Kube Gateway Policy Validation #9456
Visit the preview URL for this PR (updated for commit 79f32a6): https://gloo-edge--pr9456-ggv2-validation-9fqddthj.web.app (expires Thu, 23 May 2024 17:29:06 GMT) 🔥 via Firebase Hosting GitHub Action 🌎 Sign: 77c2b86e287749579b7ff9cadb81e099042ef677
Looking great! I like the direction, accepting it as a viable solution in the short-term
install/helm/gloo/templates/5-gateway-validation-webhook-configuration.yaml
projects/gateway/pkg/services/k8sadmission/validating_admission_webhook.go
test/kubernetes/e2e/k8sgateway/k8s_gw_test_no_validation_test.go
LGTM!
Per standup, @jbohanon @npolshakova @sam-heilbron are happy to have this merge as is. Sam is going to resolve the comments to allow the PR to merge
/kick build-bot
Description
Implements webhook validation for Gloo Gateway Policies in the context of Kubernetes Gateway API.
RouteOption and VirtualHostOption CRs will be hermetically validated to prevent admission for semantically incorrect resources. Referential errors (i.e. "warnings" in the Gloo Edge API) will not be checked.
Context
Validation is implemented in the existing webhook but does NOT do a full translation like the original Gloo Edge API validation. There are many challenges associated with performing a full translation (see design doc for more analysis).
This approach gives us semantic validation/rejection via a webhook without needing a snapshot-based full translation.
Testing steps
Manually verified with resources such as:
Still exploring how we can test this in the new e2e testing framework
Checklist:
BOT NOTES:
resolves https://github.com/solo-io/solo-projects/issues/6063
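A sketch of the hermetic check the description refers to, added here as an illustration and not taken from this PR or from Gloo's code: the handler decides from the submitted object alone, fails closed on undecodable input, and never resolves references. The `review` function, the `spec.options.timeout` rule, the `targetRef` field in the sample and the request JSON are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Subset of an admission.k8s.io/v1 AdmissionReview request.
type reviewIn struct {
	Request struct {
		Object json.RawMessage `json:"object"`
	} `json:"request"`
}

// Hypothetical policy shape: the timeout rule is assumed for illustration.
type policy struct {
	Kind string `json:"kind"`
	Spec struct {
		Options struct{ Timeout string `json:"timeout"` } `json:"options"`
	} `json:"spec"`
}

// review looks only at the submitted object (no cluster reads), so semantic
// errors are rejected while references to missing objects are never checked.
func review(in []byte) (allowed bool, msg string) {
	var ar reviewIn
	if err := json.Unmarshal(in, &ar); err != nil {
		return false, "malformed AdmissionReview: " + err.Error()
	}
	var p policy
	if err := json.Unmarshal(ar.Request.Object, &p); err != nil {
		return false, "cannot decode object: " + err.Error() // fail closed
	}
	t := p.Spec.Options.Timeout
	if (p.Kind == "RouteOption" || p.Kind == "VirtualHostOption") && t != "" {
		if d, err := time.ParseDuration(t); err != nil || d < 0 {
			return false, fmt.Sprintf("%s: invalid spec.options.timeout %q", p.Kind, t)
		}
	}
	return true, ""
}

func main() {
	// Constructed request: negative timeout; the targetRef is never resolved.
	in := `{"request":{"object":{"kind":"RouteOption","spec":{"targetRef":{"name":"no-such-route"},"options":{"timeout":"-5s"}}}}}`
	allowed, msg := review([]byte(in))
	fmt.Println(allowed, msg)
}
```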