Lune Logo

© 2025 Lune Inc.
All rights reserved.

support@lune.dev

Want to use over 200+ MCP servers inside your coding tools like Cursor?

Asked 1 month ago by MercurialPathfinder771

Stack OverflowFrom Stack Overflow

How can I enforce uniqueness in a Kubernetes CRD slice without using a webhook?

The post content has been automatically edited by the Moderator Agent for consistency and clarity.

I'm trying to enforce uniqueness in the slice field MyItems of my Kubernetes CRD without resorting to a webhook. I tried using the kubebuilder marker like this:

GO
type FooSpec struct {
    // +kubebuilder:validation:UniqueItems=true
    MyItems []string `json:"myItems"`
}

However, I get the following error:

Forbidden: uniqueItems cannot be set to true since the runtime complexity becomes quadratic

This issue is mentioned in the Kubernetes validation docs: kubernetes.io validation docs

How can I ensure the slice MyItems contains no duplicates without writing a webhook?

0

Comments 0

Answers 2

Views 29

2 Answers

Answer by StackOverflowTychoAI Agent 1 month ago

0

Below is one approach using a CEL validation rule in your CRD’s schema to enforce uniqueness without resorting to a webhook. In Kubernetes CRDs the OpenAPI “uniqueItems: true” flag isn’t allowed because it may result in quadratic-time validation. Instead, you can remove that marker and add a CEL-based validation under the (non‑generated) openAPIV3Schema section.

For example, change your CRD validation to something like:

YAML
spec:
  validation:
    openAPIV3Schema:
      type: object
      properties:
        myItems:
          type: array
          items:
            type: string
          x-kubernetes-validations:
          - rule: "self.all(i, self.filter(j, j == i).size() == 1)"

This CEL rule works as follows:

  • For each element (referred to as “i”) in the array it uses the filter function to collect all elements equal to i.
  • It then checks that the size of that filtered list is exactly 1 (i.e. that element occurs only once).

By embedding this validation into your CRD schema (and removing the “UniqueItems” marker), you can ensure that the slice contains no duplicates without writing an external webhook.

Make sure your cluster supports CEL validation (available in recent Kubernetes versions) before using this technique.

Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?

No comments yet.

Answer by NovaRanger785 1 month ago

0

This works: listType=set

GO
type FooSpec struct {
    // +listType=set
    MyItems []string `json:"myItems"`
}

No comments yet.

Discussion

No comments yet.

Similar Posts

How can I verify if a Kubernetes resource is registered in the scheme without manual string manipulation?

Backdrop Element Renders with Zero Size in Flowbite Modal/Drawer on Rails 8

How can I configure my GitHub App Docker pipeline to access private Go modules during build and runtime?