kedacore / keda

KEDA is a Kubernetes-based Event Driven Autoscaling component. It provides event driven scale for any container running in Kubernetes
https://keda.sh
Apache License 2.0
8.5k stars 1.08k forks

Provide the capability for 3rd parties to integrate in our validation webhook #4395

Open tomkerkhove opened 1 year ago

tomkerkhove commented 1 year ago

Proposal

Provide the capability for 3rd parties to integrate in our validation webhook so that they integrate their own logic.

This should be done by introducing a new CRD which defines an HTTP/gRPC endpoint that KEDA will call during validation. If the validation endpoint becomes unreachable/non-responding, then the status of the new CRD should reflect this but validation will be skipped for a while to avoid it causing KEDA to fail/time out.

Use-Case

Provide the capability for 3rd parties to integrate in our validation webhook so that they integrate their own logic.

This allows platform builders/cluster operators to enforce their own best practices and tie in to our validation process.

Is this a feature you are interested in implementing yourself?

No

Anything else?

No response

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

tomkerkhove commented 1 year ago

Any thoughts on this @kedacore/keda-maintainers?

zroubalik commented 1 year ago

We should have this.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

stale[bot] commented 1 year ago

This issue has been automatically closed due to inactivity.

pokgak commented 10 months ago

Since no one has commented on this yet: 3rd-party validation can be done with the upcoming feature ValidatingAdmissionPolicy without any changes required on KEDA's part.

https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/

Tomer20 commented 2 months ago

Good call @pokgak!

That configuration worked well for me:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "limit-apps-replicas.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments", "replicasets"]
  validations:
    - expression: "object.spec.replicas <= 10"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "limit-keda-replicas.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["keda.sh"]
      apiVersions: ["v1alpha1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["scaledobjects"]
  validations:
    - expression: "object.spec.maxReplicaCount <= 10"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "limit-apps-replicas-binding.example.com"
spec:
  policyName: "limit-apps-replicas.example.com"
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: k8s-limitations
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "limit-keda-replicas-binding.example.com"
spec:
  policyName: "limit-keda-replicas.example.com"
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: k8s-limitations
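
Added example, not part of the thread or of KEDA's own documentation: a variant of the ScaledObject policy above that guards the case where spec.maxReplicaCount is omitted. It assumes the field is optional on a ScaledObject, so the unguarded expression would fail to evaluate and, with failurePolicy: Fail, reject the request with an evaluation error instead of a clear message. The "-strict" and "-audit" names are hypothetical; the binding only warns and audits so violations can be observed before switching to Deny.

```yaml
# Added example. Names are hypothetical; the namespace label matches the
# configuration posted above.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "limit-keda-replicas-strict.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["keda.sh"]
      apiVersions: ["v1alpha1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["scaledobjects"]
  validations:
    # Rule 1: require the field, so a missing value yields a readable denial
    # rather than a CEL "no such key" evaluation error.
    - expression: "has(object.spec.maxReplicaCount)"
      message: "spec.maxReplicaCount must be set explicitly"
      reason: Invalid
    # Rule 2: enforce the limit. The has() guard short-circuits, so this rule
    # never dereferences an absent field; rule 1 reports that case.
    - expression: "!has(object.spec.maxReplicaCount) || object.spec.maxReplicaCount <= 10"
      messageExpression: "'spec.maxReplicaCount is ' + string(object.spec.maxReplicaCount) + ', limit is 10'"
      reason: Invalid
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "limit-keda-replicas-strict-audit.example.com"
spec:
  policyName: "limit-keda-replicas-strict.example.com"
  # Warn returns the message to the client, Audit records it in the API
  # server audit log; neither blocks the request. Replace with [Deny] to enforce.
  validationActions: [Warn, Audit]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: k8s-limitations
```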

zroubalik commented 1 month ago

@Tomer20 this is great, could you please contribute this to our documentation? Probably here: https://keda.sh/docs/2.15/operate/admission-webhooks/

Tomer20 commented 1 month ago

Sure thing @zroubalik 😄 Here's the PR, any feedback is welcome: https://github.com/kedacore/keda-docs/pull/1471.