ActorTemplate: Enforce that all images must be pinned by ahmedtd · Pull Request #51 · agent-substrate/substrate

Taahir Ahmed (ahmedtd) · 2026-05-21T22:22:06Z

This commit adds a ValidatingAdmissionPolicy that checks that all images in an ActorTemplate must be pinned to a specific hash.

Fixes #10

Julian Gutierrez Oschmann (juli4n) · 2026-05-21T23:17:07Z

@@ -0,0 +1,39 @@
+#  Copyright 2026 Google LLC


Have you considered adding this validation as an XValidation in the CRD itself? The advantage is that it gets coupled to the CRD so there is no way to delete it. I don't know this, but I suspect error messages will be more precise too as the error is specific to the field.

Good point. We need VAP for cross-field work, but this is scoped to a single field.

https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/2876-crd-validation-expression-language/README.md

Done, it seems to work.

Julian Gutierrez Oschmann (juli4n)

You'll need to rebase on main and move this as the CRD types are under pkg/api/v1alpha1 now.

Benjamin Elder (BenTheElder) · 2026-05-28T18:48:22Z

https://github.com/agent-substrate/substrate/actions/runs/26594400905/job/78361379429?pr=51

envtest start failed: unable to install CRDs onto control plane: unable to create CRD instances: unable to create CRD "actortemplates.ate.dev": CustomResourceDefinition.apiextensions.k8s.io "actortemplates.ate.dev" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[containers].items.x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared), spec.validation.openAPIV3Schema.properties[spec].properties[containers].items.x-kubernetes-validations[0].rule: Forbidden: contributed to estimated rule cost total exceeding cost limit for entire OpenAPIv3 schema, spec.validation.openAPIV3Schema: Forbidden: x-kubernetes-validations estimated rule cost total for entire OpenAPIv3 schema exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)]

Julian Gutierrez Oschmann (juli4n) · 2026-05-28T19:28:59Z

https://github.com/agent-substrate/substrate/actions/runs/26594400905/job/78361379429?pr=51

envtest start failed: unable to install CRDs onto control plane: unable to create CRD instances: unable to create CRD "actortemplates.ate.dev": CustomResourceDefinition.apiextensions.k8s.io "actortemplates.ate.dev" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[containers].items.x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared), spec.validation.openAPIV3Schema.properties[spec].properties[containers].items.x-kubernetes-validations[0].rule: Forbidden: contributed to estimated rule cost total exceeding cost limit for entire OpenAPIv3 schema, spec.validation.openAPIV3Schema: Forbidden: x-kubernetes-validations estimated rule cost total for entire OpenAPIv3 schema exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)]

Should we set a limit in the number of containers on a given actor template spec?

Taahir Ahmed (ahmedtd) · 2026-05-28T19:38:06Z

Uh, I thought I tested this locally, and saw it correctly rejecting images without '@' symbols. Maybe I had forgotten to remove the VAP?

Taahir Ahmed (ahmedtd) · 2026-05-28T20:09:54Z

OK, I've limited us to 10 containers. I also applied the check to the pause image, which has the same problem.

Taahir Ahmed (ahmedtd) requested review from Benjamin Elder (BenTheElder) and Julian Gutierrez Oschmann (juli4n) May 21, 2026 22:22

Julian Gutierrez Oschmann (juli4n) reviewed May 21, 2026

View reviewed changes

ensemble-hcl Bot mentioned this pull request May 22, 2026

Support actortemplate secret env #20

Open

Taahir Ahmed (ahmedtd) force-pushed the actortemplate-vap branch from 406a125 to fde1995 Compare May 27, 2026 00:00

Julian Gutierrez Oschmann (juli4n) previously approved these changes May 27, 2026

View reviewed changes

Benjamin Elder (BenTheElder) assigned Julian Gutierrez Oschmann (juli4n) and Benjamin Elder (BenTheElder) May 27, 2026

Benjamin Elder (BenTheElder) added the cleanup Small fixes that are not bugs, for example a typo in a code comment label May 27, 2026

Taahir Ahmed (ahmedtd) dismissed Julian Gutierrez Oschmann (juli4n)’s stale review via ae07ae2 May 27, 2026 03:10

Taahir Ahmed (ahmedtd) force-pushed the actortemplate-vap branch from fde1995 to ae07ae2 Compare May 27, 2026 03:10

Benjamin Elder (BenTheElder) reviewed May 27, 2026

View reviewed changes

Comment thread pkg/api/v1alpha1/actortemplate_types.go Outdated

a4-a4s1 Bot mentioned this pull request May 27, 2026

feat(actor-template): per-container securityContext #73

Open

5 tasks

Taahir Ahmed (ahmedtd) force-pushed the actortemplate-vap branch from ae07ae2 to ea40829 Compare May 28, 2026 18:32

Benjamin Elder (BenTheElder) previously approved these changes May 28, 2026

View reviewed changes

Julian Gutierrez Oschmann (juli4n) previously approved these changes May 28, 2026

View reviewed changes

Taahir Ahmed (ahmedtd) dismissed stale reviews from Julian Gutierrez Oschmann (juli4n) and Benjamin Elder (BenTheElder) via 907f20b May 28, 2026 19:45

Taahir Ahmed (ahmedtd) force-pushed the actortemplate-vap branch 2 times, most recently from 907f20b to fe0910c Compare May 28, 2026 20:08

Julian Gutierrez Oschmann (juli4n) previously approved these changes May 28, 2026

View reviewed changes

ActorTemplate: Enforce that all images must be pinned

db2027e

Taahir Ahmed (ahmedtd) dismissed Julian Gutierrez Oschmann (juli4n)’s stale review via db2027e May 28, 2026 20:14

Taahir Ahmed (ahmedtd) force-pushed the actortemplate-vap branch from fe0910c to db2027e Compare May 28, 2026 20:14

Taahir Ahmed (ahmedtd) merged commit 9291df0 into agent-substrate:main May 28, 2026
8 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ActorTemplate: Enforce that all images must be pinned#51

ActorTemplate: Enforce that all images must be pinned#51
Taahir Ahmed (ahmedtd) merged 1 commit into
agent-substrate:mainfrom
ahmedtd:actortemplate-vap

Taahir Ahmed (ahmedtd) commented May 21, 2026

Uh oh!

Julian Gutierrez Oschmann (juli4n) May 21, 2026 •

edited

Loading

Uh oh!

Benjamin Elder (BenTheElder) May 21, 2026

Uh oh!

Taahir Ahmed (ahmedtd) May 27, 2026

Uh oh!

Julian Gutierrez Oschmann (juli4n) left a comment

Uh oh!

Uh oh!

Benjamin Elder (BenTheElder) commented May 28, 2026

Uh oh!

Julian Gutierrez Oschmann (juli4n) commented May 28, 2026

Uh oh!

Taahir Ahmed (ahmedtd) commented May 28, 2026

Uh oh!

Taahir Ahmed (ahmedtd) commented May 28, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Taahir Ahmed (ahmedtd) commented May 21, 2026

Uh oh!

Julian Gutierrez Oschmann (juli4n) May 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Benjamin Elder (BenTheElder) May 21, 2026

Choose a reason for hiding this comment

Uh oh!

Taahir Ahmed (ahmedtd) May 27, 2026

Choose a reason for hiding this comment

Uh oh!

Julian Gutierrez Oschmann (juli4n) left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Benjamin Elder (BenTheElder) commented May 28, 2026

Uh oh!

Julian Gutierrez Oschmann (juli4n) commented May 28, 2026

Uh oh!

Taahir Ahmed (ahmedtd) commented May 28, 2026

Uh oh!

Taahir Ahmed (ahmedtd) commented May 28, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Julian Gutierrez Oschmann (juli4n) May 21, 2026 •

edited

Loading