Proposal: Validation for CustomResources.

[nikhita]

ThirdPartyResource (TPR) is deprecated and CustomResourceDefinition (CRD) is the successor which solves the fundamental issues of TPRs to form a stable base for further features.

Currently we do not provide validation for CustomResources (CR). This proposal proposes the design and describes a way to add JSON-Schema based validation for CustomResources.

cc @sttts @deads2k @enisoc @xiao-zhou @erictune @lavalamp @brendanburns @philips @fabxc @frankgreco @sdminonne

[sttts]

/cc @kubernetes/sig-api-machinery-api-reviews @kubernetes/sig-api-machinery-misc

[deads2k]

@sdminonne

[fabiand]

You might want to stick to markdown only, thus remove the anchor.

[enisoc]

cc @mbohlool

[enisoc]

Looks great to me overall.

[enisoc]

I'm not sure if there's a defined policy, but it seems like native k8s objects simply ignore unrecognized fields, at least on the server side. Is there any danger in even allowing CRD authors to violate this expectation/convention?

[bgrant0607]

Server-side validation needs to be optional:
kubernetes/kubernetes#5889 (comment)

[bgrant0607]

That is, schema validation needs to be optional. Value validation does not.

[enisoc]

To elaborate, my interpretation of the chain of comments @bgrant0607 linked is: Yes, there is danger in allowing CRD authors to set additionalProperties: false because it breaks version skew (new client sends new optional field to old server). At most, the client should be able to opt-in to "reject unrecognized fields" on a per-request basis. However, there is currently no such standard query param (AFAIK), so we should not allow CRD authors to set additionalProperties: false.

[nikhita]

Updated to not allow CRD authors to set additionalProperties: false.

[enisoc]

Could you also include some examples of what validation errors would look like in this proposal? For example, does the description field allow the author to inject hints into the error message?

One trade-off between this approach (using a JSON-Schema library) and alternatives (e.g. webhooks) is that the CRD author has less control over the content of validation error messages. Of course we're not limited to just printing whatever the library spits out, but if more work will be needed to improve on what the library gives us, we should scope it out here since telling the user how to fix the problem is arguably the most important part of validation.

[nikhita]

Added examples of validation errors.

[enisoc]

In the Google Doc, there was some discussion about ways to deal with CRs that exist before the introduction of validation on a given CRD for the first time. Can you summarize the findings in this proposal?

[nikhita]

Added.

[enisoc]

In general, it seems like this will be slower than native validation. We should consult with @kubernetes/sig-scalability-proprosals to define the performance bar this needs to meet and create regression tests for large numbers of objects.

[sttts]

This is certainly slower than hand crafted validation. The main point of this paragraph is not that's it might be slower by a factor of 10 (a guess), but that it cannot be used to bring down an API server because the validation algorithm is quadratic of even exponential in the input size.

But of course, having a performance bar with tests would be great.

[enisoc]

I think many people will see imperative validation (custom code inserted in the request path somehow) as the main alternative to this proposal. You mentioned above they are not mutually exclusive, but it would be good to document here why we think it makes sense to put our effort in creating the declarative version first.

[bgrant0607]

Schema validation performed by kubectl is driven by Swagger/OpenAPI models. An equivalent capability needs to move to the server (kubernetes/kubernetes#5889) as part of the general effort to move functionality to the server in order to improve extensibility and to simplify clients (kubernetes/kubernetes#12143).

I would like to see us move towards declarative validation generally for the API, as much as possible:
kubernetes/kubernetes#25460

@mbohlool may have already started on a proposal for that.

Also, ideally, I'd like the same spec to be usable to serve an OpenAPI spec for the CRD APIs, which would mean it would have to be an OpenAPI-compatible flavor of JSON schema. I really don't want multiple different schema languages in the system.

As for a hook-based approach, (potentially multiple) special-purpose hooks per resource would be harder to understand, as well as being more fragile, slower, etc. I'd prefer to find a way to use admission-control extension for that use case, so as not to add yet another hook mechanism:

https://github.com/kubernetes/community/blob/master/contributors/design-proposals/admission_control_extension.md

[sttts]

No need for another hook mechanism. We don't want that. I verified that CRDs play nicely with initializers in 1.7, same should be true for admission webhooks (not verified).

[nikhita]

Added a note about intializers.

[brendandburns]

Commented above. The commentary assumes/implies that webhooks are harder and less useful than json-schema. I think exactly the opposite is true.

Personally, I would argue for webhook validation in the CRD resource because conceptually it is part of the resource. While it is possible to do it in an extension admission controller, the user experience is way worse, because suddenly I have to create/manage/synchronize two different objects to implement my desired experience.

Instead, I think we should add webhooks to the CRD, and then implement a controller that reflects that webhook into an admission control extension. (similar to how ReplicaSet creates Pod objects, etc)

IMHO we shouldn't mix our desires around implementation complexity (only one kind of webhook) with our designs around API complexity (everything relating to a particular object should be in that object)

[enisoc]

I just realized there are examples of giving fields default values below. Is it a goal of this proposal to support defaulting? Either way, defaulting should be added to either Goals or Non-Goals to make it clear.

[sttts]

I went into go-openapi this morning and prototyped defaulting support: go-openapi/validate#27.

So this is not available currently upstream, but is feasible. The only support that exists is that errors of required fields are surpressed if a default value is given. My PR adds support to actually take that default and write it into the field.

[sttts]

@nikhita has added a link to that prototype below.

[bgrant0607]

Original description of this GSOC project:
https://summerofcode.withgoogle.com/organizations/6540924424290304/#5982049109278720

[bgrant0607]

Ref kubernetes/kubernetes#38117

[bgrant0607]

@kubernetes/sig-api-machinery-proposals

[fabiand]

You might want to drop the <sup> tag

[nikhita]

Github Flavored Markdown does not support footnotes without the <sup> tags.

Please let me know if this is indeed possible and I'm missing something here!

[fabiand]

You probably want to drop <sup> here as well.

[deads2k]

CRDs are inherently a cluster-admin resource since they affect the resources for the entire cluster. I don't feel bad about allowing a cluster-admin to make an expensive resource.

[sttts]

Will cluster-admins understand complexity?

[deads2k]

Will cluster-admins understand complexity?

Will they care? I suspect that first line of defense would simply be to scale out the masters.

[deads2k]

@mbohlool this is going to require changes to the openapi aggregation triggers.

[mbohlool]

Sorry that I see this late. I have two points here:

1. If we register CRDs with aggregation server (which I think we should), this will be aggregated automatically.
2. OpenAPI supports a subset of json schema. I think instead of asking users to provide JSON Schema we should ask them to provide OpenAPI spec that has a Definition model in it (that is a subset of JSON Schema).

[sttts]

about 2) why should we restrict ourselfes to openapi? The openapi spec is a side-product of this validation and I don't want to loose expressivity because openapi hasn't updated to the JSON schema draft 4 yet.

Moreover, some day openapi v3 is finalized, we will support v3 and v2 for backward compatibility. Do you suggest that we stay at the common denominator, i.e. to that JSON schema subset supported by v2? In other words, at some point we will have to diverge anyway.

Is there anything that stops us from stripping the given spec from unsupported features for consumation by the openapi aggregator? As far as I see all JSON Schema fields are monotonic in the sense that stripping fields makes the spec weaker. That's what we need for easy openapi consumation.

[deads2k]

I'm not really a fan of this. It seems like it should mirror kube-apis: it's the responsibility of the APi author and fixups are performed client-side.

[deads2k]

I think you actually just want to update the strategy.

[sttts]

yes, that's actually meant here.

[nikhita]

Yes, will be passing the CRD to the strategy.

[deads2k]

minor comments. This lgtm.

[sdminonne]

I liked the declarative approach defining validation but I would love to have a way to reuse definitions similar to swagger multiple files
Even better would be to reuse swagger as already reported by @bgrant0607-nocc

The same mechanism should be used to reference native resources like PodSpec.
To be more clear: If my CDR contains a v1.PodSpec I would like references the swagger definition of the io.k8s.kubernetes.pkg.api.v1.PodSpec avoiding cut & paste of the swagger.json.

According to @sttts this mechanism may be added in a second step (brief discussion on slack). So I'm in general OK with this approach.

[sttts]

Adding to @sdminonne's comment:

The languages of native kube object specs in swagger and those proposed here are the same. Hence, a schema reference could be used to link a CRD to a native object spec, using a JSON-Schema reference with a certain URL.

The main conceptual problem to solve is to define this URL namespace. Note that we are coupling non-kube-CRDs with the kube type universe, maybe even with a number of user provided API servers. One could use the service names of those API servers to reference their specs, e.g. https://kubernetes/api/v1/pods/schema.json and https://kubernetes/apis/you.group.com/your-custom-resources/schema.json. But this needs deep thought as we are coupling independent components, after splitting them apart into single API servers with a lot of effort.

Hence, I see this as a follow-up to this proposal. Right now, we will keep schema references local and the schemas self-contained.

[deads2k]

Right, but my point is that I may actually want multiple web hooks, or a
JSON schema and a webhook. I think an array captures this more elegantly
than a single top-level struct.

The current struct does not preclude introducing a slice of webhooks. Your example also highlights a deficiency of an array of validators, since some combinations like multiple JSON-schemas don't make sense. Rather than enforce that in resource validation, I would make the struct represent the valid combinations.

[agonzalezro]

If multiple validations are added (as @brendanburns mentioned) I suppose it's going to be a new struct field here: CRD.Spec.Validation.*.

Is the order of this validations important? For example, somebody would like to run JSON Schema validations before calling a webhook.

In case it's important what do you think about something like this (please, read this as pseudo code 😬):

type CustomResourceDefinitionSpec struct {
   ...
   Validations []CustomResourceValidation `json:"validation,omitempty"`
}

type CustomResourceValidation interface{
  Validate() []error
}

This would allow us to even repeat validations which can be good and bad at the same time:

• good: we could validate with JSON Schema, webhook A (microservice from dev team), webhook B (microservice from finance team -> billing).
• bad: you could as well add several JSON Schemas validation to the same CRD that could end up fighting between them (one returning true and the other false).

[jamiehannaford]

Is 90% literal here, or just an example?

[nikhita]

Just an example.

[jamiehannaford]

Ah okay, can we change to express the vast majority of validations or something? Just for folks who might take this literally

[jamiehannaford]

Is it outside the scope of this doc to briefly mention what those issues are? Perhaps just as links

[nikhita]

Will add them. 👍

[jamiehannaford]

Nit: maybe we can pin to a specific commit in the URL? I've lost track of the amount of times I've followed master links and the lines are outdated 😄

[nikhita]

good point. :)
will do.

[jamiehannaford]

Could we use a json schema lib like https://github.com/xeipuuv/gojsonschema instead of defining this ourselves? I know folks are wary of more imports but just thought I'd float the idea

[nikhita]

I believe we don't really want to import here and end up making our types depend on external types.

Had considered using https://github.com/xeipuuv/gojsonschema but instead decided to go with go-openapi because we want to be able to express the schema via openapi docs.

[jamiehannaford]

Yeah, it's also defined here. Just wondering if we can avoid duplication and the risk of feature drift.

@liggitt should we be avoiding external types here?

[liggitt]

external types don't have the protobuf annotations needed by our API types. tying our API to an external API is not something we want to do.

[nikhita]

@agonzalezro That looks like a nice approach but what I am concerned about is that we can end up with multiple JSON schemas and allow invalid combinations. We need the JSON schema to only have one entry point (not multiple).

[sttts]

To address @brendanburns's comment #708 (comment):

This way we can make the validation generic and add other validation options in the future. Even multiple validation options could be used at the same time within one CustomResourceDefinition.

[sttts]

I can see value in @agonzalezro's example with multiple webhooks. Also the possibility to rely on static JSON-schema validation before calling a webhook sounds reasonable.

