gloo
Kube Gateway Policy Validation
Description
Implements webhook validation for Gloo Gateway Policies in the context of Kubernetes Gateway API. RouteOption and VirtualHostOption CRs will be hermetically validated to prevent admission for semantically incorrect resources. Referential errors (i.e. "warnings" in the Gloo Edge API) will not be checked.
Context
Validation is implemented in the existing webhook but does NOT do a full translation like the original Gloo Edge API validation. There are many challenges associated with performing a full translation (see design doc for more analysis). This approach gives us semantic validation/rejection via a webhook without needing a snapshot-based full translation.
Testing steps
Manually verified with resources such as:
```yaml
apiVersion: gateway.solo.io/v1
kind: RouteOption
metadata:
  name: policy-attached
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: example-route
  options:
    faults:
      abort:
        percentage: 100
        # httpStatus: 500 <-- commented out to break plugin, this causes error
```

```
Error from server: error when creating "projects/gateway2/examples/example-http-route-with-attached-options.yaml": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.RouteOption failed: 1 error occurred:
	* Validating *v1.RouteOption failed: validating *v1.RouteOption name:"policy-attached" namespace:"default": 1 error occurred:
	* Route Error: ProcessingError. Reason: *faultinjection.plugin: invalid abort status code '0', must be in range of [200,600). Route Name:
```

```yaml
apiVersion: gateway.solo.io/v1
kind: VirtualHostOption
metadata:
  name: policy-attached
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: gw
  options:
    bufferPerRoute:
      buffer: {}
```

```
Error from server: error when creating "projects/gateway2/examples/example-http-route-with-attached-vhost-options.yaml": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.VirtualHostOption failed: 1 error occurred:
	* Validating *v1.VirtualHostOption failed: validating *v1.VirtualHostOption name:"policy-attached" namespace:"default": 1 error occurred:
	* VirtualHost Error: ProcessingError. Reason: invalid virtual host [vhost]: invalid BufferPerRoute.Buffer: embedded message failed validation | caused by: invalid Buffer.MaxRequestBytes: value is required and must not be nil.
```
Still exploring how we can test this in the new e2e testing framework
Checklist:
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [ ] I have added tests that prove my fix is effective or that my feature works
BOT NOTES: resolves https://github.com/solo-io/solo-projects/issues/6063
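The following is an added illustration of the hermetic-validation approach described in the Context section and exercised in the testing steps above. It is example code written for this page, not Gloo's webhook implementation or generated API types: the `RouteOption`, `VirtualHostOption`, `Abort`, `Buffer`, `AdmissionResponse` types and the `Review` helper are simplified stand-ins assumed for the example. The two rules it enforces (abort status code must be in [200,600); `Buffer.MaxRequestBytes` is required) and the error wording follow the rejections shown in the testing steps. The point it demonstrates is the boundary the PR draws: every check reads only fields of the object being admitted, so no snapshot or full translation is needed, and whether `targetRef` names an existing HTTPRoute or Gateway (a referential check) is deliberately left out.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the RouteOption / VirtualHostOption CRs in the PR
// description. Illustrative types only, not Gloo's generated API types.
type TargetRef struct {
	Group, Kind, Name string
}

type Abort struct {
	Percentage float64
	HTTPStatus uint32 // 0 when httpStatus is omitted from the YAML, as in the failing example
}

type Buffer struct {
	MaxRequestBytes *uint32 // nil when the YAML gives `buffer: {}`
}

type RouteOption struct {
	Name, Namespace string
	TargetRef       TargetRef
	Abort           *Abort
}

type VirtualHostOption struct {
	Name, Namespace string
	TargetRef       TargetRef
	Buffer          *Buffer
}

// AdmissionResponse is the allowed/message pair a validating webhook returns;
// a real webhook wraps it in an AdmissionReview.
type AdmissionResponse struct {
	Allowed bool
	Message string
}

// validateAbort is a hermetic check: every rule depends only on fields of this
// object, so no Gloo snapshot or translation is needed to evaluate it.
func validateAbort(a *Abort) error {
	if a == nil {
		return nil
	}
	if a.Percentage < 0 || a.Percentage > 100 {
		return fmt.Errorf("invalid abort percentage %v, must be in range of [0,100]", a.Percentage)
	}
	if a.HTTPStatus < 200 || a.HTTPStatus >= 600 {
		return fmt.Errorf("invalid abort status code '%d', must be in range of [200,600)", a.HTTPStatus)
	}
	return nil
}

// validateBuffer rejects `buffer: {}`: maxRequestBytes is a required field.
func validateBuffer(b *Buffer) error {
	if b == nil {
		return nil
	}
	if b.MaxRequestBytes == nil {
		return errors.New("invalid Buffer.MaxRequestBytes: value is required and must not be nil")
	}
	return nil
}

// ValidateRouteOption runs only hermetic checks. Whether TargetRef names an
// HTTPRoute that exists is referential (a "warning" in the Gloo Edge API) and
// is deliberately not evaluated here.
func ValidateRouteOption(ro RouteOption) error {
	if err := validateAbort(ro.Abort); err != nil {
		return fmt.Errorf("validating *v1.RouteOption name:%q namespace:%q: Route Error: ProcessingError. Reason: *faultinjection.plugin: %w", ro.Name, ro.Namespace, err)
	}
	return nil
}

// ValidateVirtualHostOption is the VirtualHostOption counterpart.
func ValidateVirtualHostOption(vho VirtualHostOption) error {
	if err := validateBuffer(vho.Buffer); err != nil {
		return fmt.Errorf("validating *v1.VirtualHostOption name:%q namespace:%q: VirtualHost Error: ProcessingError. Reason: invalid BufferPerRoute.Buffer: %w", vho.Name, vho.Namespace, err)
	}
	return nil
}

// Review dispatches on the resource kind and turns a validation error into a
// denial. Kinds this validator does not know are denied (fail closed) rather
// than silently admitted.
func Review(obj interface{}) AdmissionResponse {
	var err error
	switch o := obj.(type) {
	case RouteOption:
		err = ValidateRouteOption(o)
	case VirtualHostOption:
		err = ValidateVirtualHostOption(o)
	default:
		err = fmt.Errorf("unsupported kind %T", obj)
	}
	if err != nil {
		return AdmissionResponse{Allowed: false, Message: err.Error()}
	}
	return AdmissionResponse{Allowed: true}
}

func main() {
	// The two failing resources from the PR description, reconstructed inline.
	ro := RouteOption{Name: "policy-attached", Namespace: "default",
		TargetRef: TargetRef{"gateway.networking.k8s.io", "HTTPRoute", "example-route"},
		Abort:     &Abort{Percentage: 100}} // httpStatus omitted
	fmt.Printf("%+v\n", Review(ro))
	vh := VirtualHostOption{Name: "policy-attached", Namespace: "default",
		TargetRef: TargetRef{"gateway.networking.k8s.io", "Gateway", "gw"},
		Buffer:    &Buffer{}} // buffer: {}
	fmt.Printf("%+v\n", Review(vh))
	ro.Abort.HTTPStatus = 500 // restoring httpStatus makes the RouteOption admissible
	fmt.Printf("%+v\n", Review(ro))
}
```

Run it with `go run .`; the first two reviews are denied with messages matching the webhook output above, the third is allowed. Note that a RouteOption pointing at a non-existent HTTPRoute is still admitted by this validator, which is exactly the trade-off the Context section describes.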
Issues linked to changelog: https://github.com/solo-io/solo-projects/issues/6063
Visit the preview URL for this PR (updated for commit 79f32a6):
https://gloo-edge--pr9456-ggv2-validation-9fqddthj.web.app
(expires Thu, 23 May 2024 17:29:06 GMT)
🔥 via Firebase Hosting GitHub Action 🌎
Sign: 77c2b86e287749579b7ff9cadb81e099042ef677
Per standup, @jbohanon @npolshakova @sam-heilbron are happy to have this merge as is.
Sam is going to resolve the comments to allow the PR to merge
/kick build-bot