KEP-3937: Declarative Validation

[jpbetz]

• One-line PR description: Declaratively validate Kubernetes built-in types and publish the validation rules in OpenAPI.

• Issue link: Declarative Validation #3937

• Other comments: I realize this is ambitious, but recent work in CEL and OpenAPI in recent releases has made this significantly more tractable. Please see the working prototype.

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jpbetz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-api-machinery/OWNERS [jpbetz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[apelisse]

Thanks for the doc, excited to see that happen!

I have a few questions that are mostly all rooting from the same place:

• Where is this going to happen in the apiserver, before decoding, after decoding?
• Will this use the openapi as the source of truth? Or will the code be generated like we do for defaults?
• Will you decode into unstructured and then do the validation and then decode into built-in type?
• Or will you run against decoded values? (i.e. null string becomes empty string for non-nil strings).
  There may be a few more questions depending on some answers :-)

[apelisse]

I would have expected in the goals section to know if you're going to publish in v2 and/or v3. I'd love to know how you come-up with that decision.

[jpbetz]

I could use some openapi expertise on this one, should we support both? How long do we expect to keep v2 around?

[apelisse]

IMO, v2 is deprecated, I wouldn't care so much about it. We don't plan on using it for any of the new usage. explain uses v3, kube-verify uses v3, everything should use v3.

[apelisse]

Maybe mention in this table those that already exist.

[apelisse]

is the list exhaustive?

[jpbetz]

That is the intent, yes. Let me know if I missed anything.

[apelisse]

I did check, I think it has all of it, thanks.

[apelisse]

Can we do that without requiring the two separate feature gate?

[apelisse]

Also, somewhat related: kubernetes/kubernetes#97733

[smarterclayton]

Would also be a minor security win - currently conversion to internal involves use of unsafe operations for performance, and doing validation before conversion reduces the risk of malformed data making it to conversion.

[apelisse]

Suggested change

	// +valdiation=rule:"!self.hostNetwork || self.containers.all(c, c.containerPort.all(cp, cp.hostPort == cp.containerPort))"
	// +validation=rule:"!self.hostNetwork || self.containers.all(c, c.containerPort.all(cp, cp.hostPort == cp.containerPort))"

[apelisse]

Not a requirement, but I would point/copy the code that this replace to give both an idea of the order of magnitude code that can possibly remove, and how different it is.

[apelisse]

Suggested change

	In this example, both `+valdiation`, `+minimum` and `+maximum` are IDL tags.
	In this example, both `+validation`, `+minimum` and `+maximum` are IDL tags.

😂

[apelisse]

IMO, v2 is deprecated, I wouldn't care so much about it. We don't plan on using it for any of the new usage. explain uses v3, kube-verify uses v3, everything should use v3.

[apelisse]

I did check, I think it has all of it, thanks.

[apelisse]

I think mapping directly between the IDL and the OpenAPI is the least confusing for people familiar with openapi. For people who are not, the difference between these can be hard to get initially, we should definitely have some linting if maxLength is used on non-string, maxProperties is used on non-maps, and maxItems is used on non-lists.

[jpbetz]

+1. Also, Kubebuilder has set significant precedent here, and Kuberbuilder uses a direct mapping (it's prefixed with "kubebuilder:validations:", but it otherwise direct).

[apelisse]

Wait, is this a CEL rule or is this something that goes in the format part of the openapi, I'm a little confused? It looks like it's not since you have the formats section right below, but still confused :-)

[jpbetz]

I'd like to almost all format validation to be done just with OpenAPI.

ObjectMeta.name has a problem. We have a single shared type for ObjectMeta, but different types have different format requirements for the name (and generateName), so we have to cope with that somehow.

I probably need to explain my thinking in the KEP more, but my current thinking is that we could do something like:

struct Pod type {

  // +objectNameFormat="dns1123subdomain"
  ObjectMeta `json:...`
}

And have this generate openAPI like:

  "io.k8s.api.core.v1.Pod": {
        "properties": {
          "metadata": {
            "allOf": [
              {
                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
              }
            ],
            "x-kubernetes-validations": [
              {"rule": "!has(self.name) || self.name.isFormat('dsn1123subbdomain')"},
              {"rule": "!has(self.generateName) || self.generateName.replace('_$', '_a').isFormat('dsn1123subbdomain')"},
            ]

If we could avoid this and instead put "format" directly on name, that would be amazing, but I don't know how.

[jpbetz]

@alexzielenski had the idea of using a second schema in allOf to validate the name directly (no CEL needed).

[apelisse]

That's a neat idea.

[apelisse]

Somewhat related to that, if we could validate whether namespace can or can not be present, that'd be nice. Also, I've been asked a few times how to know if a kind is namespaced or not, can we re-use that technic to detect it?

[jpbetz]

Something like this sounds good to me. Today, CRD resources declare scope, but the OpenAPI does not. A fix that can be applied to both CRDs and native types would be amazing. Of the fields in a CRD that do not appear in OpenAPI (scope, names, conversion, deprecated, deprecationWarning, additionalPrinterColumns), the ones that should probably be in OpenAPI (somehow) are scope, deprecated and deprecationWarning.

[apelisse]

Today validation for all the versions are done on internal, we might have discrepencies between versions now (since we'll require N validation instead of 1). We have to be sure that all the validations do the exact same thing.

[jpbetz]

/close
We're planning to do something along these lines. @alexzielenski will open a replacement KEP

[k8s-ci-robot]

@jpbetz: Closed this PR.

In response to this:

/close
We're planning to do something along these lines. @alexzielenski will open a replacement KEP

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.