Skip to content

Fix IntOrString cost estimation when schema has a MaxLength constraint #132837

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix IntOrString cost estimation when schema has a MaxLength constraint #132837

wants to merge 2 commits into from
+72 −9

Conversation

JoelSpeed
Copy link
Contributor

What type of PR is this?

/kind bug

What this PR does / why we need it:

This updates the way that the maximum size of an IntOrString is calculated in the CEL cost estimator to take into account an openapi maxlength constraint.

I was working with someone on a field like:

// request is the minimum amount of the resource required (e.g. "2Mi", "1Gi").
	// This field is optional.
	// When limit is specified, request cannot be greater than limit.
	// +optional
	Request resource.Quantity `json:"request,omitempty"`

We then started adding some CEL rules, for example,

	// +kubebuilder:validation:XValidation:rule="isQuantity(self) && quantity(self).isGreaterThan(quantity('0'))",message="request must be a positive, non-zero quantity"

The API server started to complain of high validation costs. Typically this is because the unbounded string length results in a high MaxElements in the cost estimates.

The usual fix would be to add a maximum length, for example:

	// +kubebuilder:validation:MaxLength=20

But this doesn't work initially because of the way controller-gen is applying different parts of the schema, adding

	// +kubebuilder:validation:XIntOrString

Allows it to produce the following schema:

request:
  anyOf:
  - type: integer
  - type: string
  description: |-
    request is the minimum amount of the resource required (e.g. "2Mi", "1Gi").
    This field is optional.
    When limit is specified, request cannot be greater than limit.
  maxLength: 20 // This is the only part we've added on top of the default schema that controller tools produced
  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
  x-kubernetes-int-or-string: true
  x-kubernetes-validations:
  - message: request must be a non-negative quantity
    rule: isQuantity(self) && quantity(self).isGreaterThan(quantity('0'))

We then noticed that the cost estimates were still particularly high. It turns out, that the logic handling any XIntOrString field isn't correctly observing the MaxLength.

As far as I can tell, the above is a valid schema and the API server appears to accept this schema, and enforce the maximum string length (note int64 has a maximum length of 19 so the integer max length should be covered by this case too, though CELs cost estimates for integers doesn't set a max elements AFAICT)

This PR updates the logic to take into account the max length and resolves our issue.

Which issue(s) this PR is related to:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fix runtime cost estimation for x-int-or-string custom resource schemas with maximum lengths

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 9, 2025
@k8s-ci-robot k8s-ci-robot requested review from cici37 and jpbetz July 9, 2025 11:51
@k8s-ci-robot k8s-ci-robot added area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jul 9, 2025
@JoelSpeed
Copy link
Contributor Author

/test all

@seans3
Copy link
Contributor

seans3 commented Jul 17, 2025

/triage accepted

@JoelSpeed Hi Joel. Thanks for the contribution. Please remember to add unit tests to prove that the bug is fixed. Thanks.

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 17, 2025
@JoelSpeed
Copy link
Contributor Author

@seans3 Have added a unit in the most appropriate place I could find (trying to add one close to the change, where thye don't exist, was creating import cycles trying to get interfaces to line up)

@JoelSpeed
Copy link
Contributor Author

/assign @jpbetz

I'll need your approval to cover both the fix and test update here

@JoelSpeed JoelSpeed force-pushed the fix-max-elements-x-int-or-string branch from 52b3343 to ddaec51 Compare July 18, 2025 11:35
@jpbetz
Copy link
Contributor

jpbetz commented Jul 18, 2025

/assign @cici37

@cici37
Copy link
Contributor

cici37 commented Jul 18, 2025

Thanks for the fix! The fix looks good to me. If you could add a test into the estimated cost test cases, that will be awesome (Just to verify the estimated cost calculation respect the maxLength set. And it should fail before the PR changes added^^

@cici37
Copy link
Contributor

cici37 commented Jul 18, 2025

Fixes #132370
/cc @lalitc375

@k8s-ci-robot
Copy link
Contributor

@cici37: GitHub didn't allow me to request PR reviews from the following users: lalitc375.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

Fixes #132370
/cc @lalitc375

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@JoelSpeed JoelSpeed force-pushed the fix-max-elements-x-int-or-string branch from ddaec51 to b8d74e7 Compare July 21, 2025 11:57
@JoelSpeed
Copy link
Contributor Author

