-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
webhook: support validation rules #2885
base: master
Are you sure you want to change the base?
Conversation
- reject: Missing application label, see https://example.test/reference/labels-selectors/#application | ||
when: | | ||
request.kind.kind in ["Ingress", "RouteGroup"] && ( | ||
!has(request.object.metadata.labels) || | ||
!has(request.object.metadata.labels.application) || | ||
request.object.metadata.labels.application == '' | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We may also implement
rules:
- warning: Feature X will be deprecated
when: request.kind.kind == "RouteGroup" && ...
that would allow request with warnings, see 9281783
I would assume that you would share pros and cons and why it's better than what we have today. |
This approach allows skipper operator to define custom rules that may be specific to a given setup or contain sensitive bits. Alternative is to deploy closed-source webhook written in go.
Its possible, see TODO comment #2885 (comment), I decided not to invest into it until we decide to move forward with this (or abandon the idea). |
90dbd9d
to
99e05b3
Compare
9c94c55
to
b2a5214
Compare
Add new webhook admitter that evaluates Ingresses and RouteGroups against a set of rules. Each rule defines properties of matching resource and rejection message. The implementation uses [Common Expression Language](https://github.com/google/cel-spec) to match properties which is also used in [Kubernetes](https://kubernetes.io/docs/reference/using-api/cel/). Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
b2a5214
to
f34f663
Compare
Add new webhook admitter that evaluates Ingresses and RouteGroups against a set of rules.
Each rule defines properties of matching resource and rejection message.
The implementation uses Common Expression Language to match properties which is also used in Kubernetes.