Skip to content

[main] Add admission validation for WebhookDeploymentCustomization#1465

Merged
crobby merged 4 commits into
rancher:mainfrom
crobby:webhook-deployment-validation
Jun 11, 2026
Merged

[main] Add admission validation for WebhookDeploymentCustomization#1465
crobby merged 4 commits into
rancher:mainfrom
crobby:webhook-deployment-validation

Conversation

@crobby

@crobby crobby commented May 13, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Issue: rancher/rancher#54090

Problem

Invalid WebhookDeploymentCustomization values (zero replicas, malformed toleration keys, conflicting PDB fields) pass through the API and only fail at Helm install time on the downstream cluster, making errors difficult to diagnose.

Solution

Add admission validators for WebhookDeploymentCustomization

  • replicaCount must be >= 1
  • Toleration keys validated against k8s label name rules
  • Affinity label selectors validated via apimachinery
  • PDB: must be non-negative int or 0-100% string; minAvailable and maxUnavailable cannot both be non-zero

@crobby crobby marked this pull request as ready for review May 18, 2026 18:39
@crobby crobby requested a review from a team as a code owner May 18, 2026 18:39
@crobby crobby force-pushed the webhook-deployment-validation branch 2 times, most recently from 764e852 to ff06e2a Compare May 26, 2026 20:40
This was referenced May 26, 2026
Draft
Closed
@crobby crobby changed the title Add admission validation for WebhookDeploymentCustomization [main] Add admission validation for WebhookDeploymentCustomization May 26, 2026
@crobby crobby force-pushed the webhook-deployment-validation branch from ff06e2a to 018aebb Compare May 27, 2026 09:57
@crobby crobby force-pushed the webhook-deployment-validation branch 3 times, most recently from ebc4e54 to 0d410d1 Compare June 4, 2026 19:04
@crobby
Add admission validation for WebhookDeploymentCustomization
1090534 
Validate WebhookDeploymentCustomization fields on both provisioning.cattle.io/v1
and management.cattle.io/v3 Cluster resources:
- replicaCount must be >= 1
- appendTolerations keys validated against k8s label name rules
- overrideAffinity label selectors validated
- PDB minAvailable/maxUnavailable: non-negative int or 0-100% string,
  cannot both be non-zero simultaneously

Shared validation logic lives in pkg/resources/common/deployment_customization.go
to avoid duplication across API groups.
@crobby crobby force-pushed the webhook-deployment-validation branch from 0d410d1 to 1090534 Compare June 8, 2026 14:51
ericpromislow
ericpromislow approved these changes Jun 8, 2026
View reviewed changes

@ericpromislow ericpromislow left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

rohitsakala
rohitsakala reviewed Jun 8, 2026
View reviewed changes
Comment thread pkg/resources/management.cattle.io/v3/cluster/validator.go Outdated
rohitsakala
rohitsakala reviewed Jun 8, 2026
View reviewed changes
Comment thread docs.md
@crobby crobby requested a review from rohitsakala June 9, 2026 17:38
@crobby crobby force-pushed the webhook-deployment-validation branch from 614826a to fed25b1 Compare June 9, 2026 17:39
@crobby crobby merged commit f1542dd into rancher:main Jun 11, 2026
2 checks passed
@crobby crobby deleted the webhook-deployment-validation branch June 11, 2026 09:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ericpromislow ericpromislow ericpromislow approved these changes
@rohitsakala rohitsakala Awaiting requested review from rohitsakala

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@crobby @ericpromislow @rohitsakala