github.com/argoproj/argo-events@v1.9.1/docs/validating-admission-webhook.md (about)

# Validating Admission Webhook

![alpha](assets/alpha.svg)

> v1.3 and after

## Overview

Starting from v1.3, a
[Validating Admission Webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook)
is introduced to the project. To install the validating webhook, use the following
command (change the version):

```shell
kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/{version}/manifests/install-validating-webhook.yaml
```

## Benefits

Using the validating webhook has the following benefits:

- It reports the error at the time the faulty spec is applied, so that you don't
  need to check the CRD object `status` field later on to see if there are any
  condition errors.

  e.g. Creating an `exotic` NATS EventBus without `ClusterID` specified:

```sh
cat <<EOF | kubectl create -f -
> apiVersion: argoproj.io/v1alpha1
> kind: EventBus
> metadata:
>   name: default
> spec:
>   nats:
>     exotic: {}
> EOF
Error from server (BadRequest): error when creating "STDIN": admission webhook "webhook.argo-events.argoproj.io" denied the request: "spec.nats.exotic.clusterID" is missing
```

- Spec updating behavior can be validated.

  Updating an existing spec requires more validation: besides checking that the
  new spec is valid, we also need to check whether any immutable fields are being
  updated. This cannot be done in the controller reconciliation, but it can be
  done by the validating webhook.

  For example, updating the Auth Strategy of a native NATS EventBus is prohibited,
  and a denial response like the following is returned.

```sh
Error from server (BadRequest): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"EventBus\",\"metadata\":{\"annotations\":{},\"name\":\"default\",\"namespace\":\"argo-events\"},\"spec\":{\"nats\":{\"native\":{\"replicas\":3}}}}\n"}},"spec":{"nats":{"native":{"auth":null,"maxAge":null,"securityContext":null}}}}
to:
Resource: "argoproj.io/v1alpha1, Resource=eventbus", GroupVersionKind: "argoproj.io/v1alpha1, Kind=EventBus"
Name: "default", Namespace: "argo-events"
for: "test-eventbus.yaml": admission webhook "webhook.argo-events.argoproj.io" denied the request: "spec.nats.native.auth" is immutable, can not be updated
```
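
The two checks described above, sketched as an added Go example (not Argo Events' own webhook code): a required-field check that needs only the new object, and an immutability check that compares the old and new objects carried in the admission request. The struct shapes, the `validate` function, the plain-string `auth` field and the `token` value are assumptions for illustration; the request JSON is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// eventBus models only the fields checked here; Auth as a plain string is an assumption.
type eventBus struct {
	Spec struct {
		NATS struct {
			Native *struct{ Auth string `json:"auth"` }           `json:"native"`
			Exotic *struct{ ClusterID string `json:"clusterID"` } `json:"exotic"`
		} `json:"nats"`
	} `json:"spec"`
}

// admissionRequest is a hand-rolled subset of the AdmissionReview "request" object.
type admissionRequest struct {
	Operation string   `json:"operation"` // CREATE or UPDATE
	Object    eventBus `json:"object"`    // incoming spec
	OldObject eventBus `json:"oldObject"` // stored spec, populated on UPDATE only
}

// validate returns whether the request is allowed and, if not, the denial message.
func validate(raw []byte) (bool, string) {
	var req admissionRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return false, "cannot decode request: " + err.Error()
	}
	// Stateless check: needs only the new object, so it applies to CREATE and UPDATE.
	if e := req.Object.Spec.NATS.Exotic; e != nil && e.ClusterID == "" {
		return false, `"spec.nats.exotic.clusterID" is missing`
	}
	if req.Operation != "UPDATE" {
		return true, ""
	}
	// Immutability check: needs the previous object, which the admission request supplies.
	o, n := req.OldObject.Spec.NATS.Native, req.Object.Spec.NATS.Native
	if o != nil && n != nil && o.Auth != n.Auth {
		return false, `"spec.nats.native.auth" is immutable, can not be updated`
	}
	return true, ""
}

func main() {
	// Constructed request: an UPDATE that drops auth from a native NATS EventBus.
	fmt.Println(validate([]byte(`{"operation":"UPDATE","object":{"spec":{"nats":{"native":{"replicas":3}}}},"oldObject":{"spec":{"nats":{"native":{"auth":"token"}}}}}`)))
}
```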