2

I'm developing a controller with a CRD. The CRD includes our custom stuff along with an embedded core.v1.PodSpec. (v1.13.1)

I define a validation section in the CRD that can validate and enforce constraints on our custom fields, but I can't figure out how to do this for the embedded PodSpec. PodSpec is far too large and has far too many options to manually add this to the validation section of the CRD:

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: mystuff.example.com
spec:
  group: mystuff.example.com
  versions:
    - name: v1alpha1
      served: true
      storage: true
  names:
    kind: MyStuff
    plural: mystuffs
    singular: mystuff
    shortNames:
    - ms
  scope: Namespaced
  additionalPrinterColumns:
  - JSONPath: .status.phase
    name: Status
    type: string
  - JSONPath: .metadata.resourceVersion
    name: Version
    type: string
  validation:
    openAPIV3Schema:
      properties:
        spec:
          required:
            - myVar1
            - myVar2
            - podSpec
          properties:
            myVar1:
              type: boolean
            myVar2:
              type: boolean
            # Here I need to validate a valid core.v1.PodSpec
            podSpec:
              type: core.v1.PodSpec

How do other people approach this?

I also need validation for any mechanism by which a user can submit a workload, i.e. directly using the kube apiserver or with kubectl.

Thanks for any help.

2 Answers

1

In general, a CRD doesn't allow you to put references to other objects. There was a discussion on that: https://github.com/kubernetes/kubernetes/issues/54579. The decision was made not to add references.

A workaround is described in this comment: https://github.com/kubernetes/kubernetes/issues/54579#issuecomment-370372942. I haven't used it, but you may try it.

Vasili Angapov
  • Yea I stumbled onto that but it seems to have been abandoned since v1.9. I haven't been able to get this approach to work. –  May 08 '19 at 17:33
  • Did you have another approach to perform validation, or a sample example which can be referred to for the suggested approach? – PREETI BANSAL Dec 23 '19 at 10:19
0

There are multiple ways to perform CRD validation. Static validation via .validation is one way, as you know. The other way is to perform dynamic validation via a ValidatingAdmissionWebhook. This allows you to implement and deploy a server that the Kubernetes API server will call just prior to resource admission.

frankgreco
  • To use a web hook in this manner, does this mean I need to develop and run a controller/operator (or whatever you wanna call it), in addition to the controller for my CRD itself, that kubernetes in turn will contact to validate any workloads submitted using my CRD? –  May 08 '19 at 18:31
  • Yes, you would deploy a stateless microservice. Here is an example: https://github.com/northwesternmutual/kanali/blob/master/pkg/middleware/validator.go – frankgreco May 08 '19 at 20:14
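
One way to write the check such a validating webhook performs on the embedded PodSpec, as an added example that is not code from this thread or from the linked project: the `podSpec` field is decoded strictly into a typed struct, so unknown or misspelled keys are refused before the semantic checks run. The `podSpec` type is a constructed standard-library stand-in for `corev1.PodSpec`, and the `validate` name and the sample request are assumptions; serving the function over HTTPS to the API server is outside the block.

```go
package main

import (
	"bytes"
	"encoding/json"
	"os"
)

// Constructed stand-in for k8s.io/api/core/v1.PodSpec so this runs on the
// standard library alone; a real webhook would decode into corev1.PodSpec.
type podSpec struct {
	Containers []struct{ Name, Image string }
}

// validate returns the request UID and, when the object is rejected, the reason.
func validate(body []byte) (uid, reason string) {
	// AdmissionReview fields read here (json matches keys case-insensitively).
	var ar struct {
		Request struct {
			UID    string
			Object struct{ Spec struct{ PodSpec json.RawMessage } }
		}
	}
	if err := json.Unmarshal(body, &ar); err != nil {
		return "", "malformed AdmissionReview: " + err.Error()
	}
	uid = ar.Request.UID
	dec := json.NewDecoder(bytes.NewReader(ar.Request.Object.Spec.PodSpec))
	dec.DisallowUnknownFields() // reject keys the PodSpec type does not define
	var ps podSpec
	if err := dec.Decode(&ps); err != nil {
		return uid, "spec.podSpec: " + err.Error()
	}
	ok := len(ps.Containers) > 0
	for _, c := range ps.Containers {
		ok = ok && c.Name != "" && c.Image != ""
	}
	if !ok {
		return uid, "spec.podSpec needs at least one container, each with a name and an image"
	}
	return uid, ""
}

func main() {
	body := []byte(`{"request":{"uid":"constructed-uid","object":{"spec":{"podSpec":{"containerz":[]}}}}}`)
	uid, reason := validate(body) // constructed request; "containers" is misspelled
	json.NewEncoder(os.Stdout).Encode(map[string]interface{}{"response": map[string]interface{}{
		"uid": uid, "allowed": reason == "", "status": map[string]string{"message": reason}}})
}
```

Because the API server calls the webhook for every create or update of the resource, the same check applies whether the object arrives through kubectl or a direct API call.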