Add CEL rules to ResourceFlavor (kubernetes-sigs#1958)

* Add CEL rules to ResourceFlavor

* Update comments

* Add issue reference to TODO comment

* Group similar test cases with DescribeTable

* Update validation rule

Author: IrvingMg

apis/kueue/v1beta1/resourceflavor_types.go

@@ -65,6 +65,7 @@ type ResourceFlavorSpec struct {
 	// +optional
 	// +listType=atomic
 	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:XValidation:rule="self.all(x, x.effect in ['NoSchedule', 'PreferNoSchedule', 'NoExecute'])", message="supported taint effect values: 'NoSchedule', 'PreferNoSchedule', 'NoExecute'"
 	NodeTaints []corev1.Taint `json:"nodeTaints,omitempty"`
 
 	// tolerations are extra tolerations that will be added to the pods admitted in
@@ -78,6 +79,11 @@ type ResourceFlavorSpec struct {
 	// +optional
 	// +listType=atomic
 	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:XValidation:rule="self.all(x, !has(x.key) ? x.operator == 'Exists' : true)", message="operator must be Exists when 'key' is empty, which means 'match all values and all keys'"
+	// +kubebuilder:validation:XValidation:rule="self.all(x, has(x.tolerationSeconds) ? x.effect == 'NoExecute' : true)", message="effect must be 'NoExecute' when 'tolerationSeconds' is set"
+	// +kubebuilder:validation:XValidation:rule="self.all(x, !has(x.operator) || x.operator in ['Equal', 'Exists'])", message="supported toleration values: 'Equal'(default), 'Exists'"
+	// +kubebuilder:validation:XValidation:rule="self.all(x, has(x.operator) && x.operator == 'Exists' ? !has(x.value) : true)", message="a value must be empty when 'operator' is 'Exists'"
+	// +kubebuilder:validation:XValidation:rule="self.all(x, !has(x.effect) || x.effect in ['NoSchedule', 'PreferNoSchedule', 'NoExecute'])", message="supported taint effect values: 'NoSchedule', 'PreferNoSchedule', 'NoExecute'"
 	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 }
 

charts/kueue/templates/crd/kueue.x-k8s.io_resourceflavors.yaml

@@ -118,6 +118,11 @@ spec:
                 maxItems: 8
                 type: array
                 x-kubernetes-list-type: atomic
+                x-kubernetes-validations:
+                - message: 'supported taint effect values: ''NoSchedule'', ''PreferNoSchedule'',
+                    ''NoExecute'''
+                  rule: self.all(x, x.effect in ['NoSchedule', 'PreferNoSchedule',
+                    'NoExecute'])
               tolerations:
                 description: |-
                   tolerations are extra tolerations that will be added to the pods admitted in
@@ -168,6 +173,23 @@ spec:
                 maxItems: 8
                 type: array
                 x-kubernetes-list-type: atomic
+                x-kubernetes-validations:
+                - message: operator must be Exists when 'key' is empty, which means
+                    'match all values and all keys'
+                  rule: 'self.all(x, !has(x.key) ? x.operator == ''Exists'' : true)'
+                - message: effect must be 'NoExecute' when 'tolerationSeconds' is
+                    set
+                  rule: 'self.all(x, has(x.tolerationSeconds) ? x.effect == ''NoExecute''
+                    : true)'
+                - message: 'supported toleration values: ''Equal''(default), ''Exists'''
+                  rule: self.all(x, !has(x.operator) || x.operator in ['Equal', 'Exists'])
+                - message: a value must be empty when 'operator' is 'Exists'
+                  rule: 'self.all(x, has(x.operator) && x.operator == ''Exists'' ?
+                    !has(x.value) : true)'
+                - message: 'supported taint effect values: ''NoSchedule'', ''PreferNoSchedule'',
+                    ''NoExecute'''
+                  rule: self.all(x, !has(x.effect) || x.effect in ['NoSchedule', 'PreferNoSchedule',
+                    'NoExecute'])
             type: object
         type: object
     served: true

