feat: Add VM delete protection #1199
Conversation
kubevirt-bot
added
release-note
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Why did you create a separate controllers instead of adding these new resources into an operand? We usually add new resources in operands. That way, they can be configured in the SSP resource.
Can you rename this PR and the commit? This is definitely not a chore.
Maybe something like:
feat: Add VM delete protection
| }, | ||
| Validations: []admissionregistrationv1.Validation{ | ||
| { | ||
| Expression: `(!has(oldObject.metadata.labels) || !(variables.label in oldObject.metadata.labels) || !oldObject.metadata.labels[variables.label].matches('^(true|True)$'))`, |
There was a problem hiding this comment.
Would it be enough to test that the label exists, instead of checking its value?
There was a problem hiding this comment.
I've considered clearer from the user point of view. My idea is: by forcing the user to add the "True" value, we make sure that user really wants the protection enabled, and I think it will avoid confusions. That being said, I'm not against it if we find it out better.
|
/hold |
kubevirt-bot
added
the
do-not-merge/hold
It is my understanding that operands are better fit when you are using CRD than controllers. In this case, we are just using a build-in feature such as VAP and VAPB. Given that, I'm not particularly against adding it though an operand. In fact, I question this myself multiple times. As we consider best.
You are absolutely right. Thanks. |
jcanocan
force-pushed
the
vm-delete-protection
branch
from
57c3cc2 to
e4f96d2
Compare
jcanocan
changed the title
I'm not sure what do you mean by "operands are better fit when you are using CRD than controllers". Can you explain it more? The SSP controller deploys various resources based on what is configured in the SSP CR. VAP and VAPB are one of these resources. Currently we don't configure them, but maybe we can. Operands are an abstraction used to group related resources together in the code, so it is easier to understand. For example we deploy multiple ClusterRole objects, and it would be harder to understand if they were all in one package. I would say that this is the exact use case to add a new operand. |
All right! You convinced me! Thanks. Let's create an operand. |
jcanocan
force-pushed
the
vm-delete-protection
branch
from
e4f96d2 to
03ff41f
Compare
|
v2:
|
|
Please also add the new operand to the |
jcanocan
force-pushed
the
vm-delete-protection
branch
from
03ff41f to
e4d02a8
Compare
Added. |
jcanocan
force-pushed
the
vm-delete-protection
branch
from
e4d02a8 to
2c8aa38
Compare
|
/unhold |
kubevirt-bot
removed
the
do-not-merge/hold
jcanocan
force-pushed
the
vm-delete-protection
branch
from
2c8aa38 to
4ff65b3
Compare
|
|
||
| func New() operands.Operand { | ||
| if err := checkCelExpression(); err != nil { | ||
| panic("Invalid VM delete protection CEL expression") |
There was a problem hiding this comment.
Show also the error message in panic. It will be useful for debugging.
|
Can you also remove unneeded text from the PR's description? |
It adds the ability to protect VirtualMachine objects from being deleted. If the label `kubevirt.io/vm-delete-protection` is set to `True`, any attempt to delete the VM will be rejected by a VAP policy. Signed-off-by: Javier Cano Cano <[email protected]>
jcanocan
force-pushed
the
vm-delete-protection
branch
from
4ff65b3 to
886d79d
Compare
|
Adjusted. |
|
@jcanocan: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
What this PR does / why we need it:
VirtualMachine objects are often managed by automation, CLI commands, 3rd party tools, etc. These automations may result in deleting accidentally VMs that should have not been deleted. These deletions may lead to a service degradation or out of service. Moreover, the deleted VMs may lead to information loss if the underlining PVC is deleted as a result of a cascaded delete.
It adds the ability to protect VirtualMachine objects from being deleted. If the label
kubevirt.io/vm-delete-protectionis set toTrue, any attempt to delete the VM will be rejected by a VAP policy.This protection enables a protection against non-intended VM deletions, providing security and confidence to users.
Which issue(s) this PR fixes:
Fixes # CNV-50741
Special notes for your reviewer:
Release note: