feat: Adding CEL validation for the EC2NodeClass (#4746)
engedaam authored Oct 17, 2023
1 parent 7ffa06a commit 4b56b1d
Showing 8 changed files with 1,424 additions and 552 deletions.
100 changes: 94 additions & 6 deletions pkg/apis/crds/karpenter.k8s.aws_ec2nodeclasses.yaml
Expand Up @@ -77,9 +77,21 @@ spec:
description: Tags is a map of key/value tags used to select
subnets Specifying '*' for a value selects all values for
a given tag key.
maxProperties: 20
type: object
x-kubernetes-validations:
- message: empty tag keys or values aren't supported
rule: self.all(k, k != '' && self[k] != '')
type: object
maxItems: 30
type: array
x-kubernetes-validations:
- message: expected at least one, got none, ['tags', 'id', 'name']
rule: self.all(x, has(x.tags) || has(x.id) || has(x.name))
- message: '''id'' is mutually exclusive, cannot be set with a combination
of other fields in amiSelectorTerms'
rule: '!self.all(x, has(x.id) && (has(x.tags) || has(x.name)) ||
has(x.owner))'
blockDeviceMappings:
description: BlockDeviceMappings to be applied to provisioned nodes.
items:
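Review bot: the mutual-exclusion rule for amiSelectorTerms, `rule: '!self.all(x, has(x.id) && (has(x.tags) || has(x.name)) || has(x.owner))'`, has two logic problems. First, `&&` binds tighter than `||` in CEL, so `has(x.owner)` sits outside the parenthesised group: any list in which every term sets `owner` (for instance a single term with `owner` and `name` and no `id`) makes the predicate true for every element, and the rule rejects a valid selector. `has(x.owner)` belongs inside the parentheses next to `has(x.tags)` and `has(x.name)`, matching the shape of the securityGroupSelectorTerms rule later in this file. Second, `!self.all(x, ...)` only fails when every term combines `id` with other fields, so a list holding one well-formed term plus one `id`+`tags` term passes; to enforce what the message states, use `!self.exists(x, has(x.id) && (has(x.tags) || has(x.name) || has(x.owner)))` (equivalently `self.all(x, !(...))`).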
Expand Down Expand Up @@ -133,29 +145,47 @@ spec:
format: int64
type: integer
volumeSize:
allOf:
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- pattern: ^((?:[1-9][0-9]{0,3}|[1-4][0-9]{4}|[5][0-8][0-9]{3}|59000)Gi|(?:[1-9][0-9]{0,3}|[1-5][0-9]{4}|[6][0-3][0-9]{3}|64000)G|([1-9]||[1-5][0-7]|58)Ti|([1-9]||[1-5][0-9]|6[0-3]|64)T)$
anyOf:
- type: integer
- type: string
description: "VolumeSize in GiBs. You must specify either
a snapshot ID or a volume size. The following are the
supported volumes sizes for each volume type: \n * gp2
and gp3: 1-16,384 \n * io1 and io2: 4-16,384 \n * st1
and sc1: 125-16,384 \n * standard: 1-1,024"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
description: "VolumeSize in `Gi`, `G`, `Ti`, or `T`. You
must specify either a snapshot ID or a volume size. The
following are the supported volumes sizes for each volume
type: \n * gp2 and gp3: 1-16,384 \n * io1 and io2: 4-16,384
\n * st1 and sc1: 125-16,384 \n * standard: 1-1,024"
x-kubernetes-int-or-string: true
volumeType:
description: VolumeType of the block device. For more information,
see Amazon EBS volume types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html)
in the Amazon Elastic Compute Cloud User Guide.
enum:
- standard
- io1
- io2
- gp2
- sc1
- st1
- gp3
type: string
type: object
x-kubernetes-validations:
- message: snapshotID or volumeSize must be defined
rule: has(self.snapshotID) || has(self.volumeSize)
rootVolume:
description: RootVolume is a flag indicating if this device
is mounted as kubelet root dir. You can configure at most
one root volume in BlockDeviceMappings.
type: boolean
type: object
maxItems: 50
type: array
x-kubernetes-validations:
- message: must have only one blockDeviceMappings with rootVolume
rule: self.filter(x, has(x.rootVolume)?x.rootVolume==true:false).size()
<= 1
context:
description: Context is a Reserved field in EC2 APIs https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet.html
type: string
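Review bot: the unit-restricting `pattern` under `allOf` is only applied to string values, yet the `anyOf: [integer, string]` branch still admits a bare integer such as `100`, which bypasses the `Gi`/`G`/`Ti`/`T` check the new description promises and would be interpreted as a byte count by `resource.Quantity` downstream. Either drop the integer alternative or add an `x-kubernetes-validations` rule that rejects non-string values. Two smaller points in the second pattern: the `Ti` and `T` groups `([1-9]||[1-5][0-7]|58)` and `([1-9]||[1-5][0-9]|6[0-3]|64)` contain an empty alternative (`||`) that matches the empty string, so `Ti` alone satisfies this pattern and only the first pattern keeps it out; and the ceiling of `59000Gi` does not line up with `58Ti` (59392 GiB), while the description still quotes 16,384 as the per-type maximum, so the bound and the text should be reconciled.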
Expand Down Expand Up @@ -186,13 +216,19 @@ spec:
but this parameter is not specified, the default state is \"enabled\".
\n If you specify a value of \"disabled\", instance metadata
will not be accessible on the node."
enum:
- enabled
- disabled
type: string
httpProtocolIPv6:
default: disabled
description: HTTPProtocolIPv6 enables or disables the IPv6 endpoint
for the instance metadata service on provisioned nodes. If metadata
options is non-nil, but this parameter is not specified, the
default state is "disabled".
enum:
- enabled
- disabled
type: string
httpPutResponseHopLimit:
default: 2
Expand All @@ -202,6 +238,8 @@ spec:
values are integers from 1 to 64. If metadata options is non-nil,
but this parameter is not specified, the default value is 2.
format: int64
maximum: 64
minimum: 1
type: integer
httpTokens:
default: required
Expand All @@ -218,6 +256,9 @@ spec:
retrieval requests. In this state, retrieving the IAM role credentials
always returns the version 2.0 credentials; the version 1.0
credentials are not available."
enum:
- required
- optional
type: string
type: object
role:
Expand All @@ -228,6 +269,9 @@ spec:
collection and drift handling is implemented for the old instance
profiles on an update.
type: string
x-kubernetes-validations:
- message: immutable field changed
rule: self == oldSelf
securityGroupSelectorTerms:
description: SecurityGroupSelectorTerms is a list of or security group
selector terms. The terms are ORed.
Expand All @@ -250,9 +294,25 @@ spec:
description: Tags is a map of key/value tags used to select
subnets Specifying '*' for a value selects all values for
a given tag key.
maxProperties: 20
type: object
x-kubernetes-validations:
- message: empty tag keys or values aren't supported
rule: self.all(k, k != '' && self[k] != '')
type: object
maxItems: 30
type: array
x-kubernetes-validations:
- message: securityGroupSelectorTerms cannot be empty
rule: self.size() != 0
- message: expected at least one, got none, ['tags', 'id', 'name']
rule: self.all(x, has(x.tags) || has(x.id) || has(x.name))
- message: '''id'' is mutually exclusive, cannot be set with a combination
of other fields in securityGroupSelectorTerms'
rule: '!self.all(x, has(x.id) && (has(x.tags) || has(x.name)))'
- message: '''name'' is mutually exclusive, cannot be set with a combination
of other fields in securityGroupSelectorTerms'
rule: '!self.all(x, has(x.name) && (has(x.tags) || has(x.id)))'
subnetSelectorTerms:
description: SubnetSelectorTerms is a list of or subnet selector terms.
The terms are ORed.
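Review bot: the two exclusivity rules `'!self.all(x, has(x.id) && (has(x.tags) || has(x.name)))'` and `'!self.all(x, has(x.name) && (has(x.tags) || has(x.id)))'` only reject a list when every term is malformed; a selector with one clean `tags` term and one term that sets both `id` and `tags` passes, contrary to the message. Replace `!self.all(x, ...)` with `!self.exists(x, ...)` so a single offending term fails validation. As a style point, `rule: self.size() != 0` with message `securityGroupSelectorTerms cannot be empty` can be expressed declaratively as `minItems: 1`, which also reports the violation without evaluating CEL.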
Expand All @@ -271,15 +331,39 @@ spec:
description: Tags is a map of key/value tags used to select
subnets Specifying '*' for a value selects all values for
a given tag key.
maxProperties: 20
type: object
x-kubernetes-validations:
- message: empty tag keys or values aren't supported
rule: self.all(k, k != '' && self[k] != '')
type: object
maxItems: 30
type: array
x-kubernetes-validations:
- message: subnetSelectorTerms cannot be empty
rule: self.size() != 0
- message: expected at least one, got none, ['tags', 'id']
rule: self.all(x, has(x.tags) || has(x.id))
- message: '''id'' is mutually exclusive, cannot be set with a combination
of other fields in subnetSelectorTerms'
rule: '!self.all(x, has(x.id) && has(x.tags))'
tags:
additionalProperties:
type: string
description: Tags to be applied on ec2 resources like instances and
launch templates.
type: object
x-kubernetes-validations:
- message: empty tag keys aren't supported
rule: self.all(k, k != '')
- message: tag contains a restricted tag matching kubernetes.io/cluster/
rule: self.all(k, !k.startsWith('kubernetes.io/cluster') )
- message: tag contains a restricted tag matching karpenter.sh/provisioner-name
rule: self.all(k, k != 'karpenter.sh/provisioner-name')
- message: tag contains a restricted tag matching karpenter.sh/nodepool
rule: self.all(k, k != 'karpenter.sh/nodepool')
- message: tag contains a restricted tag matching karpenter.sh/managed-by
rule: self.all(k, k !='karpenter.sh/managed-by')
userData:
description: UserData to be applied to the provisioned nodes. It must
be in the appropriate format based on the AMIFamily in use. Karpenter
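Review bot: the subnetSelectorTerms rule `'!self.all(x, has(x.id) && has(x.tags))'` has the same quantifier problem as the other selector lists: it fails only when every term combines `id` with `tags`, so use `!self.exists(x, has(x.id) && has(x.tags))` to catch a single offending term. In the `tags` block, the message says the restricted prefix is `kubernetes.io/cluster/` but the rule uses `!k.startsWith('kubernetes.io/cluster')` without the trailing slash, which is broader than stated (it also blocks keys such as `kubernetes.io/cluster-foo`); either add the slash to the literal or adjust the message so the two agree. Also note that the `tags` rules check keys only, unlike the selector `tags` maps which additionally reject empty values; if that asymmetry is intentional (EC2 permits empty tag values) a short comment in the Go type would help readers.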
Expand All @@ -292,6 +376,10 @@ spec:
- securityGroupSelectorTerms
- subnetSelectorTerms
type: object
x-kubernetes-validations:
- message: amiSelectorTerms is required when amiFamily == 'Custom'
rule: 'self.amiFamily == ''Custom'' ? self.amiSelectorTerms.size() !=
0 : true'
status:
description: EC2NodeClassStatus contains the resolved state of the EC2NodeClass
properties:
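Review bot: the rule `'self.amiFamily == ''Custom'' ? self.amiSelectorTerms.size() != 0 : true'` dereferences fields without `has()` guards. In CRD CEL, reading an absent optional field raises an evaluation error rather than returning a falsy value, so if `amiFamily` is not in the `required` list an object that omits it is rejected with an error instead of passing, and an object with `amiFamily: Custom` that omits `amiSelectorTerms` produces an error instead of the intended message. Guard both accesses: `!has(self.amiFamily) || self.amiFamily != 'Custom' || (has(self.amiSelectorTerms) && self.amiSelectorTerms.size() != 0)`.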