config/components/crd/bases/kueue.x-k8s.io_resourceflavors.yaml

@@ -103,6 +103,11 @@ spec:
                 maxItems: 8
                 type: array
                 x-kubernetes-list-type: atomic
+                x-kubernetes-validations:
+                - message: 'supported taint effect values: ''NoSchedule'', ''PreferNoSchedule'',
+                    ''NoExecute'''
+                  rule: self.all(x, x.effect in ['NoSchedule', 'PreferNoSchedule',
+                    'NoExecute'])
               tolerations:
                 description: |-
                   tolerations are extra tolerations that will be added to the pods admitted in
@@ -153,6 +158,23 @@ spec:
                 maxItems: 8
                 type: array
                 x-kubernetes-list-type: atomic
+                x-kubernetes-validations:
+                - message: operator must be Exists when 'key' is empty, which means
+                    'match all values and all keys'
+                  rule: 'self.all(x, !has(x.key) ? x.operator == ''Exists'' : true)'
+                - message: effect must be 'NoExecute' when 'tolerationSeconds' is
+                    set
+                  rule: 'self.all(x, has(x.tolerationSeconds) ? x.effect == ''NoExecute''
+                    : true)'
+                - message: 'supported toleration values: ''Equal''(default), ''Exists'''
+                  rule: self.all(x, !has(x.operator) || x.operator in ['Equal', 'Exists'])
+                - message: a value must be empty when 'operator' is 'Exists'
+                  rule: 'self.all(x, has(x.operator) && x.operator == ''Exists'' ?
+                    !has(x.value) : true)'
+                - message: 'supported taint effect values: ''NoSchedule'', ''PreferNoSchedule'',
+                    ''NoExecute'''
+                  rule: self.all(x, !has(x.effect) || x.effect in ['NoSchedule', 'PreferNoSchedule',
+                    'NoExecute'])
             type: object
         type: object
     served: true

pkg/webhooks/resourceflavor_webhook.go

@@ -111,8 +111,6 @@ func validateNodeTaints(taints []corev1.Taint, fldPath *field.Path) field.ErrorL
 		if errs := validation.IsValidLabelValue(currTaint.Value); len(errs) != 0 {
 			allErrors = append(allErrors, field.Invalid(idxPath.Child("value"), currTaint.Value, strings.Join(errs, ";")))
 		}
-		// validate the taint effect
-		allErrors = append(allErrors, validateTaintEffect(&currTaint.Effect, false, idxPath.Child("effect"))...)
 
 		// validate if taint is unique by <key, effect>
 		if len(uniqueTaints[currTaint.Effect]) > 0 && uniqueTaints[currTaint.Effect].Has(currTaint.Key) {
@@ -131,6 +129,7 @@ func validateNodeTaints(taints []corev1.Taint, fldPath *field.Path) field.ErrorL
 	return allErrors
 }
 
+// TODO(#463): Remove this function when CEL validations are added to workload type
 // validateTaintEffect is extracted from git.k8s.io/kubernetes/pkg/apis/core/validation/validation.go
 func validateTaintEffect(effect *corev1.TaintEffect, allowEmpty bool, fldPath *field.Path) field.ErrorList {
 	if !allowEmpty && len(*effect) == 0 {

pkg/webhooks/resourceflavor_webhook_test.go

@@ -49,16 +49,6 @@ func TestValidateResourceFlavor(t *testing.T) {
 					Effect: corev1.TaintEffectNoSchedule,
 				}).Obj(),
 		},
-		{
-			// Taint validation is not exhaustively tested, because the code was copied from upstream k8s.
-			name: "invalid taint",
-			rf: utiltesting.MakeResourceFlavor("resource-flavor").Taint(corev1.Taint{
-				Key: "skdajf",
-			}).Obj(),
-			wantErr: field.ErrorList{
-				field.Required(field.NewPath("spec", "nodeTaints").Index(0).Child("effect"), ""),
-			},
-		},
 		{
 			name: "invalid label name",
 			rf:   utiltesting.MakeResourceFlavor("resource-flavor").Label("@abc", "foo").Obj(),

test/integration/webhook/resourceflavor_test.go

@@ -51,8 +51,24 @@ var _ = ginkgo.Describe("ResourceFlavor Webhook", func() {
 	})
 
 	ginkgo.When("Creating a ResourceFlavor", func() {
+		ginkgo.It("Should be valid", func() {
+			resourceFlavor := testing.MakeResourceFlavor("resource-flavor").Label("foo", "bar").
+				Taint(corev1.Taint{
+					Key:    "spot",
+					Value:  "true",
+					Effect: corev1.TaintEffectNoSchedule,
+				}).Obj()
+			gomega.Expect(k8sClient.Create(ctx, resourceFlavor)).Should(gomega.Succeed())
+			defer func() {
+				var rf kueue.ResourceFlavor
+				gomega.Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(resourceFlavor), &rf)).Should(gomega.Succeed())
+				controllerutil.RemoveFinalizer(&rf, kueue.ResourceInUseFinalizerName)
+				gomega.Expect(k8sClient.Update(ctx, &rf)).Should(gomega.Succeed())
+				util.ExpectResourceFlavorToBeDeleted(ctx, k8sClient, resourceFlavor, true)
+			}()
+		})
 		ginkgo.It("Should have a finalizer", func() {
-			ginkgo.By("Creating a new resourceFlavor")
+			ginkgo.By("Creating a new empty resourceFlavor")
 			resourceFlavor := testing.MakeResourceFlavor("resource-flavor").Obj()
 			gomega.Expect(k8sClient.Create(ctx, resourceFlavor)).Should(gomega.Succeed())
 			defer func() {
@@ -69,20 +85,6 @@ var _ = ginkgo.Describe("ResourceFlavor Webhook", func() {
 		})
 	})
 
