Annotations, | ||
| }, | ||
| } |
There was a problem hiding this comment.
lgtm, not blocking but do you mind updating the sandbox_claim.yaml https://github.com/kubernetes-sigs/agent-sandbox/blob/main/extensions/examples/sandboxclaim.yaml to show that we can pass labels/annotations through the claim as well , thanks!
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| Name: claim.Name, | ||
| Namespace: claim.Namespace, | ||
| Name: claim.Name, | ||
| Labels: claim.Labels, |
There was a problem hiding this comment.
Is the goal to be passed on the pod as well ?
if so this is not sufficient.
There was a problem hiding this comment.
We need to be careful about modifying pod labels, see #174 (comment)
| Namespace: claim.Namespace, | ||
| Name: claim.Name, | ||
| Labels: claim.Labels, | ||
| Annotations: claim.Annotations, |
There was a problem hiding this comment.
Filter internal annotations instead of blindly copying everything that might be misleading. For example, filtering out the "last applied" annotation.
Also, this only copies the map reference. The best practice is to deep copy maps, ref
agent-sandbox/controllers/sandbox_controller.go
Lines 393 to 399 in 2e61902
barney-s
left a comment
barney-s
left a comment
There was a problem hiding this comment.
This PR introduces a valuable feature by propagating metadata from the SandboxClaim to the Sandbox. However, there are a few critical issues that need to be addressed before this can be merged.
- Shallow Copy: The labels and annotations are being copied by reference, not by value. This can lead to concurrent map access issues or unintended modifications. A deep copy is required.
- Annotation Filtering: The implementation copies all annotations, including internal ones that should not be propagated (e.g.,
kubectl.kubernetes.io/last-applied-configuration). A filtering mechanism is needed. - Testing: While a unit test has been added, it would be beneficial to expand it to cover the filtering logic and also add an e2e test to validate the end-to-end flow.
Existing issue:
- Lack of an
OwnerReferenceon the createdSandbox
| Name: claim.Name, | ||
| Namespace: claim.Namespace, | ||
| Name: claim.Name, | ||
| Labels: claim.Labels, |
There was a problem hiding this comment.
This is a shallow copy, not a deep copy. Assigning claim.Labels directly makes sandbox.ObjectMeta.Labels a reference to the same map. Any modification to the claim's labels by another controller could unintentionally alter the sandbox's labels, leading to unpredictable behavior.
A new map should be created and the key-value pairs copied over. For example:
newLabels := make(map[string]string)
for k, v := range claim.Labels {
newLabels[k] = v
}
sandbox.ObjectMeta.Labels = newLabels| Namespace: claim.Namespace, | ||
| Name: claim.Name, | ||
| Labels: claim.Labels, | ||
| Annotations: claim.Annotations, |
There was a problem hiding this comment.
Similar to the labels, this is a shallow copy for annotations. More importantly, blindly copying all annotations can cause issues. For instance, the kubectl.kubernetes.io/last-applied-configuration annotation should not be carried over from the claim to the sandbox, as it could interfere with kubectl apply operations on the sandbox object itself.
You should implement a filtering mechanism to exclude known internal or problematic annotations before assigning them.
| labels: | ||
| test-label: test-value | ||
| annotations: | ||
| test-annotation: test-annotation-value |
There was a problem hiding this comment.
While this example is functionally correct, it could be more illustrative. Consider adding a more realistic annotation that a user might want to use, for example description: "My custom sandbox environment". This helps users better understand the intended use of the new feature.
| } | ||
|
|
||
| logger.Info("creating sandbox from template", "template", template.Name) | ||
| sandbox := &v1alpha1.Sandbox{ |
There was a problem hiding this comment.
The created Sandbox is missing an OwnerReference that points to the SandboxClaim. Without this, the Sandbox will not be garbage collected when the SandboxClaim is deleted, and it breaks the ownership chain that is fundamental to Kubernetes controllers.
You should set the OwnerReference on the Sandbox's ObjectMeta.
| } | ||
|
|
||
| claimWithMetadata := claim.DeepCopy() | ||
| claimWithMetadata.Labels = map[string]string{ |
There was a problem hiding this comment.
The test should be more comprehensive. It should also handle cases where claim.Labels or claim.Annotations are nil to ensure the controller doesn't panic.
| expectError bool | ||
| expectedCondition metav1.Condition | ||
| name string | ||
| existingObjects []client.Object |
There was a problem hiding this comment.
This test does not validate that a deep copy of the labels and annotations was performed. To properly test this, you should modify the claim.Labels and claim.Annotations maps after the createSandbox function is called, and then verify that the labels and annotations on the created sandbox object have not changed.
5 participants
This allows a user to create a sandbox with customized labels.