* Feat: Validate undeclared parameters in application definitions (#6862) Add a new feature gate ValidateUndeclaredParameters that rejects parameters not declared in the CUE definition schema at admission time. When enabled, any parameter field not present in the template's parameter stanza will cause a validation error. Signed-off-by: majiayu000 <1835304752@qq.com> * Fix: Handle CUE pattern constraints and improve undeclared param validation - Detect pattern constraints ([string]: T) using LookupPath to avoid false positives on webservice labels/annotations fields - Use GetSelectorLabel() for safe selector extraction - Add klog debug logging when schema compilation fails - Sort undeclared field names for deterministic error messages - Add test cases for pattern constraints and sorted output Signed-off-by: majiayu000 <1835304752@qq.com> * Fix: go fmt alignment in validate_test.go Signed-off-by: majiayu000 <1835304752@qq.com> * fix: address review feedback on PR #7075 - Handle conditional parameter declarations via two-pass schema compilation: first without params for base fields, then with declared params to resolve CUE conditionals - Return nil from findUndeclaredFields when schema.Fields() errors to prevent false positives from empty declared map - Recurse into list elements containing structs using cue.AnyIndex so undeclared fields inside arrays are detected - Save/restore previous feature gate state in tests instead of resetting to fixed values Signed-off-by: majiayu000 <1835304752@qq.com> --------- Signed-off-by: majiayu000 <1835304752@qq.com>
/*
Copyright 2021 The KubeVela Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package features
import (
"k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apiserver/pkg/util/feature"
"k8s.io/component-base/featuregate"
)
// Compatibility features. Each gate here re-enables or disables a behaviour kept for
// existing installations; all of them are off by default (see defaultFeatureGates).
const (
	// DeprecatedPolicySpec enables the use of the deprecated policy spec.
	DeprecatedPolicySpec featuregate.Feature = "DeprecatedPolicySpec"

	// LegacyObjectTypeIdentifier enables the legacy object type identifier when selecting ref-objects.
	LegacyObjectTypeIdentifier featuregate.Feature = "LegacyObjectTypeIdentifier"

	// DeprecatedObjectLabelSelector enables the deprecated object label selector when selecting ref-objects.
	DeprecatedObjectLabelSelector featuregate.Feature = "DeprecatedObjectLabelSelector"

	// LegacyResourceTrackerGC enables garbage collection of legacy resource trackers in managed clusters.
	LegacyResourceTrackerGC featuregate.Feature = "LegacyResourceTrackerGC"

	// LegacyResourceOwnerValidation relaxes the ownership check during resource dispatch: an existing
	// resource without an owner application is accepted, and the current application takes it over.
	LegacyResourceOwnerValidation featuregate.Feature = "LegacyResourceOwnerValidation"

	// DisableReferObjectsFromURL, when set, disallows ref-objects that are loaded from a URL.
	DisableReferObjectsFromURL featuregate.Feature = "DisableReferObjectsFromURL"

	// ApplyResourceByReplace enforces resource modification through PUT requests instead of the
	// default patch requests (three-way strategic merge patch). Enabling it increases request
	// traffic (more bytes transferred) and makes resource mutation fail more often because of
	// potential conflicts. In exchange, the KubeVela controller places a strong restriction on
	// managed resources: external systems cannot modify them and modifications from multiple
	// sources are never merged, so KubeVela alone keeps the source of truth for the resource.
	ApplyResourceByReplace featuregate.Feature = "ApplyResourceByReplace"
)

// Edge features.
const (
	// AuthenticateApplication enables authentication for applications.
	AuthenticateApplication featuregate.Feature = "AuthenticateApplication"

	// ValidateDefinitionPermissions enables RBAC validation of definition access in applications.
	ValidateDefinitionPermissions featuregate.Feature = "ValidateDefinitionPermissions"

	// GzipResourceTracker enables gzip compression of ResourceTrackers. It is useful for large
	// applications that dispatch many resources or large ones (such as CRDs or huge ConfigMaps),
	// at the cost of slower processing because of the compression and decompression overhead.
	GzipResourceTracker featuregate.Feature = "GzipResourceTracker"

