github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-10-06 02:26:07 +00:00
Code Issues Projects Releases Wiki Activity

DRA cel: enforce runtime limit by default again

Browse Source 
As pointed out during code review, the CEL cost estimates are not considered
perfectly reliable. Therefore it is better to also do runtime checks.

Some downstream users might decide to allow CEL expressions to run
longer. Therefore the cost limit is now part of an Options struct.
kube-scheduler uses the default cost limit defined in the resource.k8s.io API,
which is the same cost limit that also the apiserver uses during validation.
This commit is contained in:
Patrick Ohly
2024-10-23 21:15:05 +02:00
parent 021c9fb92f
commit d53cb79cec
6 changed files with 40 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/apis/resource/validation/validation.go
View File

@@ -176,7 +176,7 @@ func validateCELSelector(celSelector resource.CELDeviceSelector, fldPath *field.
return allErrs
}
result := dracel.GetCompiler().CompileCELExpression(celSelector.Expression, envType)
result := dracel.GetCompiler().CompileCELExpression(celSelector.Expression, dracel.Options{EnvType: &envType})
if result.Error != nil {
allErrs = append(allErrs, convertCELErrorToValidationError(fldPath.Child("expression"), celSelector.Expression, result.Error))
} else if result.MaxCost > resource.CELSelectorExpressionMaxCost {