@@ -226,6 +226,22 @@ kind: CustomResourceDefinition
226226 type : integer
227227` ` `
228228
229+ Example Validation Rules:
230+
231+ | Rule | Purpose |
232+ | ---------------- | ------------ |
233+ | ` minReplicas <= replicas <= maxReplicas` | Validate that the three fields defining replicas are ordered appropriately |
234+ | `'Available' in stateCounts` | Validate the 'Available' key exists in a map |
235+ | `(size(list1) == 0) != (size(list2) == 0)` | Validate that one of two lists is non-empty, but not both |
236+ | `created + ttl < expiry` | Validate that 'expiry' date is after a 'create' date plus a 'ttl' duration |
237+ | `health.startsWith('ok')` | Validate a 'health' string field has the prefix 'ok' |
238+ | `widgets.exists(w, w.key == 'x' && w.foo < 10)` | Validate that the 'foo' property of a listMap item with a key 'x' is less than 10 |
239+ | `type(limit) == string ? limit == '100%' : limit == 1000` | Validate an int-or-string field for both the the int and string cases |
240+ | `metadata.name == 'singleton` | Validate that an object's name matches a specific value (making it a singleton) |
241+ | `set1.all(e, !(e in set2))` | Validate that two listSets are disjoint |
242+ | `size(names) == size(details) && names.all(n, n in details)` | Validate the 'details' map is keyed by the items in the names listSet |
243+
244+
229245- Each validator may have multiple validation rules.
230246
231247- Each validation rule has an optional 'message' field for the error message that
@@ -297,22 +313,25 @@ like the `all` macro, e.g. `self.all(listItem, <predicate>)` or `self.all(mapKey
297313 identifiers](https://github.com/google/cel-spec/blob/master/doc/langdef.md#values)) it is not
298314 accessible as a root variable and must be accessed via `self`, .e.g. `self.int`.
299315
300- - If a object property name contains characters not allowed in CEL identifiers (`[a-zA-Z_][a-zA-Z0-9_]*`) it is escaped using these rules :
301- - Property names starting with a number are prefixed by `_`. Property names prefixed with `_`
302- followed by a number are prefixed with `__` and the number.
303- - ` __` (2 underscores) is escaped as `__underscores__` (and is used as the escape char for the below rules)
304- - All characters except `[a-zA-Z0-9]` are escaped either as `__{symbolName}__` or `__0x{unicodeHex}__`, the recognized symbol names are :
305- - ` dot` (`.`)
306- - `dash` (`-`)
307- - `space` (` `)
308- - `dollar` (`$`)
309- - `slash` (`/`)
316+ - Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
317+ If a property name is "self" or matches with a [reserved language identifier](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#values)
318+ (`int`, `uint`, `double`, `bool`, `string`, `bytes`, `list`, `map`, `null_type`, `type`), it is
319+ not escaped, but it is excluded from the bound variables and can only be accessed via
320+ " self.{property name}" . All other accessible property names are escaped according to the following rules
321+ when accessed in the expression :
322+ - '__' escapes to '__underscores__'
323+ - '.' escapes to '__dot__'
324+ - '-' escapes to '__dash__'
325+ - '/' escapes to '__slash__'
326+ - CEL RESERVED keywords escape to '__{keyword}__'. The keywords are: "true", "false", "null",
327+ " in" , "as", "break", "const", "continue", "else", "for", "function", "if", "import", "let",
328+ " loop" , "package", "namespace", "return".
310329
311330- Rules may be written at the root of an object, and may make field selection into any fields
312331 declared in the OpenAPIv3 schema of the CRD as well as `apiVersion`, `kind`, `metadata.name` and
313332 ` metadata.generateName` . This includes selection of fields in both the `spec` and `status` in the
314333 same expression, e.g. `status.quantity <= spec.maxQuantity`. Because CRDs only allow the `name`
315- and `generatName ` to be declared in the `metadata` of an object, these are the only metadata
334+ and `generateName ` to be declared in the `metadata` of an object, these are the only metadata
316335 fields that may be validated using CEL validator rules. For example,
317336 ` metadata.name.endsWith('mySuffix')` is allowed, but `size(metadata.labels) < 3` it not
318337 allowed. The limit on which `metadata` fields may be validated is an intentional design choice
@@ -506,7 +525,7 @@ Types:
506525| 'object' with AdditionalProperties | map |
507526| 'object' with x-kubernetes-embedded-type | <treatment is the same as 'object' more details below> |
508527| 'object' with x-kubernetes-preserve-unknown-fields | <treatment is the same as 'object', more details below> |
509- | x-kubernetes-int-or-string | object with 'intVal' (type : int) and 'strVal' (type: string) fields |
528+ | x-kubernetes-int-or-string | dynamic object that is either an int or a string, `type(value)` can be used to check the type |
510529| 'array | list |
511530| 'array' with x-kubernetes-list-type=map | list with map based Equality & unique key guarantees |
512531| 'array' with x-kubernetes-list-type=set | list with set based Equality & unique entry guarantees |
@@ -594,9 +613,10 @@ developers to test their validation rules.
594613
595614# ### Beta
596615
616+ - x-kubernetes-int-or-string is upgraded to use a union type of just int or string, not a dynamic type (CEL go support is planned in lates 2021)
597617- Understanding of upper bounds of CPU/memory usage and appropriate limits set to prevent abuse.
598618- Build-in macro/function library is comprehensive and stable (any changes to this will be a breaking change)
599- - CEL numeric comparison issue is resolved
619+ - CEL numeric comparison issue is resolved (e.g. ability to compare ints to doubles)
600620
601621# # Production Readiness Review Questionnaire
602622
0 commit comments