Skip to content

Make ValidatingWebhookConfiguration validate rule.APIGroups #130006

New issue
New issue
Open
Open
Make ValidatingWebhookConfiguration validate rule.APIGroups#130006
Labels
area/usabilitykind/featureCategorizes issue or PR as related to a new feature.lifecycle/rottenDenotes an issue or PR that has aged beyond stale and will be auto-closed.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.sig/api-machineryCategorizes an issue or PR as relevant to SIG API Machinery.
@guettli

Description

@guettli
guettli
opened on Feb 6, 2025

What would you like to be added?

there isn't any validation in the admission of a ValidatingWebhookConfiguration that checks that rule.APIGroups only contains valid group names.

But for a CRD, the group is validated to be a DNS1123Subdomain, so perhaps we can leverage that validation, combined with validation for the built-in groups?

(thank you JoelSpeed for providing the details)

Some days ago it took me some time to find the root cause why my new webhook was not called.

Would it make sense to add validation there, so that typos (like "mygroup/v1beta1" instead of "mygroup") get detected?

Why is this needed?

This is needed so that invalid group names create an error.

Otherwise, the validation web hook might not be called and invalid resources can get created.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/usabilitykind/featureCategorizes issue or PR as related to a new feature.lifecycle/rottenDenotes an issue or PR that has aged beyond stale and will be auto-closed.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.sig/api-machineryCategorizes an issue or PR as relevant to SIG API Machinery.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions