feat(kuma-cp) Validation synced resources on K8S #919
Conversation
| apiVersion: admissionregistration.k8s.io/v1beta1 | ||
| kind: ValidatingWebhookConfiguration | ||
| metadata: | ||
| name: kuma-validating-webhook-configuration |
There was a problem hiding this comment.
Another one to keep in sync with the helm chart.
| - containerPort: 5443 | ||
| {{- if ne .KumaCpMode "global" }} |
| @@ -75,11 +79,27 @@ func (s *KubernetesStore) Create(ctx context.Context, r core_model.Resource, fs | |||
| return nil | |||
| } | |||
|
|
|||
| func markAsSynced(obj k8s_model.KubernetesObject) { | |||
| annotations := obj.GetAnnotations() | |||
There was a problem hiding this comment.
This functionality seems very internal. I think it's more of an annotation
| Allowed: false, | ||
| Result: &metav1.Status{ | ||
| Status: "Failure", | ||
| Message: "You are trying to apply policy on Remote CP. In multicluster setup, policies should be only applied on Global CP and synced to Remote CPs.", |
| @@ -57,6 +65,12 @@ func ModifiedAt(modificationTime time.Time) UpdateOptionsFunc { | |||
| } | |||
| } | |||
|
|
|||
| func UpdateSynced() UpdateOptionsFunc { | |||
There was a problem hiding this comment.
Why we need UpdateSynced? If some resource was created with CreateSynced then it should be staying synced for the whole lifetime scope, right? So it is a permanent characteristic of the resource
There was a problem hiding this comment.
Technically yes, but there is an exception - Mesh object. Remote can create default Mesh and then it's updated from the remote.
| @@ -72,6 +102,28 @@ func (h *validatingHandler) Handle(ctx context.Context, req admission.Request) a | |||
| return admission.Allowed("") | |||
| } | |||
|
|
|||
| func (h *validatingHandler) validateSync(resType core_model.ResourceType, obj k8s_model.KubernetesObject) admission.Response { | |||
| if resType == core_mesh.MeshType && len(obj.GetSpec()) == 0 { // skip validation for the default mesh | |||
There was a problem hiding this comment.
The comment says that we skip default mesh, but it skips every mesh with empty spec, isn't it? And why do we have to skip default mesh? Is it created by defaultingWebhook?
There was a problem hiding this comment.
Because Remote can create default Mesh and if we let the logic pass, it will fail because normally you should not create meshes on Remotes.
There was a problem hiding this comment.
To be honest I thought that since webhook disabled on Remote, mesh object always comes from Global, but I see that only ValidationWebhook was disabled. Maybe we can disable mesh-defaulter for Remote to have unified way of managing resources?
There was a problem hiding this comment.
I don't know... mesh defaulter does not make sense on remote 🤔 it's only useful when you apply a mesh with some settings, but it will be defaulted in global
jakubdyszkiewicz
force-pushed
the
feat/sync-resources-validation
branch
from
cf12dd1
to
ba09f50
Compare
Summary
This PR introduces validation on K8S that prevents users to apply policies on Remote by accident.
It relies on annotation
k8s.kuma.io/synced: "true"Documentation