KEP-5073: Declarative Validation: Explain and update document with cross-field validation information #5290
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
kind/kep
aaron-prindle
force-pushed
the
kep-5073-update-cross-field
branch
2 times, most recently
from
63eae72 to
a65ce7c
Compare
|
/assign @deads2k @jpbetz @thockin |
| #### Cross-Field Validation and Ratcheting | ||
| For cross-field validations, the validation logic is evaluated at the common ancestor of the fields involved. This approach is necessary for supporting ratcheting. While validation tags (eg: +k8s:maximum=siblingField, +k8s:unionMember , etc.) may be placed on an individual field for clarity, the tag and its associated validation logic will be "hoisted" to the parent struct during code generation. This "hoisting" means the validation is treated as if it were defined on the common ancestor. By anchoring the cross-field alidation logic at the common ancestor, regardless of tag placement, the ratcheting design can more reliably determine how to perform equality checks across the relevant type nodes and decide if re-validation is necessary. | ||
|
|
||
| As noted in the Ratcheting section there is an additional challenge that arises if a cross-field validation rule (e.g. X < Y) is defined on a common ancestor struct/field, and an unrelated field (e.g. Z) within that same ancestor is modified. This change to Z makes the common ancestor “changed” overall, triggering re-validation of the X < Y rule. If this rule was recently evolved, it might now fail even if X and Y themselves are not modified by the user’s update. This could violate the principle “Unchanged fields do not cause update rejections”. In practice this means that the validation rules (or validation-gen generally) might have to be more explicit where each validation rule explains “I only care about these fields for ratcheting”. | ||
|
|
||
| For the initial implementation, this behavior will be documented, and cross-field validation rules must handle ratcheting themselves. This means that in the initial implementation of the cross-field dedicated tags referenced in the document (+k8s:unionMember, etc.), they will handle ratcheting of the fields they operate on directly. See the Ratcheting section for more information on this issue as well as longer term plans on addressing this challenge. |
There was a problem hiding this comment.
Do you think it is more nature that first paragraph is in cross-field section and the 2nd & 3rd paragraphs are in ratcheting section? Maybe you don't need to put a sub-title for that 1st paragraph and then refer to the ratcheting section of how to handle this challenge case?
There was a problem hiding this comment.
+1, I've combined paragraphs 2 & 3 into a single paragraph and de-duped the majority of text from the Ratcheting and Cross-Field Validation section in #5292. This paragraph now explains:
- cross-field tags "hoist" all cross-field tags to the parent struct
- cross-field tags implement ratcheting for the fields they operate on
keps/sig-api-machinery/5073-declarative-validation-with-validation-gen/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/5073-declarative-validation-with-validation-gen/README.md
Outdated
Show resolved
Hide resolved
aaron-prindle
force-pushed
the
kep-5073-update-cross-field
branch
from
e67cef8 to
8d62579
Compare
deads2k
left a comment
deads2k
left a comment
There was a problem hiding this comment.
I wasn't expecting to see CEL in the table. I agree with the rest, though particulars around usage of the tags will need to be worked out. Do you want to do it here, on a followup KEP update, on the implementation PR, or somewhere else?
keps/sig-api-machinery/5073-declarative-validation-with-validation-gen/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/5073-declarative-validation-with-validation-gen/README.md
Outdated
Show resolved
Hide resolved
| // +k8s:subfield({"type":"Denied", "status": "true"})=+k8s:unionMember | ||
|
|
||
| // +k8s:subfield({"type":"Failed"})=+k8s:optional | ||
| // +k8s:subfield({"type":"Failed"})=+k8s:immutable |
There was a problem hiding this comment.
The impl PR will go into the "immutable after create" versus "immutable once set"?
There was a problem hiding this comment.
Yes, the related impl KEP Update will go into the "immutable after create" versus "immutable once set".
keps/sig-api-machinery/5073-declarative-validation-with-validation-gen/README.md
Outdated
Show resolved
Hide resolved
|
oh, and a note that breaking on sentences makes it easier to comment on the right lines. |
aaron-prindle
force-pushed
the
kep-5073-update-cross-field
branch
from
f63f0af to
40bfe3a
Compare
k8s-ci-robot
added
size/L
Noted, I've updated the KEP Update changes here to break on sentences now. |
k8s-ci-robot
added
the
needs-rebase
…oss-field validation information
…tion-gen/README.md Co-authored-by: Joe Betz <[email protected]>
…tion-gen/README.md Co-authored-by: Joe Betz <[email protected]>
aaron-prindle
force-pushed
the
kep-5073-update-cross-field
branch
from
40bfe3a to
22e5865
Compare
k8s-ci-robot
removed
the
needs-rebase
aaron-prindle
force-pushed
the
kep-5073-update-cross-field
branch
2 times, most recently
from
f4378f8 to
2342156
Compare
aaron-prindle
force-pushed
the
kep-5073-update-cross-field
branch
from
2342156 to
ff2a6da
Compare
|
I think this still works well with the other bits we've landed. /lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aaron-prindle, deads2k The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
6 participants
One-line PR description: This addresses how we intend to handle cross-field validations with Declarative Validation.
Issue link: Declarative Validation Of Kubernetes Native Types With validation-gen #5073