Introducing a ValidatingWebhook admission controller to validate specs #1019
Comments
Here is the perspective from argo-rollouts, and why we chose not to implement a ValidatingWebhook (at least not at this time) and instead chose to have Error conditions on the Rollout object
If failurePolicy is
Rollouts came to the conclusion that it would rather deal with malformed objects that somehow entered the cluster after the fact, and instead provide clear indications of a Rollout with an InvalidSpec. In the future, we may improve the user experience by complementing spec validation with a validating webhook with failurePolicy of Ignore. This would provide a better user experience since it catches the problem much earlier. But principally, the primary means of dealing with invalid objects in argo-rollouts are Error conditions, with the future possibility of complementing that with an optional but not mandatory validating webhook (failurePolicy: Ignore).
argo cli comes with
BTW -
Is your feature request related to a problem? Please describe.
Spec validation is something needed for all the CRD objects, for example, following operations are not expected, such as creating a Sensor object without defining any dependencies, updating auth strategy of an EventBus object, and so on.
Currently spec validation happens in the controller reconciliation, which means users will not know if the spec he/she provided, or the operation he/she did is allowed until he/she checks the status field of the CRD object.
Describe the solution you'd like
To let the user know if the spec or operation is valid earlier, we can introduce a ValidatingAdmissionWebhook, so that people can know the errors before the spec is stored in etcd.
This will introduce:
1. argo-events namespace, it implements the validation logic.
2. ValidatingWebhookConfigurations object for admission controller configuration. It will be automatically created by the deployment in 1.)
With this validating webhook, right after an invalid spec is applied, you will get an error message like below (assume a native EventBus requires a replica number >=3):
Additional context
This validating webhook will be included in the cluster scope installation spec, might not be in the namespace scope installation.
Message from the maintainers:
If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.
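As an added example (not code from Argo Events or from this issue), this is the AdmissionReview request/response handling such a validating webhook performs for the two example rules in the issue body, using only the Go standard library. The field paths `spec.nats.native.replicas` and `spec.dependencies`, the function names and the sample input are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed field paths, not from the issue: spec.nats.native.replicas, spec.dependencies.
type spec struct {
	NATS         struct{ Native *struct{ Replicas int } }
	Dependencies []json.RawMessage
}
// Subset of an admission.k8s.io/v1 AdmissionReview; JSON keys match case-insensitively.
type admissionReview struct {
	APIVersion, Kind string
	Request          *struct {
		UID    string
		Kind   struct{ Kind string }
		Object struct{ Spec spec }
	}
}

// Validate applies the two example rules from the issue; "" means valid.
func Validate(kind string, s spec) string {
	if n := s.NATS.Native; kind == "EventBus" && n != nil && n.Replicas < 3 {
		return fmt.Sprintf("native EventBus requires replicas >= 3, got %d", n.Replicas)
	}
	if kind == "Sensor" && len(s.Dependencies) == 0 {
		return "Sensor must define at least one dependency"
	}
	return ""
}

// Review turns one AdmissionReview request body into the reply body.
func Review(body []byte) ([]byte, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview")
	}
	resp := map[string]interface{}{"uid": in.Request.UID, "allowed": true}
	if msg := Validate(in.Request.Kind.Kind, in.Request.Object.Spec); msg != "" {
		resp["allowed"], resp["status"] = false, map[string]string{"message": msg}
	}
	return json.Marshal(map[string]interface{}{"apiVersion": in.APIVersion, "kind": in.Kind, "response": resp})
}

func main() {
	fmt.Println(Validate("Sensor", spec{})) // constructed input: Sensor with no dependencies
}
```

The reply must echo the request `uid`, and the `status.message` of a denied request is what the user sees from `kubectl apply`.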