addressing review comments

aaron-prindle · aaron-prindle · commit ff2a6da4432b · 2025-06-10T23:44:18.000Z
diff --git a/keps/sig-api-machinery/5073-declarative-validation-with-validation-gen/README.md b/keps/sig-api-machinery/5073-declarative-validation-with-validation-gen/README.md
@@ -62,6 +62,8 @@
     - [List Operations](#list-operations)
     - [Conditional Immutability](#conditional-immutability)
     - [Subresource-Specific Immutability](#subresource-specific-immutability)
+  - [Cross-Field Validation](#cross-field-validation)
+    - [Handling Ratcheting In Cross-Field Validation Tags](#handling-ratcheting-in-cross-field-validation-tags)
   - [Referencing Fields in Validation-Gen For Cross-Field Validation Rules](#referencing-fields-in-validation-gen-for-cross-field-validation-rules)
     - [Field Reference Strategies](#field-reference-strategies)
       - [Field Path Strategy](#field-path-strategy)
@@ -73,8 +75,6 @@
     - [Status-Type Subresources](#status-type-subresources)
     - [Scale-Type Subresources](#scale-type-subresources)
     - [Streaming Subresources](#streaming-subresources)
-  - [Cross-Field Validation](#cross-field-validation)
-    - [Handling Ratcheting In Cross-Field Validation Tags](#handling-ratcheting-in-cross-field-validation-tags)
   - [Ratcheting](#ratcheting)
     - [Core Principles](#core-principles)
     - [Default Ratcheting Behavior](#default-ratcheting-behavior)
@@ -613,7 +613,7 @@ The below rules are currently implemented or are very similar to an existing val
     `+k8s:minimum`, `+k8s:maximum`, `+k8s:exclusiveMinimum`, `+k8s:exclusiveMaximum`
    </td>
    <td>
-    minimum, maximum, exclusiveMinimum, exclusiveMaximum (for constants); x-kubernetes-validations (for field refs)
+    `minimum`, `maximum`, `exclusiveMinimum`, `exclusiveMaximum` (for constants); x-kubernetes-validations (for field refs)
    </td>
   </tr>
   <tr>
@@ -751,19 +751,62 @@ The below rules are currently implemented or are very similar to an existing val
    </td>
   </tr>
   <tr>
-   <td>
-    immutable value
+   <td style="background-color: null">
+    immutable after set
    </td>
-   <td>
-    +k8s:immutable
+   <td style="background-color: null">
+    `+k8s:immutable`
    </td>
-   <td>
-    x-kubernetes-validations (CEL: !has(oldSelf...) || self... == oldSelf...)
+   <td style="background-color: null">
+    N/A
+   </td>
+  </tr>
+  <tr>
+   <td style="background-color: null">
+    required once set
+   </td>
+   <td style="background-color: null">
+    `+k8s:requiredOnceSet`
+   </td>
+   <td style="background-color: null">
+    N/A
+   </td>
+  </tr>
+  <tr>
+   <td style="background-color: null">
+    immutable(frozen) at creation
+   </td>
+   <td style="background-color: null">
+    `+k8s:frozen`
+   </td>
+   <td style="background-color: null">
+    N/A
+   </td>
+  </tr>
+  <tr>
+   <td style="background-color: null">
+    group membership (virtual field)
+   </td>
+   <td style="background-color: null">
+    `+k8s:memberOf(group: &lt;groupname>)`
+   </td>
+   <td style="background-color: null">
+    N/A
+   </td>
+  </tr>
+  <tr>
+   <td style="background-color: null">
+    list map item reference (virtual field)
+   </td>
+   <td style="background-color: null">
+    `+k8s:listMapItem(list-map-key-field-name: value,...])`
+   </td>
+   <td style="background-color: null">
+    N/A
    </td>
   </tr>
 </table>
 
-
 ### Supporting Declarative Validation IDL tags On Shared Struct Fields
 
 IDL tags may be used directly on type declarations and indirectly on field and type aliases. For example:
@@ -1135,6 +1178,47 @@ type PodSpec struct {
     NodeName string `json:"nodeName,omitempty"`
 }
 ```
+
+### Cross-Field Validation
+
+A cross-field validation refers to any validation rule whose outcome depends on the value of more than one field within a given Kubernetes API object, potentially including fields from the previous version of the object (`oldSelf`) or external options (namely feature gates).  
+This differs from single-field validation which only considers the value of the field where the validation tag is placed.
+
+These types of validations often have more complex logic and can be more difficult UX-wise to create a dedicated tag for as there are more options for representing them (tag directly on N fields, tag on one of the fields with args for the other fields, on the parent struct with args for all fields, etc.).  
+From an analysis of current validation logic in `kubernetes/kubernetes` across native types in `pkg/apis`, a number of validation categories were identified:
+
+*   Conditional Requirement/Validation
+*   Non-Discriminated Unions
+*   Discriminated Unions
+*   List/Map Integrity
+*   Comparison
+*   Status Condition Validation
+*   Format/Value Dependencies
+    *   Rules where the validity or format of one field depends directly on the value of another field (or a value calculated from other fields). Includes: Checking if a generated string (like hostname + index) forms a valid DNS label, validating a field based on a prefix derived from another (like metadata name), or validating a field against a calculated aggregate value (like commonEncodingVersion).
+*   Transition Rules (Immutability, Ratcheting, etc.)
+*   At least "oneOf" Required
+*   Co-occurrence Requirements
+    *   Rules defining relationships where fields must appear together, be consistent if both present, or satisfy a bi-directional implication (A if and only if B).
+*   Complex/Custom Logic
+
+From this list of categories, the goal for Declarative Validation is to create dedicated tags capable of handling these categories similarly/identically to the current validation logic. 
+The table in "Catalog of Supported Validation Rules & Associated IDL Tags" includes a number of these cross-field validation tags targeting the above categories including:
+
+*   Non-Discriminated & Discriminated Unions: `+k8s:union[Member|Discriminator]`
+*   Comparison: `+k8s:[minimum|maximum]` w/ field ref support
+*   Transition Rules - Immutability: `+k8s:immutable`.
+
+
+#### Handling Ratcheting In Cross-Field Validation Tags
+For cross-field validations, the validation logic is evaluated at the common ancestor of the fields involved. 
+This approach is necessary for supporting ratcheting. While validation tags (eg: +k8s:maximum=siblingField, +k8s:unionMember , etc.) may be placed on an individual field for clarity, the tag and its associated validation logic will be "hoisted" to the parent struct during code generation. 
+This "hoisting" means the validation is treated as if it were defined on the common ancestor.  
+By anchoring the cross-field validation logic at the common ancestor, regardless of tag placement, the ratcheting design can more reliably determine how to perform equality checks across the relevant type nodes and decide if re-validation is necessary.
+
+As noted in the "Ratcheting and Cross-Field Validation" section there is an additional challenge that arises if a cross-field validation rule (e.g. X < Y) is defined on a common ancestor struct/field, and an unrelated field (e.g. Z) within that same ancestor is modified (see section for more information). 
+In practice this means that the validation rules (or validation-gen generally) need to be more explicit where each validation rule explains “I only use these fields as inputs" for ratcheting.  
+This means that in the initial implementation of the cross-field dedicated tags referenced in the document (+k8s:unionMember, etc.), they will handle ratcheting of the fields they operate on directly.
+
 ### Referencing Fields in Validation-Gen For Cross-Field Validation Rules
 
 Cross-field validation refers to validation rules that depend on the values of multiple fields within a struct or across nested structs. Cross-field validations require a method for referencing additional fields from validation-gen IDL tags.
@@ -1354,54 +1438,6 @@ is not stored, the use case is much simpler and only requires the "Subresource V
 
 The streamed data does not require declarative validation, as it is not structured resource data.
 
-### Cross-Field Validation
-
-A cross-field validation refers to any validation rule whose outcome depends on the value of more than one field within a given Kubernetes API object, potentially including fields from the previous version of the object (`oldSelf`) or external options (namely feature gates). This differs from single-field validation which only considers the value of the field where the validation tag is placed.
-
-These types of validations often have more complex logic and can be more difficult UX-wise to create a dedicated tag for as there are more options for representing them (tag directly on N fields, tag on one of the fields with args for the other fields, on the parent struct with args for all fields, etc.). From an analysis of current validation logic in `kubernetes/kubernetes` across native types in `pkg/apis`, a number of validation categories were identified:
-
-*   Conditional Requirement/Validation
-*   Non-Discriminated Unions
-*   Discriminated Unions
-*   List/Map Integrity
-*   Comparison
-*   Status Condition Validation
-*   Format/Value Dependencies
-    *   Rules where the validity or format of one field depends directly on the value of another field (or a value calculated from other fields). Includes: Checking if a generated string (like hostname + index) forms a valid DNS label, validating a field based on a prefix derived from another (like metadata name), or validating a field against a calculated aggregate value (like commonEncodingVersion).
-*   Transition Rules (Immutability, Ratcheting, etc.)
-*   At least "oneOf" Required
-*   Co-occurrence Requirements
-    *   Rules defining relationships where fields must appear together, be consistent if both present, or satisfy a bi-directional implication (A if and only if B).
-*   Complex/Custom Logic
-
-From this list of categories, the goal for Declarative Validation is to create dedicated tags capable of handling these categories similarly/identically to the current validation logic. The table in "Catalog of Supported Validation Rules & Associated IDL Tags" includes a number of these cross-field validation tags targeting the above categories including:
-
-*   Non-Discriminated & Discriminated Unions: `+k8s:union[Member|Discriminator]`
-*   Comparison: `+k8s:[minimum|maximum]` w/ field ref support
-*   Transition Rules - Immutability: `+k8s:immutable`.
-
-Some categories can be covered by extending and or/chaining a combination of tags. For example “Status Condition Validation” can, for identified cases (example below for CertificateSigningRequest), be handled using a combination of `+k8s:subfield` (enhanced to support targeting list entries) and `+k8s:unionMember`:
-
-```go
-type CertificateSigningRequestStatus struct {
-       // +k8s:subfield({"type":"Approved"})=+k8s:optional
-       // +k8s:subfield({"type":"Approved", "status": "true"})=+k8s:unionMember
-
-       // +k8s:subfield({"type":"Denied"})=+k8s:optional
-       // +k8s:subfield({"type":"Denied", "status": "true"})=+k8s:unionMember
-
-       // +k8s:subfield({"type":"Failed"})=+k8s:optional
-       // +k8s:subfield({"type":"Failed"})=+k8s:immutable
-	Conditions []CertificateSigningRequestCondition
-}
-```
-
-#### Handling Ratcheting In Cross-Field Validation Tags
-For cross-field validations, the validation logic is evaluated at the common ancestor of the fields involved. This approach is necessary for supporting ratcheting. While validation tags (eg: +k8s:maximum=siblingField, +k8s:unionMember , etc.) may be placed on an individual field for clarity, the tag and its associated validation logic will be "hoisted" to the parent struct during code generation. This "hoisting" means the validation is treated as if it were defined on the common ancestor.  By anchoring the cross-field validation logic at the common ancestor, regardless of tag placement, the ratcheting design can more reliably determine how to perform equality checks across the relevant type nodes and decide if re-validation is necessary.
-
-As noted in the "Ratcheting and Cross-Field Validation" section there is an additional challenge that arises if a cross-field validation rule (e.g. X < Y) is defined on a common ancestor struct/field, and an unrelated field (e.g. Z) within that same ancestor is modified (see section for more information). In practice this means that the validation rules (or validation-gen generally) need to be more explicit where each validation rule explains “I only use these fields as inputs" for ratcheting.  This means that in the initial implementation of the cross-field dedicated tags referenced in the document (+k8s:unionMember, etc.), they will handle ratcheting of the fields they operate on directly.
-
-
 ### Ratcheting
 
 As Kubernetes APIs evolve, validation rules change. To minimize disruption for users with existing objects created under older rules, declarative validation will incorporate **Validation Ratcheting**. This mechanism aims to selectively bypass new or changed validation rules during object updates (`UPDATE`, `PATCH`, `APPLY`) for fields that have not been modified from their previously persisted state.
