From 3c473019482b7ac003152cae9491c82099de04bc Mon Sep 17 00:00:00 2001 From: June Han Date: Mon, 15 Apr 2024 21:53:38 +0900 Subject: [PATCH] Add explanations for `validations.keda.sh/hpa-ownership` (#1358) Signed-off-by: June Han Co-authored-by: Zbynek Roubalik --- content/docs/2.14/concepts/scaling-deployments.md | 13 +++++++++++-- content/docs/2.14/operate/admission-webhooks.md | 2 ++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/content/docs/2.14/concepts/scaling-deployments.md b/content/docs/2.14/concepts/scaling-deployments.md index 3780bd4fc..87eb7d395 100644 --- a/content/docs/2.14/concepts/scaling-deployments.md +++ b/content/docs/2.14/concepts/scaling-deployments.md @@ -39,8 +39,8 @@ kind: ScaledObject metadata: name: {scaled-object-name} annotations: - scaledobject.keda.sh/transfer-hpa-ownership: "true" # Optional. Use to transfer an existing HPA ownership to this ScaledObject - autoscaling.keda.sh/paused-replicas: "0" # Optional. Use to pause autoscaling of objects + scaledobject.keda.sh/transfer-hpa-ownership: "true" # Optional. Use to transfer an existing HPA ownership to this ScaledObject + validations.keda.sh/hpa-ownership: "true" # Optional. Use to disable HPA ownership validation on this ScaledObject autoscaling.keda.sh/paused: "true" # Optional. Use to pause autoscaling of objects explicitly spec: scaleTargetRef: @@ -413,6 +413,15 @@ spec: > ⚠️ **NOTE:** You need to specify a custom HPA name in your ScaledObject matching the existing HPA name you want it to manage. +## Disable validations on an existing HPA + +You are allowed to disable admission webhooks validations with the following snippet. It grants you better flexibility but also brings vulnerabilities. Do it **at your own risk**. + +```yaml +metadata: + annotations: + validations.keda.sh/hpa-ownership: "true" +``` ## Long-running executions diff --git a/content/docs/2.14/operate/admission-webhooks.md b/content/docs/2.14/operate/admission-webhooks.md index 8386dfde2..9b3b753ca 100644 --- a/content/docs/2.14/operate/admission-webhooks.md +++ b/content/docs/2.14/operate/admission-webhooks.md @@ -7,3 +7,5 @@ weight = 100 ## Validation Enforcement By default, the admission webhooks are registered with `failurePolicy: Ignore`, this won't block the resources creation/update when the admission controller is not available. To ensure that the validation is always required and perform validation, setting `failurePolicy` to `Fail` is required. + +In particular, the admission webhooks for HPA ownership validation can be skipped by setting the annotation `validations.keda.sh/hpa-ownership` to `"false"`. Be cautious when doing so as it exposes the system to potential risks.