Enforce immutable fields using CEL rules #4128
Comments
|
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as |
|
/fresh |
|
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as |
|
/fresh |
|
Reopening this and removing the good first issue tag. @NeerajNagure got the ball rolling in #5682, but I think we need to do a more thorough scan for immutable fields and replicate the pattern there. This will probably require someone familiar enough with Crossplane APIs to know what should and shouldn't be mutable. |
What problem are you facing?
Many Crossplane API fields are immutable - you can't change them after they're first set. Typically today when a field is immutable we'll let you update it, and will just silently ignore the update. This is obviously a terrible user experience.
We've wanted to be able to enforce immutability at the schema level for a long time, but until recently doing so was pretty involved. You essentially had to write a webhook (e.g. #727) for every type to enforce immutability.
Now with CEL and kubebuilder it's possible to do this much more conveniently with comment markers - see https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/. Once these comment markers are added any API server that supports CEL will reject updates to immutable fields.
How could Crossplane help solve your problem?
We should use CEL-based immutability.
In many cases we've already added
// +immutablecomment markers on fields we know are immutable. These comment markers don't do anything - they're just placeholders and should be replaced with CEL ones.The text was updated successfully, but these errors were encountered: