Initial implementation of validation webhook #441
Conversation
istio-testing
added
the
do-not-merge/work-in-progress
googlebot
added
the
cla: yes
istio-testing
added
the
size/L
richardwxn
force-pushed
the
validate-webhook
branch
from
6fd3ed5 to
ccbdb82
Compare
istio-policy-bot
added
the
lifecycle/needs-triage
richardwxn
removed
the
lifecycle/needs-triage
richardwxn
force-pushed
the
validate-webhook
branch
from
ccbdb82 to
e610bf6
Compare
richardwxn
force-pushed
the
validate-webhook
branch
from
c50d4fc to
368f4b3
Compare
richardwxn
force-pushed
the
validate-webhook
branch
from
368f4b3 to
c93af51
Compare
richardwxn
removed
the
do-not-merge/work-in-progress
richardwxn
changed the title
istio-testing
added
the
do-not-merge/work-in-progress
istio-testing
removed
the
do-not-merge/work-in-progress
|
@richardwxn: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
What is the motivation for making a Webhook? We can do open API schema validation which gets us everything we want here, with way less complexity.
Two 2 webhooks we already have (galley/injector) already cause us a ton of pain, I am very hesitant to add another unless it is absolutely needed
|
@howardjohn I think the motivation here is that validation webhook can do more than openAPI schema check does(basic type, pattern, range checking). So now our custom validation logic is not doing much more than that, but it is being added more custom logic(I would add more details). Also this webhook is managed by controller-runtime manager, similar with controller, so we don't need to have extra deployment or so for it, making it simpler to maintain. |
|
@richardwxn I am not suggesting the openAPI check can do everything a webhook can do. Of course the webhook can do whatever validation it wants so its much more flexible. It is a huge pain to manage the certs and other issues involved though, so we shouldn't take it lightly to add a webhook. OpenAPI and webhook can coexist too. In my opinion, we the best option is to start with openAPI schema (which is still useful even if we add a webhook later) and only add a webhook if there are clearly defined benefits that openAPI does not provide |
|
+1 to @howardjohn's suggestion to start with OpenAPI schema first and only add the webhook later if the schema isn't sufficient. |
|
@howardjohn @ayj Yep, that makes sense. I would put this PR on hold for now and move the basic schema checking part to openAPI first. |
istio-testing
added
the
needs-rebase
|
@richardwxn: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Changes include:
3..Create configs for ValidatingWebhookConfiguration, Certificate/Issuer and update the corresponding operator service deployment
Update at 11/12:
Thanks for the help of @martonsereg , we update the matching rules of webhook configuration to be plural form of IstioControlPlane, otherwise the admission request would not trigger the validation call.