Provide the capability for 3rd parties to integrate in our validation webhook #4395
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.
Any thoughts on this @kedacore/keda-maintainers?
We should have this.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed due to inactivity.
Since no one has commented on this yet: 3rd-party validation can be done with the upcoming feature ValidatingAdmissionPolicy without any changes required on KEDA's part. https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/
Good call @pokgak! That configuration worked well for me:

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "limit-apps-replicas.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments", "replicasets"]
  validations:
    - expression: "object.spec.replicas <= 10"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "limit-keda-replicas.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["keda.sh"]
        apiVersions: ["v1alpha1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["scaledobjects"]
  validations:
    - expression: "object.spec.maxReplicaCount <= 10"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "limit-apps-replicas-binding.example.com"
spec:
  policyName: "limit-apps-replicas.example.com"
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: k8s-limitations
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "limit-keda-replicas-binding.example.com"
spec:
  policyName: "limit-keda-replicas.example.com"
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: k8s-limitations
```
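A variant of the KEDA policy above, as an added example that is not part of the thread or of the KEDA project. It assumes `spec.maxReplicaCount` may be omitted from a ScaledObject manifest, so the expression tests for the field with `has()` and returns an explicit `message`, and the binding starts in `Warn` and `Audit` mode before being switched to `Deny`. The `-guarded` resource names are hypothetical.

```yaml
# Added example; resource names are hypothetical.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "limit-keda-replicas-guarded.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["keda.sh"]
        apiVersions: ["v1alpha1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["scaledobjects"]
  validations:
    # has() turns the "field omitted" case into an explicit policy result
    # instead of a CEL runtime error that is left to failurePolicy.
    - expression: "has(object.spec.maxReplicaCount) && object.spec.maxReplicaCount <= 10"
      message: "spec.maxReplicaCount must be set and must not exceed 10"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "limit-keda-replicas-guarded-binding.example.com"
spec:
  policyName: "limit-keda-replicas-guarded.example.com"
  # Warn returns a warning to the client and Audit annotates the audit event;
  # neither rejects the request. Change to [Deny] once existing
  # ScaledObjects in the namespace comply.
  validationActions: [Warn, Audit]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: k8s-limitations
```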
@Tomer20 this is great, could you please contribute this to our documentation? Probably here: https://keda.sh/docs/2.15/operate/admission-webhooks/
Sure thing @zroubalik 😄 Here's the PR, any feedback is welcome: kedacore/keda-docs#1471.
Proposal
Provide the capability for 3rd parties to integrate in our validation webhook so that they integrate their own logic.
This should be done by introducing a new CRD which defines an HTTP/gRPC endpoint that KEDA will call during validation. If the validation endpoint becomes unreachable/non-responding, then the status of the new CRD should reflect this but validation will be skipped for a while to avoid it causing KEDA to fail/time out.
Use-Case
Provide the capability for 3rd parties to integrate in our validation webhook so that they integrate their own logic.
This allows platform builders/cluster operators to enforce their own best practices and tie in to our validation process.
Is this a feature you are interested in implementing yourself?
No
Anything else?
No response