Crate kube_cel

Kubernetes CEL extension functions for the cel crate.

This crate provides the Kubernetes-specific CEL (Common Expression Language) functions that are available in Kubernetes CRD validation rules, built on top of the cel crate.

§Usage

Register the compiled-in functions onto a cel::Context via the KubeCelExt extension trait:

```rust
use kube_cel::{cel, KubeCelExt};

let ctx = cel::Context::default().with_all();
```

See KubeCelExt for the borrowed-context form and the function-group → upstream-source table.

§Version coherence

This crate’s public signatures use cel::Context and cel::Value, so a cel version mismatch between your crate and kube-cel surfaces as a cryptic Context type mismatch. To avoid it, import cel through this crate rather than declaring a separate cel dependency:

```rust
use kube_cel::cel; // re-export guaranteed to match kube-cel's `cel`
```

§Feature model

Granularity is controlled at compile time through cargo features — there is no runtime per-library registration method. The default feature set enables every extension-function group. To narrow the surface you must disable the defaults explicitly, otherwise the listed features are simply added on top of the (already complete) default set and have no narrowing effect:

```toml
# Only the string + list helpers:
kube-cel = { version = "0.6", default-features = false, features = ["strings", "lists"] }
```

The validation pipeline (CRD x-kubernetes-validations, VAP, static analysis) lives behind the validation feature (see below when it is enabled); it is not part of default.

The full umbrella feature enables everything — all extension-function groups and the validation engine. Use it to restore the whole surface after narrowing, or to opt into validation alongside the default functions:

```toml
kube-cel = { version = "0.6", features = ["full"] }
```
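The two manifest pitfalls described under "Version coherence" and "Feature model" can be caught in CI. The following is an added example, not part of kube-cel or its documentation: a std-only lint over `Cargo.toml` text. `Finding`, `lint` and the helper names are hypothetical, and it assumes the single-line inline-table form shown on this page.

```rust
#[derive(Debug, PartialEq)]
pub enum Finding {
    /// Function-group features listed while defaults are still on: nothing is narrowed.
    NoNarrowingEffect(Vec<String>),
    /// A separate `cel` dependency that can drift from kube-cel's re-export.
    SeparateCelDependency,
}

/// Value part of `key = value` when `line` declares `key`; `#` comments are dropped.
fn dep_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let (k, v) = line.split('#').next()?.split_once('=')?;
    (k.trim() == key).then(|| v.trim())
}

/// Entries of the `features = [...]` array of an inline dependency table.
fn listed_features(table: &str) -> Vec<String> {
    // Drop the `default-features` key so only the `features` array is found.
    let t = table.replace("default-features", "");
    let inner = t.split_once("features").and_then(|(_, r)| r.split_once('['))
        .and_then(|(_, r)| r.split_once(']')).map_or("", |(l, _)| l);
    inner.split(',').map(|s| s.trim().trim_matches('"').to_string())
        .filter(|s| !s.is_empty()).collect()
}

/// Assumption: single-line `kube-cel = ...` entries; TOML sections are not tracked.
pub fn lint(manifest: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for line in manifest.lines() {
        if let Some(v) = dep_value(line, "kube-cel") {
            let defaults_off = v.replace(' ', "").contains("default-features=false");
            // `validation` and `full` are outside `default`, so they do add surface.
            let groups: Vec<String> = listed_features(v).into_iter()
                .filter(|f| f.as_str() != "validation" && f.as_str() != "full").collect();
            if !defaults_off && !groups.is_empty() {
                findings.push(Finding::NoNarrowingEffect(groups));
            }
        } else if dep_value(line, "cel").is_some() {
            findings.push(Finding::SeparateCelDependency);
        }
    }
    findings
}

fn main() {
    // Constructed manifest lines; the `cel` version is a placeholder.
    let manifest = "cel = \"0.0.0\"\nkube-cel = { version = \"0.6\", features = [\"strings\"] }";
    println!("{:?}", lint(manifest));
}
```

An empty result means the entry either keeps the full default surface on purpose or narrows it with `default-features = false`.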

§Versioning and stability

kube-cel is pre-1.0 and cannot reach 1.0 until the cel crate does — its public surface exposes cel::Context/cel::Value, and a crate cannot be stable while its public dependencies are not (Rust API Guidelines C-STABLE). After cel 1.0, kube-cel 1.x tracks cel 1.y; a cel major forces a kube-cel major. Two stability tiers: Tier 1 (committed) is the registration surface — KubeCelExt and the cel re-export; Tier 2 (evolving, validation feature) is the validation engine, whose surface may still change across pre-1.0 minors. See the README for details.

§CRD Validation Pipeline (feature = validation)

Compile and evaluate x-kubernetes-validations CEL rules client-side, without an API server.

```toml
kube-cel = { version = "0.6", features = ["validation"] }
```

```rust
use kube_cel::Validator;
use serde_json::json;

let schema = json!({
    "type": "object",
    "x-kubernetes-validations": [
        {"rule": "self.replicas >= 0", "message": "must be non-negative"}
    ],
    "properties": { "replicas": {"type": "integer"} }
});

let object = json!({"replicas": -1});
let errors = Validator::new().validate(&schema, &object, None);
assert_eq!(errors.len(), 1);
```

For repeated validation against the same schema, pre-compile with compile_schema and use Validator::validate_compiled.

Re-exports§

pub use cel;

Structs§

AdmissionRequest (validation)
A request context for VAP evaluation.
AnalysisWarning (validation)
A warning produced by static analysis.
CompilationResult (validation)
The result of successfully compiling a Rule.
CompiledSchema (validation)
A pre-compiled schema tree. Compile once with compile_schema, then validate many objects via Validator::validate_compiled.
CompiledVapExpression (validation)
A pre-compiled VAP expression for repeated evaluation.
GroupVersionKind (validation)
Group/Version/Kind identifier.
GroupVersionResource (validation)
Group/Version/Resource identifier.
RootContext (validation)
CRD-level context variables available at the root schema node.
Rule (validation)
A single CRD x-kubernetes-validations rule.
ValidationError (validation)
An error produced when a CEL validation rule fails.
Validator (validation)
Validates Kubernetes objects against CRD schema CEL validation rules.
VapError (validation)
An error produced when a VAP expression fails to compile.
VapEvaluator (validation)
Client-side evaluator for Kubernetes ValidatingAdmissionPolicy CEL expressions.
VapEvaluatorBuilder (validation)
Builder for VapEvaluator.
VapExpression (validation)
A single CEL validation expression from a ValidatingAdmissionPolicy.
VapResult (validation)
The result of evaluating a single VapExpression.

Enums§

CompilationError (validation)
Errors that can occur during rule compilation.
ErrorKind (validation)
The kind of error that occurred during validation.
SchemaFormat (validation)
The format hint from an OpenAPI schema property.
ScopeContext (validation)
The context in which a CEL rule is evaluated.
WarningKind (validation)
The kind of warning produced by static analysis.

Traits§

KubeCelExt
Registers the compiled-in Kubernetes CEL extension functions onto a cel::Context.

Functions§

analyze_rule (validation)
Run all available static analyses on a CEL rule in a single pass.
apply_defaults (validation)
Apply schema default values to a JSON value, returning a new value with missing fields filled in.
check_rule_scope (validation)
Check a CEL expression for variable scope violations.
compile_schema (validation)
Recursively compile all x-kubernetes-validations rules in a schema tree.
estimate_rule_cost (validation)
Estimate cost of a CEL rule and warn if it may exceed K8s budget.
validate (validation)
Convenience function to validate without creating a Validator instance.
validate_compiled (validation)
Convenience function to validate using a pre-compiled schema.