Implementing Validation Webhooks on top of existing resource types?

6 views
Skip to first unread message

Billy Lynch

unread,
Feb 25, 2022, 1:47:07 PMFeb 25
to knativ...@googlegroups.com, Yongxuan Zhang
knative.dev/pkg AdmissionController question - We’re trying to implement a validation admission webhook on top of an existing resource type. The idea is to layer this new webhook on top of the existing CRD webhook (which is also using a knative controller) to add extra optional validation. 

Our hope was to use the existing validation.NewAdmissionController so we could reuse all the webhook config reconciling behavior, but we can’t use the existing CRD types directly since Knative will just invoke the CRDs Validatable interface.

One idea we had to get around this was to set up the handlers to point to a new type that embeds the underlying CRD - e.g. something like:

```
type customMyKindValidate struct {
  v1beta1.MyKind
}

func (*customMyKindValidate) Validate(ctx context.Context) *apis.FieldError {
  ...
}

validation.NewAdmissionController(ctx,
  name,
  "/validate",
   v1beta1.SchemeGroupVersion.WithKind("MyKind"): &customMyKindValidate{},
  ...
)
```

We weren’t sure if this was the best approach since we’d have to reimplement client-go generated funcs like `DeepObjectCopy` for things to play nice.
We're also looking at the Callback type and could just remarshal the Unstructured type into the expected type, but we weren't sure if this was a good fit either.

Thoughts on either approach? Is there something else we should consider instead?
Thanks!

David Protasowski

unread,
Feb 25, 2022, 1:58:55 PMFeb 25
to knativ...@googlegroups.com, Billy Lynch, Yongxuan Zhang
net-istio took the approach of using a custom type to label deployments


It's not too difficult to setup since there's tooling to generate the deep copy funcs. 

The callback approach with unstructured types is there so you don't have to opt into our opinionated resource type approach.

We used this as part of our podspec dry-run (which is opt-in) 




From: 'Billy Lynch' via Knative Users <knativ...@googlegroups.com>
Sent: Friday, February 25, 2022 1:46 PM
To: knativ...@googlegroups.com <knativ...@googlegroups.com>
Cc: Yongxuan Zhang <yongxu...@google.com>
Subject: Implementing Validation Webhooks on top of existing resource types?
 
--
You received this message because you are subscribed to the Google Groups "Knative Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to knative-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/knative-users/CAHqgvTSHQEyfP8cYYtKsY3UgazAb9geCY%2Bye4Qw5%2BfpD88sfyw%40mail.gmail.com.

Billy Lynch

unread,
Mar 1, 2022, 2:49:46 PMMar 1
to David Protasowski, knativ...@googlegroups.com, Yongxuan Zhang
Thanks for the links! Glad to know we're on the right track. :)
Reply all
Reply to author
Forward
0 new messages