Enable resource validation

Enable resource validation

Enable or disable resource validation in K8sGateway and view the current alidating admission webhook configuration.

View the current validating admission webhook configuration

You can check whether strict or permissive validation is enabled in your K8sGateway installation by checking the Settings resource.

  1. Get the details of the default settings resource.

    kubectl get settings default -n gloo-system -o yaml
  2. In your CLI output, find the spec.gateway.validation.alwaysAccept setting.

    • If set to true, permissive mode is enabled in your K8sGateway setup and invalid Gloo resources are only logged, but not rejected.
    • If set to false, strict validation mode is enabled and invalid resource configuration is rejected before being applied in the cluster.
    • If allowWarnings=false is set alongside alwaysAccept=false, resources that result in a Warning status are also rejected.

Enable strict resource validation

Configure the validating admission webhook to reject invalid K8sGateway custom resources before they are applied in the cluster.

  1. Enable strict resource validation. Resource validation is enabled by using the Settings resource in K8sGateway. You can update the Settings resource by editing it directly or by enabling it in your K8sGateway Helm installation.

    Edit the Settings resource directly. Note that manually editing the Settings resource does not change the resource validation setting in the Helm installation. Because of that, this setting gets overwritten when you upgrade your Helm installation.

    1. Edit the default Settings resource.

      kubectl edit settings default -n gloo-system
    2. In your Settings resource, set spec.gateway.validation.alwaysAccept=false to enable strict resource validation.

      ...
      spec:
        gateway:
          enableGatewayController: true
          isolateVirtualHostsBySslConfig: false
          readGatewaysFromAllNamespaces: false
          validation:
            allowWarnings: true
            alwaysAccept: false
            disableTransformationValidation: false
            proxyValidationServerAddr: gloo:9988
            serverEnabled: true
            validationServerGrpcMaxSizeBytes: 104857600
            warnRouteShortCircuiting: false
    1. Get the current values for your Helm chart.
      helm get values gloo-gateway -n gloo-system -o yaml > gloo-gateway.yaml
      open gloo-gateway.yaml
    2. In your Helm values file, enable strict resource validation.
      gateway:
        validation:
          enabled: true
          alwaysAcceptResources: false    
    ℹ️
    To also reject K8sGateway custom resources that result in a Warning status, include gateway.validation.allowWarnings: false.
    1. Upgrade your installation.
      helm upgrade -n gloo-system gloo-gateway gloo/gloo \
       --values gloo-gateway.yaml \
       --version 1.18.0-beta32

  2. Verify that the validating admission webhook is enabled.

    1. Create a RouteOption resource with an invalid fault injection configuration. The following example aborts 50% of all incoming requests. However, no HTTP status code is defined.

      kubectl apply -n httpbin -f- <<EOF
      apiVersion: gateway.solo.io/v1
      kind: RouteOption
      metadata:
        name: faults
        namespace: httpbin
      spec:
        options:
          faults:
            abort:
              percentage: 50
              # httpStatus: 503
      EOF
    2. Verify that the RouteOption resource is rejected. You see an error message similar to the following.

      Error from server: error when creating "STDIN": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.RouteOption failed: 1 error occurred:
      * Validating *v1.RouteOption failed: validating *v1.RouteOption name:"faults"  namespace:"httpbin": 1 error occurred:
      * Route Error: ProcessingError. Reason: *faultinjection.plugin: invalid abort status code '0', must be in range of [200,600). Route Name: 
      ℹ️
      You can also use the validating admission webhook by running the kubectl apply –dry-run=server command to test your Gloo configuration before you apply it to your cluster. For more information, see Test resource configurations.

Disable resource validation

Because the validation admission webhook is set up automatically in K8sGateway, a ValidationWebhookConfiguration resource is created in your cluster. You can disable the webhook, which prevents the ValidationWebhookConfiguration resource from being created. When validation is disabled, any Gloo resources that you create in your cluster are translated to Envoy proxy config, even if the config has errors or warnings.

To disable validation, use the following --set options during your Helm installation.

--set gateway.enabled=false
--set gateway.validation.enabled=false
--set gateway.validation.webhook.enabled=false