	// ZstdResourceTracker enables zstd compression of ResourceTrackers; see GzipResourceTracker
	// for the use-cases. zstd is much faster and more efficient than gzip (about 2x faster and a
	// smaller output). For very large ResourceTrackers (1MB or so) it has almost no performance
	// penalty compared to no compression at all; for smaller ones (10KB - 1MB) the penalty is minimal.
	ZstdResourceTracker featuregate.Feature = "ZstdResourceTracker"

	// GzipApplicationRevision is the GzipResourceTracker equivalent for ApplicationRevision.
	GzipApplicationRevision featuregate.Feature = "GzipApplicationRevision"

	// ZstdApplicationRevision is the ZstdResourceTracker equivalent for ApplicationRevision.
	ZstdApplicationRevision featuregate.Feature = "ZstdApplicationRevision"

	// ApplyOnce enables apply-once for all applications: no StateKeep is run and the
	// ResourceTracker stops storing resource data, keeping only metadata.
	ApplyOnce featuregate.Feature = "ApplyOnce"

	// MultiStageComponentApply enables multi-stage apply for components: manifests are
	// dispatched in batches according to their stage.
	MultiStageComponentApply featuregate.Feature = "MultiStageComponentApply"

	// PreDispatchDryRun enables a dry run before resources are dispatched. It helps keep resources
	// that would fail to dispatch out of the ResourceTracker and improves the gc experience, at
	// the cost of additional network requests.
	PreDispatchDryRun featuregate.Feature = "PreDispatchDryRun"

	// ValidateComponentWhenSharding validates components in sharding mode. Because the
	// ApplicationRevision is not cached for the webhook in sharding mode, component validation
	// has to call the Kubernetes API server, which can be slow and costs network traffic, so it
	// is disabled by default.
	ValidateComponentWhenSharding = "ValidateComponentWhenSharding"

	// DisableWebhookAutoSchedule disables auto scheduling in the application mutating webhook
	// when sharding is enabled. When true, the webhook does not assign shards to applications,
	// leaving that to a customized scheduler provided by the user.
	DisableWebhookAutoSchedule = "DisableWebhookAutoSchedule"

	// DisableBootstrapClusterInfo disables the cluster info bootstrap when the controller starts.
	DisableBootstrapClusterInfo = "DisableBootstrapClusterInfo"

	// InformerCacheFilterUnnecessaryFields filters unnecessary fields out of the informer cache.
	InformerCacheFilterUnnecessaryFields = "InformerCacheFilterUnnecessaryFields"

	// SharedDefinitionStorageForApplicationRevision uses the definition cache to avoid storing
	// duplicated definitions in application revisions. It must be used together with
	// InformerCacheFilterUnnecessaryFields.
	SharedDefinitionStorageForApplicationRevision = "SharedDefinitionStorageForApplicationRevision"

	// DisableWorkflowContextConfigMapCache disables the informer cache for the workflow context's ConfigMap.
	DisableWorkflowContextConfigMapCache = "DisableWorkflowContextConfigMapCache"

	// EnableCueValidation enables strict CUE validation of the required parameter fields.
	EnableCueValidation = "EnableCueValidation"

	// EnableApplicationStatusMetrics enables collection and export of application status metrics
	// and structured logging.
	EnableApplicationStatusMetrics = "EnableApplicationStatusMetrics"

	// ValidateResourcesExist enables webhook validation that the resource types referenced in
	// ComponentDefinition/TraitDefinition/WorkflowStepDefinition/PolicyDefinition CUE templates
	// exist in the cluster.
	ValidateResourcesExist = "ValidateResourcesExist"

	// EnableGlobalPolicies enables automatic discovery of global PolicyDefinitions, i.e. whether
	// policies with global: true are discovered from vela-system and the namespace.
	EnableGlobalPolicies featuregate.Feature = "EnableGlobalPolicies"

