Prevent invalid custom resources (appdefinition, session, workspace)

[jfaltermeier]

Describe the bug

Invalid values in the custom resources may lead to crash loops or open attack vectors.

Resources:
https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation

https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules

Reproducer Session
theia-cloud branch osweek23-1
theia-cloud-helm branch osweek23-1
terraform test-configuration 2-01_try-now
kubectl apply -f osweek23/empty-session.yaml

Reproducer Workspace
theia-cloud branch osweek23-1
theia-cloud-helm branch osweek23-1
terraform test-configuration 2-01_try-now
kubectl apply -f osweek23/empty-workspace.yaml

Reproducer AppDefinition
theia-cloud branch osweek23-2
theia-cloud-helm branch osweek23-1
terraform test-configuration 2-01_try-now
kubectl apply -f osweek23/coffee-session.yaml

Expected behavior

• Preferably applying invalid CRs should not be possible. There might be shemas for CRDs.
• Validate all user input from CRs in code before using it (e.g. is this really valid container-image string? is this a injection attack? do the timeout values make sense?, ...)

Cluster provider

No response

Version

No response

Additional information

No response

[xai]

Since apiextensions.k8s.io/v1, preserveUnknownFields should be set to false by default, which leads to automatic pruning of unknown fields. So I assume that we do not have to care about these 😊

[github-actions]

This issue is stale because it has been open for 180 days with no activity.

[sgraband]

Keep open