kube-cel 0.3.1

Kubernetes CEL extension functions for the cel crate
Documentation

kube-cel

Crates.io CI

Kubernetes CEL extension functions for Rust, built on top of cel.

Implements the Kubernetes-specific CEL libraries defined in k8s.io/apiserver/pkg/cel/library and cel-go/ext, enabling client-side evaluation of CRD validation rules.

Installation

[dependencies]
kube-cel = "0.3"
cel = "0.12"

Usage

use cel::{Context, Program};
use kube_cel::register_all;

let mut ctx = Context::default();
register_all(&mut ctx);

// String functions
let result = Program::compile("'hello'.upperAscii()")
    .unwrap().execute(&ctx).unwrap();

// Quantity comparison
let result = Program::compile("quantity('1Gi').isGreaterThan(quantity('500Mi'))")
    .unwrap().execute(&ctx).unwrap();

// Semver
let result = Program::compile("semver('1.2.3').isLessThan(semver('2.0.0'))")
    .unwrap().execute(&ctx).unwrap();

CRD Validation Pipeline

With the validation feature, you can compile and evaluate x-kubernetes-validations CEL rules client-side — no API server required.

[dependencies]
kube-cel = { version = "0.3", features = ["validation"] }

use kube_cel::validation::Validator;
use serde_json::json;

let schema = json!({
    "type": "object",
    "properties": {
        "spec": {
            "type": "object",
            "properties": {
                "replicas": {
                    "type": "integer",
                    "x-kubernetes-validations": [
                        {"rule": "self >= 0", "message": "replicas must be non-negative"}
                    ]
                }
            },
            "x-kubernetes-validations": [
                {"rule": "self.replicas >= 1", "message": "at least one replica"}
            ]
        }
    }
});

let object = json!({"spec": {"replicas": -1}});

let validator = Validator::new();
let errors = validator.validate(&schema, &object, None);

assert_eq!(errors.len(), 2);
assert_eq!(errors[0].field_path, "spec");
assert_eq!(errors[1].field_path, "spec.replicas");

The validator walks the schema tree, compiles rules at each node, and evaluates them with self bound to the corresponding object value. Transition rules (referencing oldSelf) are supported by passing old_object.

Schema-aware format support

Fields with format: "date-time" or format: "duration" in the schema are automatically converted to CEL Timestamp / Duration values, matching K8s API server behavior:

let schema = json!({
    "type": "object",
    "properties": {
        "expiresAt": { "type": "string", "format": "date-time" },
        "timeout":   { "type": "string", "format": "duration" }
    },
    "x-kubernetes-validations": [
        {"rule": "self.expiresAt > timestamp('2024-01-01T00:00:00Z')", "message": "expired"},
        {"rule": "self.timeout <= duration('1h')", "message": "too long"}
    ]
});

Invalid strings gracefully fall back to Value::String.

Field name escaping

JSON field names that are CEL reserved words or contain special characters are automatically escaped when converting to CEL map keys, matching K8s API server behavior:

JSON field name CEL access
namespace self.__namespace__
foo-bar self.foo__dash__bar
a.b self.a__dot__b
x/y self.x__slash__y
my_field self.my__field

Supported Functions

Strings

charAt, indexOf, lastIndexOf, lowerAscii, upperAscii, replace, split, substring, trim, join, strings.quote

Lists

isSorted, sum, min, max, indexOf, lastIndexOf, slice, flatten, reverse, distinct

Sets

sets.contains, sets.equivalent, sets.intersects

Regex

find, findAll

URLs

url, isURL, getScheme, getHost, getHostname, getPort, getEscapedPath, getQuery

IP / CIDR

ip, isIP, ip.isCanonical, family, isLoopback, isUnspecified, isLinkLocalMulticast, isLinkLocalUnicast, isGlobalUnicast, cidr, isCIDR, containsIP, containsCIDR, prefixLength, masked

Semver

semver, isSemver, major, minor, patch, isGreaterThan, isLessThan, compareTo

Quantity

quantity, isQuantity, isInteger, asInteger, asApproximateFloat, sign, add, sub, isGreaterThan, isLessThan, compareTo

Format

<string>.format(<list>) with verbs: %s, %d, %f, %e, %b, %o, %x, %X

Named Format Validation

format.dns1123Label, format.dns1123Subdomain, format.dns1035Label, format.dns1123LabelPrefix, format.dns1123SubdomainPrefix, format.qualifiedName, format.labelValue, format.uri, format.uuid, format.byte, format.date, format.datetime, format.named, validate

// Returns optional: none = valid, of([...errors]) = invalid
// K8s pattern: !format.<name>().validate(value).hasValue()
let result = Program::compile("!format.dns1123Label().validate('my-name').hasValue()")
    .unwrap().execute(&ctx).unwrap();
// Value::Bool(true)

// Dynamic format lookup
let result = Program::compile("!format.named('uuid').validate('550e8400-e29b-41d4-a716-446655440000').hasValue()")
    .unwrap().execute(&ctx).unwrap();
// Value::Bool(true)

JSONPatch

jsonpatch.escapeKey

// RFC 6901: ~ → ~0, / → ~1
let result = Program::compile("jsonpatch.escapeKey('k8s.io/my~label')")
    .unwrap().execute(&ctx).unwrap();
// Value::String("k8s.io~1my~0label")

Feature Flags

All features are enabled by default. Disable with default-features = false and pick what you need:

Feature Dependencies Description
strings - String extension functions
lists - List extension functions
sets - Set operations
regex_funcs regex Regex find/findAll
urls url URL parsing and accessors
ip ipnet IP/CIDR parsing and operations
semver_funcs semver Semantic versioning
format - String formatting
quantity - Kubernetes resource quantities
jsonpatch - JSONPatch key escaping (RFC 6901)
named_format - Named format validation (format.dns1123Label(), etc.)
validation serde_json, serde, chrono CRD validation pipeline (compile + evaluate x-kubernetes-validations, format: date-time/duration)

Related

License

Apache-2.0