Enforce immutable fields using CEL rules #4128
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as
/fresh
Reopening this and removing the good first issue tag. @NeerajNagure got the ball rolling in #5682, but I think we need to do a more thorough scan for immutable fields and replicate the pattern there. This will probably require someone familiar enough with Crossplane APIs to know what should and shouldn't be mutable.
What problem are you facing?
Many Crossplane API fields are immutable - you can't change them after they're first set. Typically today when a field is immutable we'll let you update it, and will just silently ignore the update. This is obviously a terrible user experience.
We've wanted to be able to enforce immutability at the schema level for a long time, but until recently doing so was pretty involved. You essentially had to write a webhook (e.g. #727) for every type to enforce immutability.
Now with CEL and kubebuilder it's possible to do this much more conveniently with comment markers - see https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/. Once these comment markers are added any API server that supports CEL will reject updates to immutable fields.
How could Crossplane help solve your problem?
We should use CEL-based immutability.
In many cases we've already added `// +immutable` comment markers on fields we know are immutable. These comment markers don't do anything - they're just placeholders and should be replaced with CEL ones.
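An added example, not part of the original issue and not Crossplane's own code: the kubebuilder CEL marker from the linked Kubernetes blog post replacing the inert `// +immutable` placeholder, with a simplified model of when an API server evaluates the resulting transition rule. The type `ExampleParameters`, its `Region` field and the helper `transitionAllowed` are hypothetical names chosen for illustration.

```go
package main

import "fmt"

// ExampleParameters is a hypothetical API type, not one of Crossplane's.
type ExampleParameters struct {
	// Region cannot change once set. The XValidation marker below replaces
	// the "// +immutable" placeholder; controller-gen writes it into the
	// CRD schema as an x-kubernetes-validations rule on this field.
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="region is immutable"
	// +optional
	Region *string `json:"region,omitempty"`
}

// transitionAllowed is a simplified model (an assumption of this example,
// not API server code) of how the field-level rule above is applied.
// A rule that references oldSelf is a transition rule: it is evaluated only
// on update, and only when both the old and the new object carry the field.
func transitionAllowed(oldVal, newVal *string) bool {
	if oldVal == nil || newVal == nil {
		// Create, first set, or removal: the rule is skipped. Blocking
		// removal needs an additional rule on the parent object.
		return true
	}
	return *newVal == *oldVal
}

func main() {
	east, west := "us-east-1", "eu-west-1" // constructed sample values
	stored := ExampleParameters{Region: &east}

	updates := []struct {
		name string
		next ExampleParameters
	}{
		{"unchanged", ExampleParameters{Region: &east}},
		{"changed", ExampleParameters{Region: &west}},
		{"removed", ExampleParameters{}},
	}
	for _, u := range updates {
		ok := transitionAllowed(stored.Region, u.next.Region)
		fmt.Printf("%-9s allowed=%v\n", u.name, ok)
	}
	// First set on an object created without the field is also allowed.
	fmt.Printf("%-9s allowed=%v\n", "first-set", transitionAllowed(nil, &east))
}
```
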