	// EnableApplicationScopedPolicies enables execution of Application-scoped policies. When
	// disabled, policies with scope: Application are not applied, whether global or explicit.
	// This gates the core Application transform functionality; use EnableGlobalPolicies to
	// control global policy discovery separately.
	EnableApplicationScopedPolicies featuregate.Feature = "EnableApplicationScopedPolicies"

	// ValidateUndeclaredParameters enables validation that rejects parameters not declared in the
	// CUE definition schema: any parameter field absent from the template's parameter stanza
	// causes a validation error at admission time.
	ValidateUndeclaredParameters = "ValidateUndeclaredParameters"
)
// defaultFeatureGates maps every feature gate declared in this package to its default
// state and maturity level. init registers it with feature.DefaultMutableFeatureGate;
// entries are listed in the same order as the constant declarations above.
var defaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
	// Compatibility features
	DeprecatedPolicySpec:          {Default: false, PreRelease: featuregate.Alpha},
	LegacyObjectTypeIdentifier:    {Default: false, PreRelease: featuregate.Alpha},
	DeprecatedObjectLabelSelector: {Default: false, PreRelease: featuregate.Alpha},
	LegacyResourceTrackerGC:       {Default: false, PreRelease: featuregate.Beta},
	LegacyResourceOwnerValidation: {Default: false, PreRelease: featuregate.Alpha},
	DisableReferObjectsFromURL:    {Default: false, PreRelease: featuregate.Alpha},
	ApplyResourceByReplace:        {Default: false, PreRelease: featuregate.Alpha},

	// Edge features
	AuthenticateApplication:                       {Default: false, PreRelease: featuregate.Alpha},
	ValidateDefinitionPermissions:                 {Default: false, PreRelease: featuregate.Alpha},
	GzipResourceTracker:                           {Default: false, PreRelease: featuregate.Alpha},
	ZstdResourceTracker:                           {Default: false, PreRelease: featuregate.Alpha},
	GzipApplicationRevision:                       {Default: false, PreRelease: featuregate.Alpha},
	ZstdApplicationRevision:                       {Default: false, PreRelease: featuregate.Alpha},
	ApplyOnce:                                     {Default: false, PreRelease: featuregate.Alpha},
	MultiStageComponentApply:                      {Default: true, PreRelease: featuregate.Alpha},
	PreDispatchDryRun:                             {Default: true, PreRelease: featuregate.Alpha},
	ValidateComponentWhenSharding:                 {Default: false, PreRelease: featuregate.Alpha},
	DisableWebhookAutoSchedule:                    {Default: false, PreRelease: featuregate.Alpha},
	DisableBootstrapClusterInfo:                   {Default: false, PreRelease: featuregate.Alpha},
	InformerCacheFilterUnnecessaryFields:          {Default: true, PreRelease: featuregate.Alpha},
	SharedDefinitionStorageForApplicationRevision: {Default: true, PreRelease: featuregate.Alpha},
	DisableWorkflowContextConfigMapCache:          {Default: true, PreRelease: featuregate.Alpha},
	EnableCueValidation:                           {Default: false, PreRelease: featuregate.Beta},
	EnableApplicationStatusMetrics:                {Default: false, PreRelease: featuregate.Alpha},
	ValidateResourcesExist:                        {Default: false, PreRelease: featuregate.Alpha},
	EnableGlobalPolicies:                          {Default: false, PreRelease: featuregate.Alpha},
	EnableApplicationScopedPolicies:               {Default: false, PreRelease: featuregate.Alpha},
	ValidateUndeclaredParameters:                  {Default: false, PreRelease: featuregate.Alpha},
}
// init registers this package's feature gates with the global mutable feature gate.
// Registration only fails on a programming error (for example a duplicate gate name),
// so the error is turned into a panic at startup rather than silently dropped.
func init() {
	err := feature.DefaultMutableFeatureGate.Add(defaultFeatureGates)
	runtime.Must(err)
}