New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CRD validation resource immutable #65973
Comments
/sig api-machinery |
what do you mean by immutable? do you want to have something you don't want to change after creating it? |
Yes,i want to some field can't be change。Is there any way? @mkumatag |
No, there is no way to mark fields as immutable right now. OpenAPI schema does have a construct called /area custom-resources |
/cc @mbohlool |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale
…On Mon, Oct 8, 2018 at 2:08 AM fejta-bot ***@***.***> wrote:
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually
close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta
<https://github.com/fejta>.
/lifecycle stale
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#65973 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/APXA0BbgLdKtoHwZQ5WS_5tD18EFoy8Sks5uimZhgaJpZM4VHqSR>
.
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Will this feature be considered to be implemented? This is quite useful, just like the native objects in kubernetes, not all fields are mutable after the object is created. For CRDs, there will be no different. |
You can use admission webhooks to validate any change including making sure the field is not changed. We may consider dedicated validation webhook in future but for now Admission webhooks do the job. |
For sure webhook is an option here. But IMHO webhooks are heavy (compared to specifying a field in the CRD yaml file), and most likely for more complicated cases, like the validation might involves some external API calls to some other services. It makes more sense to me that simple validations like |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
It would be fantastic to get this implemented as a none webhook based solution. The |
I absolutely support this feature. Webhooks require long time to develop and support, but we meet the use case of immutable fields again and again, the easy way is to add the field into status and mark the CR as failed in case the spec field has diverged but putting the fields to status only to support contract is a quite ugly way |
👍 I think this would be a very high value and logical feature to support. We've done the webhook path and indeed it was a big investment, and feels disproportionately heavy handed. All we've needed to use it for thus far was making fields immutable once set. |
I agree this would be awesome. But for being able to do that we have to restrict the OpenAPI features in a sane way that read-only can be derived in a consistent way for every field. We are working on this. |
Any progress or design doc on this? |
we need this feature |
We need this feature |
We have some statements in the KEP about this:
But this won't be in the alpha for 1.23, and we need to revisit the design and look through the edge cases a lot more carefully before we commit to implementing. cc @liggitt |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
Hello, any news on this topic? It'd be great to have it! |
We're working on a kep, can you share what your goals are? Now is the best time to ask! ;-) |
@apelisse , I'm implementing an operator that uses a CR to obtain some information needed to create/ update/ delete other different resources. Some specs of these resources are not upgradeable. I think it'd be good to make these CR fields immutable so the user cannot trigger the operator with the changes that cannot be properly maintained anyway. An error while trying to edit an immutable field would solve the problem with inconsistency between the CR and the spec of the other resources and would make the validation in the operator much easier |
Since I don't think it's been mentioned on this issue yet, I wanted to point out that x-kubernetes-validations transition rules can be used to enforce CRD immutability. The main caveat is that the feature is currently alpha. It is slated for beta in 1.25. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
We should be able to close this now, no? I'll pro-actively close, let me know in the comments if you disagree. |
Relevant blog post on this topic: https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/ |
Is this a BUG REPORT or FEATURE REQUEST?:
FEATURE REQUEST
What happened:
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
I want some of my fields to be immutable in CRD, can I do that?
Environment:
kubectl version
):uname -a
):The text was updated successfully, but these errors were encountered: