Enable resource validation
Enable or disable resource validation in K8sGateway and view the current alidating admission webhook configuration.
View the current validating admission webhook configuration
You can check whether strict or permissive validation is enabled in your K8sGateway installation by checking the Settings resource.
-
Get the details of the default settings resource.
kubectl get settings default -n gloo-system -o yaml
-
In your CLI output, find the
spec.gateway.validation.alwaysAccept
setting.- If set to
true
, permissive mode is enabled in your K8sGateway setup and invalid Gloo resources are only logged, but not rejected. - If set to
false
, strict validation mode is enabled and invalid resource configuration is rejected before being applied in the cluster. - If
allowWarnings=false
is set alongsidealwaysAccept=false
, resources that result in aWarning
status are also rejected.
- If set to
Enable strict resource validation
Configure the validating admission webhook to reject invalid K8sGateway custom resources before they are applied in the cluster.
-
Enable strict resource validation. Resource validation is enabled by using the Settings resource in K8sGateway. You can update the Settings resource by editing it directly or by enabling it in your K8sGateway Helm installation.
Edit the Settings resource directly. Note that manually editing the Settings resource does not change the resource validation setting in the Helm installation. Because of that, this setting gets overwritten when you upgrade your Helm installation.
-
Edit the default Settings resource.
kubectl edit settings default -n gloo-system
-
In your Settings resource, set
spec.gateway.validation.alwaysAccept=false
to enable strict resource validation.... spec: gateway: enableGatewayController: true isolateVirtualHostsBySslConfig: false readGatewaysFromAllNamespaces: false validation: allowWarnings: true alwaysAccept: false disableTransformationValidation: false proxyValidationServerAddr: gloo:9988 serverEnabled: true validationServerGrpcMaxSizeBytes: 104857600 warnRouteShortCircuiting: false
- Get the current values for your Helm chart.
helm get values gloo-gateway -n gloo-system -o yaml > gloo-gateway.yaml open gloo-gateway.yaml
- In your Helm values file, enable strict resource validation.
gateway: validation: enabled: true alwaysAcceptResources: false
ℹ️To also reject K8sGateway custom resources that result in aWarning
status, includegateway.validation.allowWarnings: false
.- Upgrade your installation.
helm upgrade -n gloo-system gloo-gateway gloo/gloo \ --values gloo-gateway.yaml \ --version 1.18.0-beta34
-
-
Verify that the validating admission webhook is enabled.
-
Create a RouteOption resource with an invalid fault injection configuration. The following example aborts 50% of all incoming requests. However, no HTTP status code is defined.
kubectl apply -n httpbin -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: faults namespace: httpbin spec: options: faults: abort: percentage: 50 # httpStatus: 503 EOF
-
Verify that the RouteOption resource is rejected. You see an error message similar to the following.
Error from server: error when creating "STDIN": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.RouteOption failed: 1 error occurred: * Validating *v1.RouteOption failed: validating *v1.RouteOption name:"faults" namespace:"httpbin": 1 error occurred: * Route Error: ProcessingError. Reason: *faultinjection.plugin: invalid abort status code '0', must be in range of [200,600). Route Name:
ℹ️You can also use the validating admission webhook by running thekubectl apply –dry-run=server
command to test your Gloo configuration before you apply it to your cluster. For more information, see Test resource configurations.
-
Disable resource validation
Because the validation admission webhook is set up automatically in K8sGateway, a ValidationWebhookConfiguration
resource is created in your cluster. You can disable the webhook, which prevents the ValidationWebhookConfiguration
resource from being created. When validation is disabled, any Gloo resources that you create in your cluster are translated to Envoy proxy config, even if the config has errors or warnings.
To disable validation, use the following --set
options during your Helm installation.
--set gateway.enabled=false
--set gateway.validation.enabled=false
--set gateway.validation.webhook.enabled=false