feat: add CEL validation rules to MemberCluster taint API types

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>

Author: ytimocin

apis/cluster/v1/membercluster_types.go

@@ -71,6 +71,7 @@ type MemberClusterSpec struct {
 	//
 	// This field is beta-level and is for the taints and tolerations feature.
 	// +kubebuilder:validation:MaxItems=100
+	// +kubebuilder:validation:XValidation:rule="self.all(t, self.filter(u, u.key == t.key && (has(u.value) ? u.value : '') == (has(t.value) ? t.value : '') && u.effect == t.effect).size() == 1)",message="taints must be unique"
 	// +optional
 	Taints []Taint `json:"taints,omitempty"`
 }
@@ -136,12 +137,21 @@ type MemberClusterStatus struct {
 
 // Taint attached to MemberCluster has the "effect" on
 // any ClusterResourcePlacement that does not tolerate the Taint.
+// +kubebuilder:validation:XValidation:rule="(self.key.contains('/') ? self.key.substring(self.key.indexOf('/') + 1) : self.key).matches('^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$')",message="taint key name segment must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+// +kubebuilder:validation:XValidation:rule="!self.key.contains('/') || self.key.substring(0, self.key.indexOf('/')).matches('^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$')",message="taint key prefix must be a lowercase DNS subdomain"
+// +kubebuilder:validation:XValidation:rule="(self.key.contains('/') ? self.key.size() - self.key.indexOf('/') - 1 : self.key.size()) <= 63",message="taint key name segment must be 63 characters or less"
+// +kubebuilder:validation:XValidation:rule="!self.key.contains('/') || self.key.indexOf('/') <= 253",message="taint key prefix must be 253 characters or less"
+// +kubebuilder:validation:XValidation:rule="!has(self.value) || size(self.value) == 0 || self.value.matches('^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$')",message="taint value must be a valid label value"
 type Taint struct {
 	// The taint key to be applied to a MemberCluster.
+	// MaxLength is 253 (prefix) + 1 (slash) + 63 (name segment) = 317.
+	// +kubebuilder:validation:MaxLength=317
+	// +kubebuilder:validation:MinLength=1
 	// +required
 	Key string `json:"key"`
 
 	// The taint value corresponding to the taint key.
+	// +kubebuilder:validation:MaxLength=63
 	// +optional
 	Value string `json:"value,omitempty"`
 

apis/cluster/v1beta1/membercluster_types.go

@@ -72,6 +72,7 @@ type MemberClusterSpec struct {
 	//
 	// This field is beta-level and is for the taints and tolerations feature.
 	// +kubebuilder:validation:MaxItems=100
+	// +kubebuilder:validation:XValidation:rule="self.all(t, self.filter(u, u.key == t.key && (has(u.value) ? u.value : '') == (has(t.value) ? t.value : '') && u.effect == t.effect).size() == 1)",message="taints must be unique"
 	// +optional
 	Taints []Taint `json:"taints,omitempty"`
 
@@ -156,12 +157,21 @@ type MemberClusterStatus struct {
 
 // Taint attached to MemberCluster has the "effect" on
 // any ClusterResourcePlacement that does not tolerate the Taint.
+// +kubebuilder:validation:XValidation:rule="(self.key.contains('/') ? self.key.substring(self.key.indexOf('/') + 1) : self.key).matches('^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$')",message="taint key name segment must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+// +kubebuilder:validation:XValidation:rule="!self.key.contains('/') || self.key.substring(0, self.key.indexOf('/')).matches('^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$')",message="taint key prefix must be a lowercase DNS subdomain"
+// +kubebuilder:validation:XValidation:rule="(self.key.contains('/') ? self.key.size() - self.key.indexOf('/') - 1 : self.key.size()) <= 63",message="taint key name segment must be 63 characters or less"
+// +kubebuilder:validation:XValidation:rule="!self.key.contains('/') || self.key.indexOf('/') <= 253",message="taint key prefix must be 253 characters or less"
+// +kubebuilder:validation:XValidation:rule="!has(self.value) || size(self.value) == 0 || self.value.matches('^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$')",message="taint value must be a valid label value"
 type Taint struct {
 	// The taint key to be applied to a MemberCluster.
+	// MaxLength is 253 (prefix) + 1 (slash) + 63 (name segment) = 317.
+	// +kubebuilder:validation:MaxLength=317
+	// +kubebuilder:validation:MinLength=1
 	// +required
 	Key string `json:"key"`
 
