Enable resource validation

View the current validating admission webhook configuration link

You can check whether strict or permissive validation is enabled in your Gloo Gateway installation by checking the Settings resource.

1. Get the details of the default settings resource.

     kubectl get settings default -n gloo-system -o yaml
     

2. In your CLI output, find the spec.gateway.validation.alwaysAccept setting.

   • If set to true, permissive mode is enabled in your Gloo Gateway setup and invalid Gloo resources are only logged, but not rejected.
   • If set to false, strict validation mode is enabled and invalid resource configuration is rejected before being applied in the cluster.
   • If allowWarnings=false is set alongside alwaysAccept=false, resources that result in a Warning status are also rejected.

Enable strict resource validation link

Configure the validating admission webhook to reject invalid Gloo Gateway custom resources before they are applied in the cluster.

1. Enable strict resource validation. Resource validation is enabled by using the Settings resource in Gloo Gateway. You can update the Settings resource by editing it directly or by enabling it in your Gloo Gateway Helm installation.

   Edit the Settings resource directly. Note that manually editing the Settings resource does not change the resource validation setting in the Helm installation. Because of that, this setting gets overwritten when you upgrade your Helm installation.

   1. Edit the default Settings resource.

        kubectl edit settings default -n gloo-system
        

   2. In your Settings resource, set spec.gateway.validation.alwaysAccept=false to enable strict resource validation.

            ...
      spec:
        gateway:
          enableGatewayController: true
          isolateVirtualHostsBySslConfig: false
          readGatewaysFromAllNamespaces: false
          validation:
            allowWarnings: true
            alwaysAccept: false
            disableTransformationValidation: false
            proxyValidationServerAddr: gloo:9988
            serverEnabled: true
            validationServerGrpcMaxSizeBytes: 104857600
            warnRouteShortCircuiting: false
      

   1. Get the current values for your Helm chart.

        helm get values gloo-gateway -n gloo-system -o yaml > gloo-gateway.yaml
      open gloo-gateway.yaml
        

   2. In your Helm values file, enable strict resource validation.

        
      gateway:
        validation:
          enabled: true
          alwaysAcceptResources: false    
        

      info

      To also reject Gloo custom resources that result in a Warning status, include gateway.validation.allowWarnings: false.

   3. Upgrade your installation.

        helm upgrade -n gloo-system gloo-gateway glooe/gloo-ee \
       --values gloo-gateway.yaml \
       --version 1.18.0-beta2
      
       
        

2. Verify that the validating admission webhook is enabled.

   1. Create a RouteOption resource with an invalid fault injection configuration. The following example aborts 50% of all incoming requests. However, no HTTP status code is defined.

        kubectl apply -n httpbin -f- <<EOF
      apiVersion: gateway.solo.io/v1
      kind: RouteOption
      metadata:
        name: faults
        namespace: httpbin
      spec:
        options:
          faults:
            abort:
              percentage: 50
              # httpStatus: 503
      EOF
        

   2. Verify that the RouteOption resource is rejected. You see an error message similar to the following.

        Error from server: error when creating "STDIN": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.RouteOption failed: 1 error occurred:
      * Validating *v1.RouteOption failed: validating *v1.RouteOption name:"faults"  namespace:"httpbin": 1 error occurred:
      * Route Error: ProcessingError. Reason: *faultinjection.plugin: invalid abort status code '0', must be in range of [200,600). Route Name: 
        

      notifications

      You can also use the validating admission webhook by running the kubectl apply --dry-run=server command to test your Gloo configuration before you apply it to your cluster. For more information, see Test resource configurations.

Disable resource validation link

Because the validation admission webhook is set up automatically in Gloo Gateway, a ValidationWebhookConfiguration resource is created in your cluster. You can disable the webhook, which prevents the ValidationWebhookConfiguration resource from being created. When validation is disabled, any Gloo resources that you create in your cluster are translated to Envoy proxy config, even if the config has errors or warnings.

To disable validation, use the following --set options during your Helm installation.

  --set gateway.enabled=false
--set gateway.validation.enabled=false
--set gateway.validation.webhook.enabled=false