Description
Background
Skipper’s Kubernetes cluster client currently performs only basic validation when fetching Ingress and RouteGroup resources from the cluster. This leads to inconsistencies between what the admission webhook validates at creation time and what the runtime client actually loads and builds routes from.
Problem
Some Skipper installations either don’t run the admission webhook (due to operational complexity or legacy setup) or occasionally bypass it, for example during manual edits, forced applies, or temporary webhook outages. When that happens, the cluster client still ingests these resources without advanced validation.
Proposal
Enhance the Kubernetes data client by threading the filter registry, predicate specs, and metrics into it. Enable EnableAdvancedValidation for both IngressV1Validator and RouteGroupValidator.
This ensures that:
- The same validation logic used by the admission webhook is also applied when the cluster client fetches resources
- Invalid resources are tracked via metrics instead of being silently dropped
- Validation behavior remains consistent across all environments, even when the webhook is absent
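The proposal, as an added sketch that is not Skipper's code and not part of the original issue: one validation function is applied when resources are fetched, and rejected resources increment a counter instead of disappearing silently. `Registry`, `Resource`, `Validate`, `Load` and the `invalid_resources` key are hypothetical names, and the filter-chain parsing is a deliberate simplification of eskip syntax (it splits on `->` and does not handle `->` inside string arguments).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Registry is a hypothetical stand-in for the filter registry: known filter names.
type Registry map[string]bool

// Resource is a simplified stand-in for an Ingress or RouteGroup with a filter chain.
type Resource struct{ Name, Filters string }

var call = regexp.MustCompile(`^\s*([A-Za-z_]\w*)\(.*\)\s*$`)

// Validate is the one check meant to be shared by the webhook and the data client.
func Validate(reg Registry, r Resource) error {
	if strings.TrimSpace(r.Filters) == "" {
		return nil // no filters configured, nothing to check
	}
	for _, seg := range strings.Split(r.Filters, "->") {
		m := call.FindStringSubmatch(seg)
		if m == nil {
			return fmt.Errorf("%s: malformed filter %q", r.Name, strings.TrimSpace(seg))
		}
		if !reg[m[1]] {
			return fmt.Errorf("%s: unknown filter %q", r.Name, m[1])
		}
	}
	return nil
}

// Load models the fetch path: invalid resources are counted, valid ones are returned.
func Load(reg Registry, fetched []Resource, invalid map[string]int) []Resource {
	var routable []Resource
	for _, r := range fetched {
		if err := Validate(reg, r); err != nil {
			invalid["invalid_resources"]++ // visible in metrics, not silently dropped
			continue
		}
		routable = append(routable, r)
	}
	return routable
}

func main() {
	invalid := map[string]int{} // constructed sample input below
	fmt.Println(Load(Registry{"status": true}, []Resource{{"a", `status(200)`}, {"b", `statsu(200)`}}, invalid), invalid)
}
```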