-	ginkgo.When("Creating a ResourceFlavor with invalid taints", func() {
-		ginkgo.It("Should fail to create", func() {
-			ginkgo.By("Creating a new resourceFlavor")
-			resourceFlavor := testing.MakeResourceFlavor("resource-flavor").Taint(corev1.Taint{
-				Key:    "@foo",
-				Value:  "bar",
-				Effect: corev1.TaintEffectNoSchedule,
-			}).Obj()
-			err := k8sClient.Create(ctx, resourceFlavor)
-			gomega.Expect(err).To(gomega.HaveOccurred())
-			gomega.Expect(errors.IsForbidden(err)).To(gomega.BeTrue(), "error: %v", err)
-		})
-	})
-
 	ginkgo.DescribeTable("invalid number of properties", func(taintsCount int, nodeSelectorCount int, isInvalid bool) {
 		rf := testing.MakeResourceFlavor("resource-flavor")
 		for i := 0; i < taintsCount; i++ {
@@ -139,7 +141,69 @@ var _ = ginkgo.Describe("ResourceFlavor Webhook", func() {
 			ginkgo.By("Updating the resourceFlavor with invalid labels")
 			err := k8sClient.Update(ctx, &created)
 			gomega.Expect(err).To(gomega.HaveOccurred())
-			gomega.Expect(errors.IsForbidden(err)).To(gomega.BeTrue(), "error: %v", err)
+			gomega.Expect(err).Should(testing.BeAPIError(testing.InvalidError))
 		})
 	})
+
+	ginkgo.DescribeTable("Validate resourceFlavor on creation", func(rf *kueue.ResourceFlavor, errorType int) {
+		err := k8sClient.Create(ctx, rf)
+		if err == nil {
+			defer func() {
+				util.ExpectResourceFlavorToBeDeleted(ctx, k8sClient, rf, true)
+			}()
+		}
+		switch errorType {
+		case isForbidden:
+			gomega.Expect(err).Should(gomega.HaveOccurred())
+			gomega.Expect(err).Should(testing.BeAPIError(testing.ForbiddenError), "error: %v", err)
+		case isInvalid:
+			gomega.Expect(err).Should(gomega.HaveOccurred())
+			gomega.Expect(err).Should(testing.BeAPIError(testing.InvalidError), "error: %v", err)
+		default:
+			gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
+		}
+	},
+		ginkgo.Entry("Should fail to create with invalid taints",
+			testing.MakeResourceFlavor("resource-flavor").
+				Taint(corev1.Taint{
+					Key: "skdajf",
+				}).
+				Taint(corev1.Taint{
+					Key:    "@foo",
+					Value:  "bar",
+					Effect: corev1.TaintEffectNoSchedule,
+				}).Obj(),
+			isInvalid),
+		ginkgo.Entry("Should fail to create with invalid label name",
+			testing.MakeResourceFlavor("resource-flavor").Label("@abc", "foo").Obj(),
+			isForbidden),
+		ginkgo.Entry("Should fail to create with invalid tolerations",
+			testing.MakeResourceFlavor("resource-flavor").
+				Toleration(corev1.Toleration{
+					Key:      "@abc",
+					Operator: corev1.TolerationOpEqual,
+					Value:    "v",
+					Effect:   corev1.TaintEffectNoSchedule,
+				}).
+				Toleration(corev1.Toleration{
+					Key:      "abc",
+					Operator: corev1.TolerationOpExists,
+					Value:    "v",
+					Effect:   corev1.TaintEffectNoSchedule,
+				}).
+				Toleration(corev1.Toleration{
+					Key:      "abc",
+					Operator: corev1.TolerationOpEqual,
+					Value:    "v",
+					Effect:   corev1.TaintEffect("not-valid"),
+				}).
+				Toleration(corev1.Toleration{
+					Key:      "abc",
+					Operator: corev1.TolerationOpEqual,
+					Value:    "v",
+					Effect:   corev1.TaintEffectNoSchedule,
+				}).
+				Obj(),
+			isInvalid),
+	)
 })