-
Notifications
You must be signed in to change notification settings - Fork 480
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
discussion: find a simple way to figure which policies are affecting a resource #3235
Comments
@spacewander, support for I don't know if a single Another existing option is describing the resource using |
The problem with most approaches that involve putting a direct reference to all the attached policies relevant to an object is that you're creating a fan-out or fan-in update problem for your implementation or the API server. That is, you're creating a situation where an update to one object (the Policy) creates multiple further updates to the status of multiple objects (every object the Policy affects). This is fine when you have a small number, but adds a big complexity factor to keeping the system up to date. The annotation solution you describe is the same here - we did look at something similar earlier, but it means that you could concievably have one object update (on the Policy) generating many other updates (updating every object the Policy targets). This is even worse now because you have multiple This is why we've been focussing on building tooling and libraries into |
Agree with this. |
/triage needs-information |
What would you like to be added:
A simple way to figure out which policies are affecting a resource.
Why this is needed:
As a maintainer of Gateway, I am often asked about the configuration of a route. In the old days, I could figure out it simply by checking the spec of APISIXRoute or VirtualService, and their ancestor. However, in Gateway API, many features are dispatched via policy attachment, not the Route resource itself.
There are other ways to figure out, though. If we create the policies by using RESTful API, we can keep the reverse index of targetRef in the database. If we create the policies via IaC, we can keep the policies as the same yaml as the route. To keep thing simple, I don't mention the inherit policies, but they can be found by doing the same thing with the route's ancestor.
However, if we want to have a generate way to solve this problem (maybe only depends on kubectl), AFAIK there is no way to do it.
I find https://gateway-api.sigs.k8s.io/geps/gep-713/#standard-status-condition-on-policy-affected-objects is close to this topic, but it only defines a boolean flag
PolicyAffected
. As the type name has to be unique, and there would be multiple policies affect a resource.One premature solution comes to my mind is that we can add the annotation to a resource, which stores all the group-kind-name of attached policies.
The text was updated successfully, but these errors were encountered: