Introduce a validating webhook for validation of extension resources #4293
Assignees
Labels
area/control-plane
Control plane related
area/ops-productivity
Operator productivity related (how to improve operations)
area/usability
Usability related
kind/enhancement
Enhancement, improvement, extension
priority/3
Priority (lower number equals higher priority)
Comments
gardener-robot
added
area/control-plane
|
/assign |
|
/cc @plkokanov |
|
In addition to the extension resources mentioned above, the validating webhook should also take care to validate etcd resources. We had a recent case where if we had such a validation in place, we could have prevented a rather severe issue from happening. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
How to categorize this issue?
/area control-plane
/area usability
/area ops-productivity
/kind enhancement
/priority 3
What would you like to be added:
Introduce a validating webhook to execute the existing validation of extension resources in https://github.com/gardener/gardener/tree/master/pkg/apis/extensions/validation. The natural place to host it would be the
seed-admission-controller.Why is this needed:
Currently, the validation of extension resources in https://github.com/gardener/gardener/tree/master/pkg/apis/extensions/validation is not executed, so this validation is essentially dead code. It was not seen as high priority so far since the contract is internal to Gardener - extension resources are only created and updated by
gardenletand we could assume this is done correctly.However, there are edge cases in which
gardenletcould create an invalid resource or e.g. attempt to update an immutable field, and without actually validating this could have some negative consequences, see for example this discussion: gardener/gardener-extension-provider-aws#362 (comment)./cc @timebertt @kris94
The text was updated successfully, but these errors were encountered: