I'm developing a controller with a CRD. The CRD includes our custom stuff along with an embedded core.v1.PodSpec. (v1.13.1)
I define a validation section in the CRD that can validate and enforce constraints on our custom fields, but I can't figure out how to do this for the embedded PodSpec. PodSpec is far too large and has far too many options to manually add this to the validate section of the CRD:
```yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: mystuff.example.com
spec:
  group: mystuff.example.com
  versions:
    - name: v1alpha1
      served: true
      storage: true
  names:
    kind: MyStuff
    plural: mystuffs
    singular: mystuff
    shortNames:
      - ms
  scope: Namespaced
  additionalPrinterColumns:
    - JSONPath: .status.phase
      name: Status
      type: string
    - JSONPath: .metadata.resourceVersion
      name: Version
      type: string
  validation:
    openAPIV3Schema:
      properties:
        spec:
          required:
            - myVar1
            - myVar2
            - podSpec
          properties:
            myVar1:
              type: boolean
            myVar2:
              type: boolean
            # Here I need to validate a valid core.v1.PodSpec
            podSpec:
              type: core.v1.PodSpec
```
How do other people approach this?
I also need validation for any mechanism by which a user can submit a workload, i.e. directly using the kube apiserver or with kubectl.
Thanks for any help.
In general, a CRD doesn't allow you to put references to other objects. There was a discussion on that: https://github.com/kubernetes/kubernetes/issues/54579. The decision was made not to add references.
A workaround is described in this comment: https://github.com/kubernetes/kubernetes/issues/54579#issuecomment-370372942 I haven't used it, but you may try.
There are multiple ways to perform CRD validation. Static validation via .validation is one way, as you know. Another way is to perform dynamic validation via a ValidatingAdmissionWebhook. This allows you to implement and deploy a server that the Kubernetes API server will call just prior to resource admission.
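
The decision logic of such a webhook, as an added example that is not code from the answers above or from Kubernetes: it reads an admission.k8s.io/v1beta1 AdmissionReview (the version matching the v1.13.1 cluster in the question), checks spec.podSpec, and builds the reply, denying anything it cannot parse. The names `container`, `response`, `review`, `checkPodSpec` and `admit` are hypothetical, and the checks cover only an assumed subset of PodSpec rules; serving this over HTTPS and registering it in a ValidatingWebhookConfiguration are left out.

```go
package main

import "encoding/json"
import "fmt"

type container struct{ Name, Image string } // assumed subset of core.v1.Container
type response struct { // admission.k8s.io/v1beta1 AdmissionResponse fields used here
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}
type review struct { // AdmissionReview envelope, request side reduced to spec.podSpec
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string
		Object struct{ Spec struct{ PodSpec struct{ Containers []container } } }
	} `json:"request,omitempty"`
	Response *response `json:"response,omitempty"`
}

// checkPodSpec returns the first violation found, or "" when the checks pass.
func checkPodSpec(cs []container) string {
	if len(cs) == 0 {
		return "spec.podSpec.containers: at least one container is required"
	}
	for i, c := range cs {
		if c.Name == "" || c.Image == "" {
			return fmt.Sprintf("spec.podSpec.containers[%d]: name and image are required", i)
		}
	}
	return ""
}

// admit builds the reply for one request; input that cannot be parsed is denied.
func admit(body []byte) review {
	in, resp, msg := review{}, &response{}, "malformed AdmissionReview"
	if json.Unmarshal(body, &in) == nil && in.Request != nil {
		resp.UID, msg = in.Request.UID, checkPodSpec(in.Request.Object.Spec.PodSpec.Containers)
	}
	if resp.Allowed = msg == ""; !resp.Allowed {
		resp.Status = map[string]string{"message": msg}
	}
	return review{APIVersion: "admission.k8s.io/v1beta1", Kind: "AdmissionReview", Response: resp}
}

func main() { // constructed request: the second container has no image
	out, _ := json.Marshal(admit([]byte(`{"request":{"uid":"u1","object":{"spec":{"podSpec":{"containers":[{"name":"a","image":"nginx"},{"name":"b"}]}}}}}`)))
	fmt.Println(string(out))
}
```

When the webhook is registered for CREATE and UPDATE on the custom resource, the same check applies whether the object arrives through kubectl or a direct API call.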