
Enable resource validation

Enable or disable resource validation in Gloo Gateway and view the current validating admission webhook configuration.

View the current validating admission webhook configuration

You can check whether strict or permissive validation is enabled in your Gloo Gateway installation by checking the Settings resource.

  1. Get the details of the default settings resource.

    kubectl get settings default -n gloo-system -o yaml
  2. In your CLI output, find the spec.gateway.validation.alwaysAccept setting.

    • If set to true, permissive mode is enabled in your Gloo Gateway setup and invalid Gloo resources are only logged, but not rejected.
    • If set to false, strict validation mode is enabled and invalid resource configuration is rejected before being applied in the cluster.
    • If allowWarnings=false is set alongside alwaysAccept=false, resources that result in a Warning status are also rejected.

Enable strict resource validation

Configure the validating admission webhook to reject invalid Gloo Gateway custom resources before they are applied in the cluster.

  1. Enable strict resource validation. Resource validation is enabled by using the Settings resource in Gloo Gateway. You can update the Settings resource by editing it directly or by enabling it in your Gloo Gateway Helm installation.

    Edit the Settings resource directly. Note that manually editing the Settings resource does not change the resource validation setting in the Helm installation. Because of that, this setting gets overwritten when you upgrade your Helm installation.

    1. Edit the default Settings resource.

      kubectl edit settings default -n gloo-system
    2. In your Settings resource, set spec.gloo.gateway.validation.alwaysAccept=false to enable strict resource validation.

      ...
      spec:
        gloo:
          gateway:
            enableGatewayController: true
            isolateVirtualHostsBySslConfig: false
            readGatewaysFromAllNamespaces: false
            validation:
              allowWarnings: true
              alwaysAccept: false
              disableTransformationValidation: false
              proxyValidationServerAddr: gloo:9988
              serverEnabled: true
              validationServerGrpcMaxSizeBytes: 104857600
              warnRouteShortCircuiting: false

    Enable strict resource validation in your Gloo Gateway Helm installation.

    1. Get the current values for your Helm chart.

      helm get values gloo -n gloo-system -o yaml > gloo-gateway.yaml
      open gloo-gateway.yaml
    2. In your Helm values file, enable strict resource validation.

      
      gloo:
        gateway:
          validation:
            enabled: true
            alwaysAcceptResources: false    
    3. Upgrade your installation.

      helm upgrade -n gloo-system gloo glooe/gloo-ee \
       --values gloo-gateway.yaml \
       --version 1.21.6

  2. Verify that the validating admission webhook is enabled.

    1. Create a RouteOption resource with an invalid fault injection configuration. The following example aborts 50% of all incoming requests. However, no HTTP status code is defined.

      kubectl apply -n httpbin -f- <<EOF
      apiVersion: gateway.solo.io/v1
      kind: RouteOption
      metadata:
        name: faults
        namespace: httpbin
      spec:
        options:
          faults:
            abort:
              percentage: 50
              # httpStatus: 503
      EOF
    2. Verify that the RouteOption resource is rejected. You see an error message similar to the following.

      Error from server: error when creating "STDIN": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.RouteOption failed: 1 error occurred:
      * Validating *v1.RouteOption failed: validating *v1.RouteOption name:"faults"  namespace:"httpbin": 1 error occurred:
      * Route Error: ProcessingError. Reason: *faultinjection.plugin: invalid abort status code '0', must be in range of [200,600). Route Name: 

Exclude resources from validation

When you enable resource validation, all supported resource types are automatically scanned and validated when you attempt to create, update, or delete them. However, you might not want all of the resources to be validated, but instead want to explicitly exclude certain resource types or resources with specific labels. You can set match conditions in your resource validation configuration to accomplish this task.

Match conditions are written in CEL. To target a particular resource, your CEL expression must adhere to the syntax of the validation API. For more information, see the Validation API reference.

For more information about how to use the match conditions in the validation webhook and find other match condition examples, see the Kubernetes documentation.

  1. Follow the steps to enable resource validation.

  2. Try to create an invalid RouteOption resource and verify that the resource configuration is denied.

    kubectl apply -n httpbin --dry-run=server -f- <<EOF
    apiVersion: gateway.solo.io/v1
    kind: RouteOption
    metadata:
      name: faults
      namespace: httpbin
    spec:
      options:
        faults:
          abort:
            percentage: 50
            # httpStatus: 503
    EOF

    Example output:

    Error from server: error when creating "STDIN": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.RouteOption failed: 1 error occurred:
        * Validating *v1.RouteOption failed: validating *v1.RouteOption name:"faults"  namespace:"httpbin": 1 error occurred:
     * Route Error: ProcessingError. Reason: *faultinjection.plugin: invalid abort status code '0', must be in range of [200,600). Route Name: 
  3. Add a match condition to your Gloo Gateway installation to exclude RouteOption resources from validation. In this example, you exclude all RouteOption resources in the gateway.solo.io API group that also have a foo label.

    1. In your Helm values file, add the following values.
      
      gloo:
        gateway:
          validation:
            enabled: true
            alwaysAcceptResources: false  
            failurePolicy: Fail 
            matchConditions:
            - name: skip-routeoptions
              expression: '!(request.kind.group == "gateway.solo.io" && request.kind.kind == "RouteOption" && "labels" in object.metadata && "foo" in object.metadata.labels)'  
    2. Upgrade your Gloo Gateway installation.

      helm upgrade -n gloo-system gloo glooe/gloo-ee \
       --values gloo-gateway.yaml \
       --version 1.21.6
  4. Try to apply the same RouteOption resource again. Verify that the RouteOption is still denied. Because the resource does not have a foo label, the exclusion in the match condition does not apply and the resource is still validated.

    kubectl apply -n httpbin --dry-run=server -f- <<EOF
    apiVersion: gateway.solo.io/v1
    kind: RouteOption
    metadata:
      name: faults
      namespace: httpbin
    spec:
      options:
        faults:
          abort:
            percentage: 50
            # httpStatus: 503
    EOF

    Example output:

    Error from server: error when creating "STDIN": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.RouteOption failed: 1 error occurred:
        * Validating *v1.RouteOption failed: validating *v1.RouteOption name:"faults"  namespace:"httpbin": 1 error occurred:
     * Route Error: ProcessingError. Reason: *faultinjection.plugin: invalid abort status code '0', must be in range of [200,600). Route Name: 
  5. Apply the RouteOption with a foo label. This time, the resource meets the exclusion in the match condition and is excluded from validation.

    kubectl apply -n httpbin --dry-run=server -f- <<EOF
    apiVersion: gateway.solo.io/v1
    kind: RouteOption
    metadata:
      name: faults
      namespace: httpbin
      labels: 
        foo: bar
    spec:
      options:
        faults:
          abort:
            percentage: 50
            # httpStatus: 503
    EOF

    Example output:

    routeoption.gateway.solo.io/faults created (server dry run)
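
The following added example (not part of the Gloo Gateway documentation) restates the skip-routeoptions match condition from step 3 in Python and lists which resources in a resource list skip the validation webhook. The sample list is constructed, and the helper names sent_to_webhook and unvalidated are hypothetical.

```python
# Added example: restates this page's skip-routeoptions match condition in
# plain Python (not a CEL evaluator) to audit resources that skip validation.
import json

# Values taken from the match condition on this page.
EXCLUDED_GROUP = "gateway.solo.io"
EXCLUDED_KIND = "RouteOption"
EXCLUDED_LABEL = "foo"

def sent_to_webhook(resource: dict) -> bool:
    """True if the match condition holds, so the webhook validates the resource."""
    group, sep, _ = resource.get("apiVersion", "").partition("/")
    if not sep:  # core-group resources have apiVersion "v1" and an empty group
        group = ""
    labels = (resource.get("metadata") or {}).get("labels") or {}
    excluded = (
        group == EXCLUDED_GROUP
        and resource.get("kind") == EXCLUDED_KIND
        and EXCLUDED_LABEL in labels  # key presence only; the value is ignored
    )
    return not excluded

def unvalidated(resource_list: dict) -> list:
    """Return namespace/name of each item that the webhook never sees."""
    return [
        f"{item['metadata'].get('namespace', '')}/{item['metadata']['name']}"
        for item in resource_list.get("items", [])
        if not sent_to_webhook(item)
    ]

# Constructed sample in the shape of `kubectl get <kind> -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"apiVersion": "gateway.solo.io/v1", "kind": "RouteOption",
   "metadata": {"name": "faults", "namespace": "httpbin"}},
  {"apiVersion": "gateway.solo.io/v1", "kind": "RouteOption",
   "metadata": {"name": "faults-labeled", "namespace": "httpbin", "labels": {"foo": "bar"}}},
  {"apiVersion": "gateway.solo.io/v1", "kind": "RouteOption",
   "metadata": {"name": "empty-value", "namespace": "httpbin", "labels": {"foo": ""}}},
  {"apiVersion": "gateway.solo.io/v1", "kind": "VirtualService",
   "metadata": {"name": "vs", "namespace": "gloo-system", "labels": {"foo": "bar"}}}
]}
""")

if __name__ == "__main__":
    for ref in unvalidated(SAMPLE):
        print("skips admission validation:", ref)
```

The condition tests only for the presence of the foo label key, so a RouteOption with that label is admitted without validation whatever the label value is, while other kinds with the same label are still validated. To audit a cluster, replace SAMPLE with the parsed output of kubectl get routeoptions -A -o json.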

Disable resource validation

Because the validating admission webhook is set up automatically in Gloo Gateway, a ValidatingWebhookConfiguration resource is created in your cluster. You can disable the webhook, which prevents the ValidatingWebhookConfiguration resource from being created. When validation is disabled, any Gloo resources that you create in your cluster are translated to Envoy proxy config, even if the config has errors or warnings.

To disable validation, use the following --set options during your Helm installation.

--set gloo.gateway.enabled=false
--set gloo.gateway.validation.enabled=false
--set gloo.gateway.validation.webhook.enabled=false