Switch ACK to CEL-Based Immutability and Remove Runtime Checks #565

Merged
merged 1 commit into from
Feb 19, 2025

rushmash91
Member

@rushmash91 rushmash91 commented Jan 22, 2025

Issue #2202

Description of changes:

Updates the ACK code generation process to enforce immutability using CEL validation rules instead of runtime comparisons. By adding +kubebuilder:validation:XValidation annotations to fields marked is_immutable: true, Kubernetes 1.25+ now blocks changes at admission time, eliminating the need for separate runtime checks or conditions.

Why?
  1. More immediate feedback: Users get a direct error when attempting to mutate an immutable field.
  2. Less runtime complexity: We no longer need to detect or conditionally reject these changes in the controller code.
  3. Cleaner codegen: The old HasImmutableFieldChanges() and similar logic can be removed.

Caveats

Clusters must be on Kubernetes 1.25+, which supports CEL.
Blog

Changes

• Add CEL rules for is_immutable: true fields in the CRD template (+kubebuilder:validation:XValidation).
• Remove runtime immutability checks (HasImmutableFieldChanges, etc.) in the generated sdk.go files.
• Clean up references to "immutable fields" in crd.go to avoid duplicating logic.
• Update inline comments and docstrings to clarify that immutability is now admission-based.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
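
An added example, not code from this pull request or from the ACK code generator: a Go model of how the API server treats the field-scoped CEL rule `self == oldSelf` that a `+kubebuilder:validation:XValidation` marker produces, including the cases where a transition rule is not evaluated at all. `BucketSpec`, `FieldRule`, `ParentGuard` and the message text are hypothetical names chosen for illustration, and the parent-level guard goes beyond what the PR describes.

```go
package main

import "fmt"

// BucketSpec is a hypothetical spec type, not taken from any ACK controller.
type BucketSpec struct {
	// The message text below is constructed for this example.
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable"
	Name *string `json:"name,omitempty"`
}

// Verdict is the outcome of one rule for one admission request.
type Verdict string

const (
	Skipped  Verdict = "skipped" // rule not evaluated; this check does not block
	Allowed  Verdict = "allowed"
	Rejected Verdict = "rejected"
)

// FieldRule models `self == oldSelf` scoped to one optional field. A rule that
// mentions oldSelf is a transition rule: the API server evaluates it only on
// updates where the field has both an old and a new value.
func FieldRule(oldVal, newVal *string) Verdict {
	if oldVal == nil || newVal == nil {
		return Skipped // create, first set, or removal: nothing to compare
	}
	if *oldVal == *newVal {
		return Allowed
	}
	return Rejected
}

// ParentGuard models `!has(oldSelf.name) || has(self.name)` on the enclosing
// object during an update; it rejects removal of a field that was already set.
func ParentGuard(oldVal, newVal *string) Verdict {
	if oldVal == nil || newVal != nil {
		return Allowed
	}
	return Rejected
}

func main() {
	a, b := "logs", "logs-v2" // constructed sample values
	fmt.Println("create:  ", FieldRule(nil, &a))
	fmt.Println("same:    ", FieldRule(&a, &a))
	fmt.Println("changed: ", FieldRule(&a, &b))
	fmt.Println("removed: ", FieldRule(&a, nil), "/ guard:", ParentGuard(&a, nil))
}
```

For an optional immutable field, the field-level rule alone does not cover removal, which is why the model pairs it with a guard on the parent object.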

@ack-prow ack-prow bot requested review from a-hilaly and jlbutler January 22, 2025 18:18
@rushmash91 rushmash91 force-pushed the main branch 2 times, most recently from 3ee1b27 to c483a60 Compare January 22, 2025 19:18
@rushmash91
Member Author

/test s3-controller-test

@rushmash91
Member Author

/test cloudfront-controller-test

@a-hilaly
Member

/hold

@ack-prow ack-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 22, 2025
Member

@a-hilaly a-hilaly left a comment

Neat! Good job on this @rushmash91 🚀

As you stated, we'll wait until EKS 1.24 reaches end of support to ship this to all controllers.

ack-prow bot pushed a commit to aws-controllers-k8s/iam-controller that referenced this pull request Feb 19, 2025
fix aws-controllers-k8s/code-generator#565

Description of changes:
Remove `getImmutableFieldChanges` from hooks to support cel immutability

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
ack-prow bot pushed a commit to aws-controllers-k8s/dynamodb-controller that referenced this pull request Feb 19, 2025
fix aws-controllers-k8s/code-generator#565

Description of changes:
Remove getImmutableFieldChanges from hooks to support cel immutability

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
ack-prow bot pushed a commit to aws-controllers-k8s/eventbridge-controller that referenced this pull request Feb 19, 2025
fix aws-controllers-k8s/code-generator#565

Description of changes:
Remove getImmutableFieldChanges from hooks to support cel immutability

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
ack-prow bot pushed a commit to aws-controllers-k8s/eks-controller that referenced this pull request Feb 19, 2025
fix aws-controllers-k8s/code-generator#565

Description of changes:
Remove getImmutableFieldChanges from hooks to support cel immutability

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
ack-prow bot pushed a commit to aws-controllers-k8s/kms-controller that referenced this pull request Feb 19, 2025
fix aws-controllers-k8s/code-generator#565

Description of changes:
Remove getImmutableFieldChanges from hooks to support cel immutability
Remove immutability tests

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
ack-prow bot pushed a commit to aws-controllers-k8s/sns-controller that referenced this pull request Feb 19, 2025
fix aws-controllers-k8s/code-generator#565

Description of changes:
Remove getImmutableFieldChanges from hooks to support cel immutability

field `Name` immutability test removed for resource `Topic`


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
ack-prow bot pushed a commit to aws-controllers-k8s/route53-controller that referenced this pull request Feb 19, 2025
fix aws-controllers-k8s/code-generator#565

Description of changes:
Remove getImmutableFieldChanges from hooks to support cel immutability

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@rushmash91 rushmash91 reopened this Feb 19, 2025
@rushmash91 rushmash91 self-assigned this Feb 19, 2025
ack-prow bot pushed a commit to aws-controllers-k8s/ses-controller that referenced this pull request Feb 19, 2025
fix aws-controllers-k8s/code-generator#565

Description of changes:
Remove getImmutableFieldChanges from hooks to support cel immutability

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@rushmash91 rushmash91 reopened this Feb 19, 2025
Member

@a-hilaly a-hilaly left a comment

Awesome! Really excited for this to go through
/unhold

@ack-prow ack-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 19, 2025
ack-prow bot commented Feb 19, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: a-hilaly, rushmash91

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ack-prow ack-prow bot added the approved label Feb 19, 2025
@rushmash91
Member Author

/test eks-controller-test

@rushmash91
Member Author

/test efs-controller-test

@rushmash91
Member Author

/test cloudfront-controller-test

@rushmash91
Member Author

/test ec2-controller-test

@rushmash91
Member Author

/test ec2-controller-test

@rushmash91
Member Author

/test ec2-controller-test

ack-prow bot commented Feb 19, 2025

@rushmash91: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| verify-attribution | 455e3d9 | link | false | /test verify-attribution |
| s3-olm-test | 455e3d9 | link | false | /test s3-olm-test |
| ec2-controller-test | 455e3d9 | link | true | /test ec2-controller-test |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@michaelhtm michaelhtm merged commit 8b426c4 into aws-controllers-k8s:main Feb 19, 2025
12 of 19 checks passed