Validate networking annotations on RevisionTemplateSpec

linkvt · linkvt · commit 8bf896f15282 · 2025-12-05T17:01:04.000+01:00
Add validation to reject unknown networking.knative.dev/* annotations
on the RevisionTemplate early at Service creation time, rather than
failing silently when creating the ServerlessService.
diff --git a/pkg/apis/serving/v1/revision_validation.go b/pkg/apis/serving/v1/revision_validation.go
@@ -25,6 +25,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/api/validation"
+	"knative.dev/networking/pkg/apis/networking"
 	"knative.dev/pkg/apis"
 	"knative.dev/pkg/kmap"
 	"knative.dev/pkg/kmp"
@@ -66,6 +67,7 @@ func (rts *RevisionTemplateSpec) Validate(ctx context.Context) *apis.FieldError
 	errs := rts.Spec.Validate(apis.WithinSpec(ctx)).ViaField("spec")
 	errs = errs.Also(autoscaling.ValidateAnnotations(ctx, config.FromContextOrDefaults(ctx).Autoscaler,
 		rts.GetAnnotations()).ViaField("metadata.annotations"))
+	errs = errs.Also(networking.ValidateAnnotations(rts.GetAnnotations()).ViaField("metadata.annotations"))
 
 	// If the RevisionTemplateSpec has a name specified, then check that
 	// it follows the requirements on the name.
diff --git a/pkg/apis/serving/v1/revision_validation_test.go b/pkg/apis/serving/v1/revision_validation_test.go
@@ -1092,6 +1092,57 @@ func TestRevisionTemplateSpecValidation(t *testing.T) {
 			Message: "progress-deadline=-1m3s must be positive",
 			Paths:   []string{serving.ProgressDeadlineAnnotationKey},
 		}).ViaField("metadata.annotations"),
+	}, {
+		name: "invalid networking.knative.dev/visibility annotation",
+		rts: &RevisionTemplateSpec{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"networking.knative.dev/visibility": "cluster-local",
+				},
+			},
+			Spec: RevisionSpec{
+				PodSpec: corev1.PodSpec{
+					Containers: []corev1.Container{{
+						Image: "helloworld",
+					}},
+				},
+			},
+		},
+		want: apis.ErrInvalidKeyName("networking.knative.dev/visibility", "metadata.annotations"),
+	}, {
+		name: "invalid unknown networking.knative.dev annotation",
+		rts: &RevisionTemplateSpec{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"networking.knative.dev/foo": "bar",
+				},
+			},
+			Spec: RevisionSpec{
+				PodSpec: corev1.PodSpec{
+					Containers: []corev1.Container{{
+						Image: "helloworld",
+					}},
+				},
+			},
+		},
+		want: apis.ErrInvalidKeyName("networking.knative.dev/foo", "metadata.annotations"),
+	}, {
+		name: "valid networking.knative.dev/ingress.class annotation",
+		rts: &RevisionTemplateSpec{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"networking.knative.dev/ingress.class": "istio.ingress.networking.knative.dev",
+				},
+			},
+			Spec: RevisionSpec{
+				PodSpec: corev1.PodSpec{
+					Containers: []corev1.Container{{
+						Image: "helloworld",
+					}},
+				},
+			},
+		},
+		want: nil,
 	}}
 
 	for _, test := range tests {
