Open sbueringer opened 1 year ago
/triage accepted I think this is an interesting exploration to carry on
/help
@fabriziopandini: This request has been marked as needing help from a contributor.
Please ensure that the issue body includes answers to the following questions:
For more details on the requirements of such an issue, please see here and ensure that they are met.
If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help
command.
apiVersion: cluster.x-k8s.io/v1beta1
kind: ClusterClass
metadata:
name: quick-start
namespace: default
spec:
....
....
- name: podSecurityStandard
required: false
schema:
openAPIV3Schema:
properties:
audit:
default: restricted
description: audit sets the level for the audit PodSecurityConfiguration
mode. One of privileged, baseline, restricted.
type: string
enabled:
default: true
description: enabled enables the patches to enable Pod Security Standard
via AdmissionConfiguration.
type: boolean
enforce:
default: baseline
description: enforce sets the level for the enforce PodSecurityConfiguration
mode. One of privileged, baseline, restricted.
type: string
warn:
default: restricted
description: warn sets the level for the warn PodSecurityConfiguration
mode. One of privileged, baseline, restricted.
type: string
type: object
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
....
I wanted to try writing CEL expressions in ClusterClass variables
, but I failed. I received an error message strict decoding error: unknown field "spec.variables[3].schema.openAPIV3Schema.x-kubernetes-validations"
.
Has to be implemented first
Can i pick up this issue?
/assign
Question: did we consider using validating admission policies instead? https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/
Variable schema including cel that validates variable values is basically the same as schema validation in CRDs that validates CRs
I'm not sure how we would do this with validating admission policy. Especially when the variable schema is provided by a runtime extension. Would this mean the runtime extension has to generate validating admission policies who match on variable values with specific names in a Cluster? (and also match on the ClusterClass used in a Cluster)
"Inline" CEL in variable schemas like in CRDs seems more straightforward and easy to use to me. IIRC we also run the variable validation in the cluster topology controller today. So we either couldn't do this with the cel validation or we would have to find a way to run validating admission policies in our controller.
But I'm not super familiar with validating admission policies, I might miss something obvious.
/priority backlog
What would you like to be added (User Story)?
As a user it would be nice if I could use CEL to validate ClusterClass variables.
Detailed Description
Context:
Links:
Anything else you would like to add?
If there is interest in the community, it could be interesting to explore if we could also integrate CEL into variable validation. Today we already use the upstream code for OpenAPI schema validation. We could probably get CEL validation almost for free (as it's probably implemented in the code we already use)
Label(s) to be applied
/kind feature /area topology One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels.