feat: add CEL validation rules to MemberCluster taint API types#478
Open
ytimocin wants to merge 1 commit intokubefleet-dev:mainfrom
Open
feat: add CEL validation rules to MemberCluster taint API types#478ytimocin wants to merge 1 commit intokubefleet-dev:mainfrom
ytimocin wants to merge 1 commit intokubefleet-dev:mainfrom
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
ytimocin
force-pushed
the
feat/cel-validation-membercluster
branch
12 times, most recently
from
6dfd0c7 to
90e59c0
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Adds CRD-level CEL validations for MemberCluster taints (v1 + v1beta1) so invalid taints are rejected at schema validation time, aligning with existing webhook validation for defense-in-depth.
Changes:
- Added CEL rules and length constraints to
MemberClusterSpec.Taints/Taintin both API versions (format, prefix/name/value limits, and uniqueness by(key,value,effect)). - Regenerated the
MemberClusterCRD schema to include the new validations. - Expanded validation coverage via API integration tests (v1 + v1beta1), updated validator unit tests, and adjusted an e2e assertion to match CEL error output.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
apis/cluster/v1/membercluster_types.go |
Adds CEL validations + length constraints for taints in v1 API types. |
apis/cluster/v1beta1/membercluster_types.go |
Adds the same CEL validations + constraints for v1beta1 API types. |
config/crd/bases/cluster.kubernetes-fleet.io_memberclusters.yaml |
CRD schema regeneration to include taint CEL validations and max/min length constraints. |
test/apis/cluster/v1/api_validation_integration_test.go |
Adds integration coverage for valid/invalid taint CEL cases (v1). |
test/apis/cluster/v1beta1/api_validation_integration_test.go |
Adds integration coverage for valid/invalid taint CEL cases (v1beta1). |
pkg/utils/validator/membercluster_test.go |
Adds a unit test covering “same key+effect, different value” as valid (uniqueness is by key+value+effect). |
test/e2e/webhook_test.go |
Updates expected error text to match CEL/CRD validation output. |
| var statusErr *k8sErrors.StatusError | ||
| g.Expect(errors.As(err, &statusErr)).To(BeTrue(), fmt.Sprintf("Update MC call produced error %s. Error type wanted is %s.", reflect.TypeOf(err), reflect.TypeOf(&k8sErrors.StatusError{}))) | ||
| g.Expect(statusErr.ErrStatus.Message).Should(MatchRegexp("name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character")) | ||
| g.Expect(statusErr.ErrStatus.Message).Should(MatchRegexp("taint key name segment must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character")) |
There was a problem hiding this comment.
This assertion uses MatchRegexp with a literal string that contains regex metacharacters (notably the unescaped "."), which can make the test pass for unintended messages. Consider using ContainSubstring for this check, or wrapping the expected message with regexp.QuoteMeta() before passing it to MatchRegexp to ensure the regex matches the literal text.
ytimocin
force-pushed
the
feat/cel-validation-membercluster
branch
from
90e59c0 to
d486583
Compare
Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>
ytimocin
force-pushed
the
feat/cel-validation-membercluster
branch
from
d486583 to
d20fcc6
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of your changes
Adds CRD CEL validation for
MemberClustertaints in both API versions (v1andv1beta1) to match existing webhook validation behavior (defense-in-depth).What changed
MemberClusterSpec.TaintsandTaintin:apis/cluster/v1/membercluster_types.goapis/cluster/v1beta1/membercluster_types.go(key, value, effect)config/crd/bases/cluster.kubernetes-fleet.io_memberclusters.yamltest/apis/cluster/v1/api_validation_integration_test.gotest/apis/cluster/v1beta1/api_validation_integration_test.gopkg/utils/validator/membercluster_test.gokey+effectwith differentvalueis valid.test/e2e/webhook_test.goWhy
How has this code been tested
go test ./pkg/utils/validator -run TestValidateTaints -count=1go test ./pkg/webhook/membercluster -count=1go test -c ./test/apis/cluster/v1 -o /tmp/test-apis-cluster-v1.testgo test -c ./test/apis/cluster/v1beta1 -o /tmp/test-apis-cluster-v1beta1.testgo test ./test/apis/cluster/v1 -run TestAPIs -count=1 -- -ginkgo.focus="MemberCluster taint CEL validation" -ginkgo.vgo test ./test/apis/cluster/v1beta1 -run TestAPIs -count=1 -- -ginkgo.focus="MemberCluster taint CEL validation" -ginkgo.vSpecial notes for your reviewer
I have:
make reviewableto ensure this PR is ready for review.