Though I am not so sure about introducing any more structure, i.e. a whole slice of validation mechanisms. As the next step we would want to define the parallalism, i.e. sequential or in parallel, eventually leading to complete pipeline semantics. I agree with @deads2k that having a struct { JSONSchema, []WebHook } is a good line to draw. If some day we have some embedded interpreter of some sort, we could have struct { JSONSchema, Script, []WebHook }.

[agonzalezro]

I see struct { JSONSchema, []WebHook } reasonable. In the case that it's EXTREMELY important for somebody to to run the webhooks before the schema they could implement the schema validation in their latest webhook. Of course, this case would be like the 0.1% of the people :)

Looks pretty good, good job you all.

[deads2k]

/lgtm

[frankgreco]

I am very interested in contributing to this change. Is this the right issue to be following for that. I assume at some point this thread will turn into more of implementation discussion once the final design is finished.

[enisoc]

@frankgreco There is work in progress here: kubernetes/kubernetes#47263

[deads2k]

I am very interested in contributing to this change. Is this the right issue to be following for that. I assume at some point this thread will turn into more of implementation discussion once the final design is finished.

I figured I'd give a day for closing arguments and merge this tomorrow.

[deads2k]

I figured I'd give a day for closing arguments and merge this tomorrow.

Ok. I'll merge this as a starting point. Specific issues are welcome as are comments on the WIP kubernetes/kubernetes#47263

[mbohlool]

OpenAPI v3 is release and we are going to support it but even v3 Schema is a subset of JSON schema. I don't think OpenAPI supports complete JSON schema any time soon if ever. If we provide JSON schema for CRDs there is no path forward for converting it to OpenAPI (hence at least the proposal's assertion that it is compatible with OpenAPI is false). If we are thinking of also asking users to provide OpenAPI spec that would be a bad design in my opinion. Two very similar things. I don't think OpenAPI's Schema is that restrictive and I do believe we should use that as it widely accepted (not that JSON schema is not but for the puropose of describing API objects, OpenAPI designed for that).

…

On Jul 31, 2017 8:04 AM, "Dr. Stefan Schimanski" ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In contributors/design-proposals/customresources-validation.md <#708 (comment)>: > + +ObjectMeta and TypeMeta are implicitly specified. They do not have to be added to the JSON-Schema of a CRD. The validation already happens today as part of the apiextensions-apiserver REST handlers. + +### Server-Side Validation + +The server-side validation is carried out after sending the request to the apiextensions-apiserver, i.e. inside the CREATE and UPDATE handlers for CRs. + +We do a schema pass there using the https://github.com/go-openapi/validate validator with the provided schema in the corresponding CRD. Validation errors are returned to the caller as for native resources. + +JSON-Schema also allows us to reject additional fields that are not defined in the schema and only allow the fields that are specified. This can be achieved by using `"additionalProperties": false` in the schema. However, there is danger in allowing CRD authors to set `"additionalProperties": false` because it breaks version skew (new client can send new optional fields to the old server). So we should not allow CRD authors to set `"additionalProperties": false`. + +### Client-Side Validation + +The client-side validation is carried out before sending the request to the api-server, or even completely offline. This can be achieved while creating resources through the client i.e. kubectl using the --validate option. + +If the API type serves the JSON-Schema in the swagger spec, the existing kubectl code will already be able to also validate CRs. This will be achieved as a follow-up. about 2) why should we restrict ourselfes to openapi? The openapi spec is a side-product of this validation and I don't want to loose expressivity because openapi hasn't updated to the JSON schema draft 4 yet. Moreover, some day openapi v3 is finalized, we will support v3 and v2 for backward compatibility. Do you suggest that we stay at the common denominator, i.e. to that JSON schema subset supported by v2? In other words, at some point we will have to diverge anyway. Is there anything that stops us from stripping the given spec from unsupported features for consumation by the openapi aggregator? As far as I see all JSON Schema fields are monotonic in the sense that stripping fields makes the spec weaker. That's what we need for easy openapi consumation. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#708 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABic4ExRsgiRbp5YqRtIJG3ejb2nRX4Eks5sTezkgaJpZM4N3YUj> .

[sttts]

@mbohlool let's continue in the issue kubernetes/kubernetes#49879