Menu
I created a custom resource definition (CRD) and its controller in my cluster, now I can create custom resources, but how do I validate update requests to the CR? e.g., only certain fields can be updated.
271
The Kubernetes docs on Custom Resources has a section on Advanced features and flexibility (never mind that validating requests should be considered a pretty basic feature 😉). For validation of CRDs, it says:
Most validation can be specified in the CRD using OpenAPI v3.0 validation. Any other validations supported by addition of a Validating Webhook.
The OpenAPI v3.0 validation won't help you accomplish what you're looking for, namely ensuring immutability of certain fields on your custom resource, it's only helpful for stateless validations where you're looking at one instance of an object and determining if it's valid or not, you can't compare it to a previous version of the resource and validate that nothing has changed.
You could use Validating Webhooks. It feels like a heavyweight solution, as you will need to implement a server that conforms to the Validating Webhook contract (responding to specific kinds of requests with specific kinds of responses), but you will have the required data at least to make the desired determination, e.g. knowing that it's an UPDATE request and knowing what the old object looked like. For more details, see here. I have not actually tried Validating Webhooks, but it feels like it could work.
An alternative approach I've used is to store the user-provided data within the Status subresource of the custom resource the first time it's created, and then always look at the data there. Any changes to the Spec are ignored, though your controller can notice discrepancies between what's in the Spec and what's in the Status, and embed a warning in the Status telling the user that they've mutated the object in an invalid way and their specified values are being ignored. You can see an example of that approach here and here. As per the relevant README section of that linked repo, this results in the following behaviour:
The
AVAILABLEcolumn will show false if the UAA client for the team has not been successfully created. TheWARNINGcolumn will display a warning if you have mutated the Team spec after initial creation. TheDIRECTORcolumn displays the originally provided value forspec.directorand this is the value that this team will continue to use. If you do attempt to mutate theTeamresource, you can see your (ignored) user-provided value with the-o wideflag:$ kubectl get team --all-namespaces -owide NAMESPACE NAME DIRECTOR AVAILABLE WARNING USER-PROVIDED DIRECTOR test test vbox-admin true vbox-adminIf we attempt to mutate the
spec.directorproperty, here's what we will see:$ kubectl get team --all-namespaces -owide NAMESPACE NAME DIRECTOR AVAILABLE WARNING USER-PROVIDED DIRECTOR test test vbox-admin true API resource has been mutated; all changes ignored bad-new-director-name
196
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
