Open clux opened 10 months ago
This would be a great feature. Looking for how to enforce immutability
FWIW here is a better example, that allows to preserve existing schema - https://github.com/s3rius/kuo/blob/4c83b4033093e84035cefb0f5a22c46c7b9d471c/src/crds/managed_user.rs#L70-L84
That example is really useful @azat, thank you.
We could maybe create a higher level version of that that allows generating schema modifying functions like that, if we can curry the "rule" and "message" as initial arguments, and return the mutating fn from this.
There is a slew of
x-kubernetes
extension properties that is usable inside CRD schemas to improve the validation and merge behaviour of structures of members.From Kubernetes 1.25 this is being leaned into even more heavily with x-kubernetes-validations rules on CRD schemas:
This type of validation makes it possible to write controllers with much richer type of native validation without having to lean on the clunkier admission controllers / admission controller frameworks to manage extraneous policy rules - and has a lot of potential use. There's a KubeConNA'23 talk called Declarative Everything that explores this and the direction of the feature from sig apimachinery.
Current Usage
Such properties can be specified via
schemars
attributes to override the schema generation for a type as per https://github.com/kube-rs/kube/blob/3a4f72414a4ad3733c2683514abff1924271759d/examples/crd_derive_schema.rs#L84-L102This is not ideal because you then have to manage all the other schema properties for that type yourself.
Ideas
Schemars Extensions
To properly support adding properties like this, it would be interesting to see if
schemas
which has support for a large amount of attributes already, could be enhanced with akubernetes
attribute feature set to allow stuff like e.g.:Have asked upstream about what they think about this in https://github.com/GREsau/schemars/issues/258
CEL Crate?
Maybe it's better to start some of this from a CEL POV because maybe we want to be able to run validations we put into CEL rules locally. In this case a crate that allows us to do something like
in either case we probably still need something in
schemars
so that the rules are forwarded into the schema, but it means we will have our own properties (like serde/validator) that schemars can pickup on later.And we likely would need a new crate or majorly extend the cel-parser / cel-interpreter crate (both of which live in cel-rust).