Snapshot Validation Webhook

Status and Releases

Git Repository: https://github.com/kubernetes-csi/external-snapshotter

Status: GA as of 4.0.0

There is a new validating webhook server which provides tightened validation on snapshot objects. This SHOULD be installed by the Kubernetes distros along with the snapshot-controller, not end users. It SHOULD be installed in all Kubernetes clusters that has the snapshot feature enabled.

Supported Versions

Latest stable releaseBranchMin CSI VersionMax CSI VersionContainer ImageMin K8s VersionMax K8s VersionRecommended K8s Version
external-snapshotter v6.3.0release-6.2v1.0.0-registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1v1.20-v1.24
external-snapshotter v6.2.2release-6.2v1.0.0-registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1v1.20-v1.24

Unsupported Versions

Latest stable releaseBranchMin CSI VersionMax CSI VersionContainer ImageMin K8s VersionMax K8s VersionRecommended K8s Version
external-snapshotter v6.1.0release-6.1v1.0.0-registry.k8s.io/sig-storage/csi-snapshotter:v6.1.0v1.20-v1.24
snapshot-validation-webhook v6.0.1release-6.0v1.0.0-registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.0.1v1.20-v1.24
snapshot-validation-webhook v5.0.1release-5.0v1.0.0-registry.k8s.io/sig-storage/snapshot-validation-webhook:v5.0.1v1.20-v1.22
snapshot-validation-webhook v4.2.1release-4.2v1.0.0-registry.k8s.io/sig-storage/snapshot-validation-webhook:v4.2.1v1.20-v1.22
snapshot-validation-webhook v4.1.1release-4.1v1.0.0-registry.k8s.io/sig-storage/snapshot-validation-webhook:v4.1.0v1.20-v1.20
snapshot-validation-webhook v4.0.1release-4.0v1.0.0-registry.k8s.io/sig-storage/snapshot-validation-webhook:v4.0.1v1.20-v1.20
snapshot-validation-webhook v3.0.3release-3.0v1.0.0-registry.k8s.io/sig-storage/snapshot-validation-webhook:v3.0.3v1.17-v1.17

Description

The snapshot validating webhook is an HTTP callback which responds to admission requests. It is part of a larger plan to tighten validation for volume snapshot objects. This webhook introduces the ratcheting validation mechanism targeting the tighter validation. The cluster admin or Kubernetes distribution admin should install the webhook alongside the snapshot controllers and CRDs.

:warning: WARNING: Cluster admins choosing not to install the webhook server and participate in the phased release process can cause future problems when upgrading from v1beta1 to v1 volumesnapshot API, if there are currently persisted objects which fail the new stricter validation. Potential impacts include being unable to delete invalid snapshot objects.

Deployment

Kubernetes distributors should bundle and deploy the snapshot validation webhook along with the snapshot controller and CRDs as part of their Kubernetes cluster management process (independent of any CSI Driver).

Read more about how to install the example webhook here.