Add schema validation for all Cilium CRDs

[joestringer]

Kubernetes 1.19 will remove deprecate v1beta1 support for Custom Resource Definitions.

In v1 of the CRD API, CRDs must be accompanied with schema validation. All fields need to be covered by this.

Implement schema validation for all CRDs.

• CiliumNode
• CiliumNetworkPolicy / CiliumClusterwideNetworkPolicy
• CiliumEndpoint
• CiliumIdentity

Note that if entries are injected into k8s v1beta1 CRDs without validation, then we migrate to v1 CRDs, we may only discover that the entries do not follow the schema when attempting to insert new entries or upgrading the CRD.

Related: #10727

This issue tracks implementing schemas and switching the code over to v1.

In an ideal world, we would generate the schema code from the definition in code using k8s controlle-tools. @aanm attempted this previously and hit the following issue:

• controller-tools creates schema with '$ref' which is not supported in k8s kubernetes-sigs/controller-tools#324

[christarazi]

After investigating, it turns out that CRD schema validation only applies to the Spec field. In this case, CEP already has a schema to validate an empty Spec. The Identity CRD will just need the same added to it.

As of K8s 1.19, here are the relevant CRD types:

// CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format
// <.spec.name>.<.spec.group>.
type CustomResourceDefinition struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec describes how the user wants the resources to appear
	Spec CustomResourceDefinitionSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
	// Status indicates the actual state of the CustomResourceDefinition
	// +optional
	Status CustomResourceDefinitionStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}

The Spec field expands into this:

// CustomResourceDefinitionSpec describes how a user wants their resource to appear
type CustomResourceDefinitionSpec struct {
	Group string `json:"group" protobuf:"bytes,1,opt,name=group"`

	Names CustomResourceDefinitionNames `json:"names" protobuf:"bytes,3,opt,name=names"`

	Scope ResourceScope `json:"scope" protobuf:"bytes,4,opt,name=scope,casttype=ResourceScope"`

	Versions []CustomResourceDefinitionVersion `json:"versions" protobuf:"bytes,7,rep,name=versions"`

	// `conversion` defines conversion settings for the CRD.
	// +optional
	Conversion *CustomResourceConversion `json:"conversion,omitempty" protobuf:"bytes,9,opt,name=conversion"`

	// preserveUnknownFields disables pruning of object fields which are not
	// specified in the OpenAPI schema. apiVersion, kind, metadata and known
	// fields inside metadata are always preserved.
	// This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`.
	// +optional
	PreserveUnknownFields bool `json:"preserveUnknownFields,omitempty" protobuf:"varint,10,opt,name=preserveUnknownFields"`
}

Under Versions, we have:

// CustomResourceDefinitionVersion describes a version for CRD.
type CustomResourceDefinitionVersion struct {
	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`

	Served bool `json:"served" protobuf:"varint,2,opt,name=served"`

	Storage bool `json:"storage" protobuf:"varint,3,opt,name=storage"`
	// Schema describes the schema for CustomResource used in validation, pruning, and defaulting.
	// +optional
	Schema *CustomResourceValidation `json:"schema,omitempty" protobuf:"bytes,4,opt,name=schema"`

	Subresources *CustomResourceSubresources `json:"subresources,omitempty" protobuf:"bytes,5,opt,name=subresources"`

	AdditionalPrinterColumns []CustomResourceColumnDefinition `json:"additionalPrinterColumns,omitempty" protobuf:"bytes,6,rep,name=additionalPrinterColumns"`
}

And here we see the Schema field. Now looking at the Status field:

// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
type CustomResourceDefinitionStatus struct {
	Conditions []CustomResourceDefinitionCondition `json:"conditions" protobuf:"bytes,1,opt,name=conditions"`

	AcceptedNames CustomResourceDefinitionNames `json:"acceptedNames" protobuf:"bytes,2,opt,name=acceptedNames"`

	StoredVersions []string `json:"storedVersions" protobuf:"bytes,3,rep,name=storedVersions"`
}

No mention of Schemas, so I don't think it is possible to validate the Status field. I'm not sure we'd get any value out of it either. After all, in general we read from the Spec, do some action, and then write into the Status. /cc @aanm

[aanm]

@christarazi yes that is correct. Status does not need schema validation.