Install a validating webhook for Gateway API custom resources #3416

Closed
Tracked by #3445
jpeach opened this issue Dec 2, 2021 · 6 comments · Fixed by #4072
Labels
area/gateway Built-in Kuma gateway support area/k8s kind/feature New feature triage/accepted The issue was reviewed and is complete enough to start working on it triage/stale Inactive for some time. It will be triaged again

Comments

@jpeach
Contributor

jpeach commented Dec 2, 2021

Description

Gateway API has a validating webhook because not all the invariants of the API can be enforced by CRD validation. We need to install the validation webhook for the Gateway API types, though not necessarily as a separate controller. I expect that the gateway controller can be the admission controller, since the validation is exposed as a public package in the gateway Go module.

https://github.com/kubernetes-sigs/gateway-api/blob/master/deploy/admission_webhook.yaml

@jpeach jpeach added triage/pending This issue will be looked at on the next triage meeting kind/feature New feature area/gateway Built-in Kuma gateway support labels Dec 2, 2021
@lahabana lahabana added triage/accepted The issue was reviewed and is complete enough to start working on it and removed triage/pending This issue will be looked at on the next triage meeting labels Dec 6, 2021
@jpeach
Contributor Author

jpeach commented Dec 6, 2021

triage: We want this because there's no other machinery that installs the webhook and it's better to give early feedback for users.

@michaelbeaumont
Contributor

michaelbeaumont commented Jan 3, 2022

> I expect that the gateway controller can be the admission controller, since the validation is exposed as a public package in the gateway Go module.

I think we may want to separate our validation from core Gateway API validation since our validator will end up validating resources of a different gatewayClass which may be unexpected behavior. It's not clear who's responsible for the webhook, so users might end up installing the upstream webhook to validate all their Gateway resources on their own.

@jpeach
Contributor Author

jpeach commented Jan 5, 2022

> > I expect that the gateway controller can be the admission controller, since the validation is exposed as a public package in the gateway Go module.
>
> I think we may want to separate our validation from core Gateway API validation since our validator will end up validating resources of a different gatewayClass which may be unexpected behavior. It's not clear who's responsible for the webhook, so users might end up installing the upstream webhook to validate all their Gateway resources on their own.

In principle, it's OK for multiple controllers to validate gateway resources. Could be a trap if someone has some buggy validation though.

@github-actions
Contributor

github-actions bot commented Feb 5, 2022

This issue was inactive for 30 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it promptly or attend the next triage meeting.

@github-actions github-actions bot added the triage/stale Inactive for some time. It will be triaged again label Feb 5, 2022
@lahabana
Contributor

xref #3905

@michaelbeaumont
Contributor

See also kubernetes-sigs/gateway-api#1005
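
Added example, not part of the issue thread or Kuma's code: the scoping concern raised in the comments above (a webhook judging Gateways of a different gatewayClass), shown as an admission check that validates a Gateway only when its GatewayClass names a hypothetical `ourController`. `classCache`, `Review`, `Sample` and the TCP/UDP hostname rule are assumptions standing in for a real GatewayClass lookup and the upstream validation package.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical controllerName and GatewayClass cache (class name -> spec.controllerName).
const ourController = "example.com/gateway-controller"
var classCache = map[string]string{"ours": ourController, "theirs": "example.net/other"}

// admissionReview mirrors only the fields used; untagged names match JSON keys case-insensitively.
type admissionReview struct {
	Request struct {
		Object struct {
			Spec struct {
				GatewayClassName string
				Listeners        []struct{ Name, Protocol, Hostname string }
			}
		}
	}
}

// Review validates a Gateway only when its class belongs to ourController.
func Review(body []byte, classes map[string]string) (bool, string, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return false, "", err
	}
	gw := ar.Request.Object.Spec
	if classes[gw.GatewayClassName] != ourController {
		return true, "", nil // another implementation's Gateway: not ours to reject
	}
	for _, l := range gw.Listeners { // stand-in rule: no hostname on TCP/UDP listeners
		if (l.Protocol == "TCP" || l.Protocol == "UDP") && l.Hostname != "" {
			return false, fmt.Sprintf("listener %q: hostname set on %s", l.Name, l.Protocol), nil
		}
	}
	return true, "", nil
}
// Sample returns a constructed AdmissionReview for a Gateway of the given class.
func Sample(class string) []byte {
	return []byte(fmt.Sprintf(`{"request":{"uid":"u1","object":{"spec":{"gatewayClassName":%q,`+
		`"listeners":[{"name":"tcp","protocol":"TCP","hostname":"a.example.com"}]}}}}`, class))
}
func main() {
	fmt.Println(Review(Sample("ours"), classCache))
	fmt.Println(Review(Sample("theirs"), classCache))
}
```

The same invalid listener is rejected for the class this controller owns and admitted untouched for any other class, so a bug in this validator cannot block another implementation's Gateways.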
