KEP-2876: CRD Validation Expression Language #2877
Conversation
…nts into crd-expression-lang-kep
[WIP] Add WebAssembly alternative section.
Update the KEP for validation
…nhancements into cici37-crd-expression-lang-kep
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
kind/kep
jpbetz
force-pushed
the
crd-expression-lang-kep
branch
from
e5c4577
to
c9e5fe2
Compare
|
This is exciting; we've been holding out for something like this (or considering building it) for @crossplane. |
keps/sig-api-machinery/2876-crd-validation-expression-language/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2876-crd-validation-expression-language/README.md
Show resolved
Hide resolved
keps/sig-api-machinery/2876-crd-validation-expression-language/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2876-crd-validation-expression-language/README.md
Outdated
Show resolved
Hide resolved
kikisdeliveryservice
changed the title
Update status to be implementable.
jpbetz
force-pushed
the
crd-expression-lang-kep
branch
from
5f24473
to
0628179
Compare
| operation, it should be safe to integrate. | ||
|
|
||
| Additional limits we can put in place, as needed, include: | ||
| - A max execution time limit to but could bound running time of CEL programs. This would require |
There was a problem hiding this comment.
which means a CEL program may timeout, and thus, may fail. Similar to webhook, there may be need of a policy about whether to deny or allow it when the validation fails.
There was a problem hiding this comment.
I don't think we'd ever allow if a validation rule timed out.
There was a problem hiding this comment.
Which means failure policy will not be implemented here
There was a problem hiding this comment.
CEL evaluations are multiple orders of magnitude faster than typical webhook invocations... I suspect we'd bound the CEL expression complexity and handle timeouts the same way we would if etcd caused a write operation to timeout by returning a generic server timeout error
There was a problem hiding this comment.
It make perfect sense to treat runtime CEL failures as an internal error, just like the write timeout case. I think it would still be helpful to mention that in the KEP.
There was a problem hiding this comment.
Good news. The complexity estimation is already there. https://github.com/jinmmin/cel-go/blob/a661c99f8e27676c70fc00f4f328476ca4dcdb7f/cel/program.go#L265
There was a problem hiding this comment.
+1 to using complexity estimations. I think I also agree that a server timeout error is appropriate. I'll make some notes in the KEP.
|
There is no mention of how a user should test their embedded expressions. Something that runs the validation with a given set of input/output could help. With this feature, working on full-stack YAML can be so complicated that we may need a testing framework for that. |
jpbetz
force-pushed
the
crd-expression-lang-kep
branch
from
0628179
to
0cc4c90
Compare
keps/sig-api-machinery/2876-crd-validation-expression-language/README.md
Outdated
Show resolved
Hide resolved
jpbetz
force-pushed
the
crd-expression-lang-kep
branch
from
0cc4c90
to
a09fb45
Compare
k8s-ci-robot
removed
the
do-not-merge/invalid-commit-message
|
/label tide/merge-method-squash holding to prevent instant merge. I think we've got all blocking comments in, but I'll quickly solicit to be sure. |
k8s-ci-robot
added
do-not-merge/hold
…/README.md Co-authored-by: David Eads <deads2k@users.noreply.github.com>
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, jpbetz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
jpbetz
force-pushed
the
crd-expression-lang-kep
branch
from
e7d1f84
to
c01fcb1
Compare
|
no blocking comments remaining from me |
|
/hold cancel I saw an earlier version and I don't think this needs to wait for another look from me. 👍 |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/lgtm |
k8s-ci-robot
added
the
lgtm
* WIP * WIP * add alternatives * Add WebAssembly alternative section. * Update the KEP for validation * update title to focus on validation, expand on alternatives * Replace TODOs with UNRESOLVED and flesh out risks * Update KEP * Update KEP based on feedback received. * Address SIG bi-weekly feedback * Add PRR review. Update status to be implementable. * Remove security review. * Apply feedback * Fill out PRR questionare * Clarify semantic equality * Address unsolved section. * Move type field into future work * Fix toc checking. * Address need for test for rollback * Add graduation criteria for beta * Add test plan and graduation criteria * Address liggitts feedback * Update keps/sig-api-machinery/2876-crd-validation-expression-language/README.md Co-authored-by: David Eads <deads2k@users.noreply.github.com> * Add comments about CEL expression complexity Co-authored-by: Kermit Alexander <kermitalexandr@google.com> Co-authored-by: cici37 <cicih@google.com> Co-authored-by: David Eads <deads2k@users.noreply.github.com>
One-line PR description: KEP to allow an Expression language to be used to validate custom resources
Issue link: CRD Validation Expression Language #2876
Primary goal is to allow the majority of the validation use cases that currently must be handled by a webhook, to instead be handled by adding inline validation expressions directly into the schema of a CRD.
cc @cici37 @leilajal @DangerOnTheRanger @deads2k @lavalamp @fedebongio @apelisse
/sig api-machinery