Add Validation for NodeClassReference

kubernetes-sigs / karpenter

Karpenter is a Kubernetes Node Autoscaler built for flexibility, performance, and simplicity.

Apache License 2.0

627 stars 204 forks source link

Add Validation for NodeClassReference #1207

Closed jonathan-innis closed 3 months ago

jonathan-innis commented 6 months ago

Description

What problem are you trying to solve?

Right now, there's no CEL or webhook validation for what's passed through the NodeClassReference. This means that it can be easy to forget the version portion or not properly capitalize kinds, etc. when specifying the reference.

It probably also makes sense for the cloudprovider to inject its own CEL validation when it pulls the NodePool CRD into its helm chart (similar to what AWS does here in scripts: https://github.com/aws/karpenter-provider-aws/tree/main/hack/validation)

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

sftim commented 6 months ago

How about using a ValidatingAdmissionPolicy with a custom, singleton params kind, and then having controllers write to that custom resource based on a watch for their node class (or whatever).

We'd make the extra CRD part of the CRDs chart, leaving the controller to actually add make an instance of that CR and / or add itself in.

It's more to implement, but as a pattern it leaves room for multiple providers in one cluster, and it avoids [should avoid] the risk of different implementations clashing over CRD writes.

This is an outline, let me know if folks want details clarified.

k8s-triage-robot commented 3 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

njtran commented 3 months ago

This should be fixed in v1. We're doing validation for Group, but aren't doing validation for the others (name, kind)