 	// The taint value corresponding to the taint key.
+	// +kubebuilder:validation:MaxLength=63
 	// +optional
 	Value string `json:"value,omitempty"`
 

config/crd/bases/cluster.kubernetes-fleet.io_memberclusters.yaml

@@ -128,17 +128,43 @@ spec:
                       - NoSchedule
                       type: string
                     key:
-                      description: The taint key to be applied to a MemberCluster.
+                      description: |-
+                        The taint key to be applied to a MemberCluster.
+                        MaxLength is 253 (prefix) + 1 (slash) + 63 (name segment) = 317.
+                      maxLength: 317
+                      minLength: 1
                       type: string
                     value:
                       description: The taint value corresponding to the taint key.
+                      maxLength: 63
                       type: string
                   required:
                   - effect
                   - key
                   type: object
+                  x-kubernetes-validations:
+                  - message: taint key name segment must consist of alphanumeric characters,
+                      '-', '_' or '.', and must start and end with an alphanumeric
+                      character
+                    rule: '(self.key.contains(''/'') ? self.key.substring(self.key.indexOf(''/'')
+                      + 1) : self.key).matches(''^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'')'
+                  - message: taint key prefix must be a lowercase DNS subdomain
+                    rule: '!self.key.contains(''/'') || self.key.substring(0, self.key.indexOf(''/'')).matches(''^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$'')'
+                  - message: taint key name segment must be 63 characters or less
+                    rule: '(self.key.contains(''/'') ? self.key.size() - self.key.indexOf(''/'')
+                      - 1 : self.key.size()) <= 63'
+                  - message: taint key prefix must be 253 characters or less
+                    rule: '!self.key.contains(''/'') || self.key.indexOf(''/'') <=
+                      253'
+                  - message: taint value must be a valid label value
+                    rule: '!has(self.value) || size(self.value) == 0 || self.value.matches(''^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$'')'
                 maxItems: 100
                 type: array
+                x-kubernetes-validations:
+                - message: taints must be unique
+                  rule: 'self.all(t, self.filter(u, u.key == t.key && (has(u.value)
+                    ? u.value : '''') == (has(t.value) ? t.value : '''') && u.effect
+                    == t.effect).size() == 1)'
             required:
             - identity
             type: object
@@ -500,17 +526,43 @@ spec:
                       - NoSchedule
                       type: string
                     key:
-                      description: The taint key to be applied to a MemberCluster.
+                      description: |-
+                        The taint key to be applied to a MemberCluster.
+                        MaxLength is 253 (prefix) + 1 (slash) + 63 (name segment) = 317.
+                      maxLength: 317
+                      minLength: 1
                       type: string
                     value:
                       description: The taint value corresponding to the taint key.
+                      maxLength: 63
                       type: string
                   required:
                   - effect
                   - key
                   type: object
+                  x-kubernetes-validations:
+                  - message: taint key name segment must consist of alphanumeric characters,
+                      '-', '_' or '.', and must start and end with an alphanumeric
+                      character
+                    rule: '(self.key.contains(''/'') ? self.key.substring(self.key.indexOf(''/'')
+                      + 1) : self.key).matches(''^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'')'
+                  - message: taint key prefix must be a lowercase DNS subdomain
+                    rule: '!self.key.contains(''/'') || self.key.substring(0, self.key.indexOf(''/'')).matches(''^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$'')'
+                  - message: taint key name segment must be 63 characters or less
+                    rule: '(self.key.contains(''/'') ? self.key.size() - self.key.indexOf(''/'')
+                      - 1 : self.key.size()) <= 63'
+                  - message: taint key prefix must be 253 characters or less
+                    rule: '!self.key.contains(''/'') || self.key.indexOf(''/'') <=
+                      253'
+                  - message: taint value must be a valid label value
+                    rule: '!has(self.value) || size(self.value) == 0 || self.value.matches(''^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$'')'
                 maxItems: 100
                 type: array
+                x-kubernetes-validations:
+                - message: taints must be unique
+                  rule: 'self.all(t, self.filter(u, u.key == t.key && (has(u.value)
+                    ? u.value : '''') == (has(t.value) ? t.value : '''') && u.effect
+                    == t.effect).size() == 1)'
             required:
             - identity
             type: object

pkg/utils/validator/membercluster.go

@@ -15,7 +15,6 @@ import (
 
 	clusterv1beta1 "github.com/kubefleet-dev/kubefleet/apis/cluster/v1beta1"
 	"github.com/kubefleet-dev/kubefleet/pkg/utils"
-	"github.com/kubefleet-dev/kubefleet/pkg/utils/validator"
 
 	fleetnetworkingv1alpha1 "go.goms.io/fleet-networking/api/v1alpha1"
 )
@@ -78,14 +77,8 @@ func (v *memberClusterValidator) Handle(ctx context.Context, req admission.Reque
 		return admission.Allowed("Member cluster is ready to leave")
 	}
 
-	if err := v.decoder.Decode(req, &mc); err != nil {
-		klog.ErrorS(err, "Failed to decode member cluster object for validating fields", "userName", req.UserInfo.Username, "groups", req.UserInfo.Groups)
-		return admission.Errored(http.StatusBadRequest, err)
-	}
-
-	if err := validator.ValidateMemberCluster(mc); err != nil {
-		klog.V(2).ErrorS(err, "Member cluster has invalid fields, request is denied", "operation", req.Operation, "memberCluster", mcObjectName)
-		return admission.Denied(err.Error())
-	}
+	// Taint validation is now handled by CRD-level CEL validation rules.
+	// CREATE/UPDATE requests with invalid taints are rejected at schema
+	// validation time before reaching this webhook.
 	return admission.Allowed("Member cluster has valid fields")
 }