/test unit

Error appears to be completely unrelated

@k8s-ci-robot
Copy link
Contributor

@JoelSpeed: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test pull-cos-containerd-e2e-ubuntu-gce

/test pull-kubernetes-cmd

/test pull-kubernetes-cmd-canary

/test pull-kubernetes-cmd-go-canary

/test pull-kubernetes-conformance-kind-ga-only-parallel

/test pull-kubernetes-coverage-unit

/test pull-kubernetes-dependencies

/test pull-kubernetes-dependencies-go-canary

/test pull-kubernetes-e2e-gce

/test pull-kubernetes-e2e-gce-100-performance

/test pull-kubernetes-e2e-gce-cos

/test pull-kubernetes-e2e-gce-cos-canary

/test pull-kubernetes-e2e-gce-cos-no-stage

/test pull-kubernetes-e2e-gce-network-proxy-http-connect

/test pull-kubernetes-e2e-gce-pull-through-cache

/test pull-kubernetes-e2e-gce-scale-performance-manual

/test pull-kubernetes-e2e-kind

/test pull-kubernetes-e2e-storage-kind-alpha-beta-features-slow

/test pull-kubernetes-integration

/test pull-kubernetes-integration-canary

/test pull-kubernetes-integration-go-canary

/test pull-kubernetes-kubemark-e2e-gce-scale

/test pull-kubernetes-node-e2e-containerd

/test pull-kubernetes-typecheck

/test pull-kubernetes-unit

/test pull-kubernetes-unit-go-canary

/test pull-kubernetes-update

/test pull-kubernetes-verify

/test pull-kubernetes-verify-go-canary

The following commands are available to trigger optional jobs:

/test check-dependency-stats

/test pull-crio-cgroupv1-node-e2e-eviction

/test pull-crio-cgroupv1-node-e2e-features

/test pull-crio-cgroupv1-node-e2e-hugepages

/test pull-crio-cgroupv1-node-e2e-resource-managers

/test pull-crio-cgroupv2-imagefs-separatedisktest

/test pull-crio-cgroupv2-node-e2e-eviction

/test pull-crio-cgroupv2-node-e2e-hugepages

/test pull-crio-cgroupv2-node-e2e-resource-managers

/test pull-crio-cgroupv2-splitfs-separate-disk

/test pull-e2e-gce-cloud-provider-disabled

/test pull-e2e-gci-gce-alpha-enabled-default

/test pull-kubernetes-apidiff

/test pull-kubernetes-apidiff-client-go

/test pull-kubernetes-conformance-image-test

/test pull-kubernetes-conformance-kind-ga-only

/test pull-kubernetes-conformance-kind-ipv6-parallel

/test pull-kubernetes-cos-cgroupv1-containerd-node-e2e

/test pull-kubernetes-cos-cgroupv1-containerd-node-e2e-features

/test pull-kubernetes-cos-cgroupv2-containerd-node-e2e

/test pull-kubernetes-cos-cgroupv2-containerd-node-e2e-eviction

/test pull-kubernetes-cos-cgroupv2-containerd-node-e2e-features

/test pull-kubernetes-cos-cgroupv2-containerd-node-e2e-serial

/test pull-kubernetes-crio-node-memoryqos-cgrpv2

/test pull-kubernetes-cross

/test pull-kubernetes-dra-integration

/test pull-kubernetes-dra-integration-canary

/test pull-kubernetes-e2e-autoscaling-hpa-cm

/test pull-kubernetes-e2e-autoscaling-hpa-cpu

/test pull-kubernetes-e2e-autoscaling-hpa-cpu-alpha-beta

/test pull-kubernetes-e2e-capz-azure-disk

/test pull-kubernetes-e2e-capz-azure-disk-vmss

/test pull-kubernetes-e2e-capz-azure-disk-windows

/test pull-kubernetes-e2e-capz-azure-file

/test pull-kubernetes-e2e-capz-azure-file-vmss

/test pull-kubernetes-e2e-capz-azure-file-windows

/test pull-kubernetes-e2e-capz-conformance

/test pull-kubernetes-e2e-capz-master-windows-nodelogquery

/test pull-kubernetes-e2e-capz-windows-alpha-feature-vpa

/test pull-kubernetes-e2e-capz-windows-alpha-features

/test pull-kubernetes-e2e-capz-windows-master

/test pull-kubernetes-e2e-capz-windows-serial-slow

/test pull-kubernetes-e2e-capz-windows-serial-slow-hpa

/test pull-kubernetes-e2e-containerd-gce

/test pull-kubernetes-e2e-ec2

/test pull-kubernetes-e2e-ec2-arm64

/test pull-kubernetes-e2e-ec2-conformance

/test pull-kubernetes-e2e-ec2-conformance-arm64

/test pull-kubernetes-e2e-ec2-device-plugin-gpu

/test pull-kubernetes-e2e-gce-canary

/test pull-kubernetes-e2e-gce-correctness

/test pull-kubernetes-e2e-gce-cos-alpha-features

/test pull-kubernetes-e2e-gce-csi-serial

/test pull-kubernetes-e2e-gce-device-plugin-gpu

/test pull-kubernetes-e2e-gce-disruptive-canary

/test pull-kubernetes-e2e-gce-kubelet-credential-provider

/test pull-kubernetes-e2e-gce-network-policies

/test pull-kubernetes-e2e-gce-network-proxy-grpc

/test pull-kubernetes-e2e-gce-serial

/test pull-kubernetes-e2e-gce-serial-canary

/test pull-kubernetes-e2e-gce-storage-disruptive

/test pull-kubernetes-e2e-gce-storage-selinux

/test pull-kubernetes-e2e-gce-storage-slow

/test pull-kubernetes-e2e-gce-storage-snapshot

/test pull-kubernetes-e2e-gci-gce-autoscaling

/test pull-kubernetes-e2e-gci-gce-ingress

/test pull-kubernetes-e2e-gci-gce-ipvs

/test pull-kubernetes-e2e-gci-gce-kube-dns-nodecache

/test pull-kubernetes-e2e-gci-gce-nftables

/test pull-kubernetes-e2e-kind-alpha-beta-features

/test pull-kubernetes-e2e-kind-alpha-features

/test pull-kubernetes-e2e-kind-beta-features

/test pull-kubernetes-e2e-kind-canary

/test pull-kubernetes-e2e-kind-cloud-provider-loadbalancer

/test pull-kubernetes-e2e-kind-dependencies

/test pull-kubernetes-e2e-kind-dual-canary

/test pull-kubernetes-e2e-kind-evented-pleg

/test pull-kubernetes-e2e-kind-golang-tip

/test pull-kubernetes-e2e-kind-ipv6

/test pull-kubernetes-e2e-kind-ipv6-canary

/test pull-kubernetes-e2e-kind-ipvs

/test pull-kubernetes-e2e-kind-kms

/test pull-kubernetes-e2e-kind-multizone

/test pull-kubernetes-e2e-kind-nftables

/test pull-kubernetes-e2e-storage-kind-disruptive

/test pull-kubernetes-e2e-storage-kind-volume-group-snapshots

/test pull-kubernetes-e2e-unit-dependencies

/test pull-kubernetes-e2e-unit-golang-tip

/test pull-kubernetes-integration-race

/test pull-kubernetes-kind-dra

/test pull-kubernetes-kind-dra-all

/test pull-kubernetes-kind-dra-all-canary

/test pull-kubernetes-kind-dra-all-slow

/test pull-kubernetes-kind-dra-all-slow-canary

/test pull-kubernetes-kind-dra-canary

/test pull-kubernetes-kind-dra-n-1

/test pull-kubernetes-kind-dra-n-1-canary

/test pull-kubernetes-kind-dra-n-2

/test pull-kubernetes-kind-dra-n-2-canary

/test pull-kubernetes-kind-json-logging

/test pull-kubernetes-kind-text-logging

/test pull-kubernetes-kubemark-e2e-gce-big

/test pull-kubernetes-linter-hints

/test pull-kubernetes-local-e2e

/test pull-kubernetes-node-arm64-e2e-containerd-ec2

/test pull-kubernetes-node-arm64-e2e-containerd-serial-ec2

/test pull-kubernetes-node-arm64-ubuntu-serial-gce

/test pull-kubernetes-node-crio-cgrpv1-evented-pleg-e2e

/test pull-kubernetes-node-crio-cgrpv2-e2e

/test pull-kubernetes-node-crio-cgrpv2-e2e-canary

/test pull-kubernetes-node-crio-cgrpv2-imagefs-e2e

/test pull-kubernetes-node-crio-cgrpv2-imagevolume-e2e

/test pull-kubernetes-node-crio-cgrpv2-splitfs-e2e

/test pull-kubernetes-node-crio-cgrpv2-userns-e2e-serial

/test pull-kubernetes-node-crio-e2e

/test pull-kubernetes-node-e2e-alpha-ec2

/test pull-kubernetes-node-e2e-containerd-1-7-dra

/test pull-kubernetes-node-e2e-containerd-1-7-dra-canary

/test pull-kubernetes-node-e2e-containerd-2-0-dra

/test pull-kubernetes-node-e2e-containerd-2-0-dra-canary

/test pull-kubernetes-node-e2e-containerd-alpha-features

/test pull-kubernetes-node-e2e-containerd-ec2

/test pull-kubernetes-node-e2e-containerd-features

/test pull-kubernetes-node-e2e-containerd-features-kubetest2

/test pull-kubernetes-node-e2e-containerd-kubelet-psi

/test pull-kubernetes-node-e2e-containerd-kubetest2

/test pull-kubernetes-node-e2e-containerd-serial-ec2

/test pull-kubernetes-node-e2e-containerd-standalone-mode

/test pull-kubernetes-node-e2e-containerd-standalone-mode-all-alpha

/test pull-kubernetes-node-e2e-cri-proxy-serial

/test pull-kubernetes-node-e2e-crio-cgrpv1-dra

/test pull-kubernetes-node-e2e-crio-cgrpv1-dra-canary

/test pull-kubernetes-node-e2e-crio-cgrpv2-dra

/test pull-kubernetes-node-e2e-crio-cgrpv2-dra-canary

/test pull-kubernetes-node-e2e-resource-health-status

/test pull-kubernetes-node-kubelet-containerd-flaky

/test pull-kubernetes-node-kubelet-credential-provider

/test pull-kubernetes-node-kubelet-serial-containerd

/test pull-kubernetes-node-kubelet-serial-containerd-alpha-features

/test pull-kubernetes-node-kubelet-serial-containerd-kubetest2

/test pull-kubernetes-node-kubelet-serial-containerd-sidecar-containers

/test pull-kubernetes-node-kubelet-serial-cpu-manager

/test pull-kubernetes-node-kubelet-serial-cpu-manager-kubetest2

/test pull-kubernetes-node-kubelet-serial-crio-cgroupv1

/test pull-kubernetes-node-kubelet-serial-crio-cgroupv2

/test pull-kubernetes-node-kubelet-serial-hugepages

/test pull-kubernetes-node-kubelet-serial-memory-manager

/test pull-kubernetes-node-kubelet-serial-podresources

/test pull-kubernetes-node-kubelet-serial-topology-manager

/test pull-kubernetes-node-kubelet-serial-topology-manager-kubetest2

/test pull-kubernetes-node-swap-conformance-fedora-serial

/test pull-kubernetes-node-swap-conformance-ubuntu-serial

/test pull-kubernetes-node-swap-fedora

/test pull-kubernetes-node-swap-fedora-serial

/test pull-kubernetes-node-swap-ubuntu-serial

/test pull-kubernetes-scheduler-perf

/test pull-kubernetes-unit-windows-master

/test pull-publishing-bot-validate

Use /test all to run the following jobs that were automatically triggered:

pull-kubernetes-cmd

pull-kubernetes-conformance-kind-ga-only-parallel

pull-kubernetes-dependencies

pull-kubernetes-e2e-ec2

pull-kubernetes-e2e-gce

pull-kubernetes-e2e-kind

pull-kubernetes-integration

pull-kubernetes-linter-hints

pull-kubernetes-node-e2e-containerd

pull-kubernetes-typecheck

pull-kubernetes-unit

pull-kubernetes-verify

In response to this:

/test unit

Error appears to be completely unrelated

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@JoelSpeed
Copy link
Contributor Author

/test pull-kubernetes-unit

@JoelSpeed
Copy link
Contributor Author

@cici37 I've added the test case you requested

@JoelSpeed JoelSpeed mentioned this pull request Jul 21, 2025
Open
@cici37
Copy link
Contributor

cici37 commented Jul 21, 2025

Thank you for the fix!
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 21, 2025
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 0ce27de7978691ed49692bc2861db4752d465d18

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cici37, JoelSpeed
Once this PR has been reviewed and has the lgtm label, please ask for approval from jpbetz. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cici37 cici37 Awaiting requested review from cici37

@jpbetz jpbetz Awaiting requested review from jpbetz

Assignees

@jpbetz jpbetz

@cici37 cici37

Labels
area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@JoelSpeed @seans3 @jpbetz @cici37 @k8s-ci-robot
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy