Add validation and flag to support multi container

config/core/configmaps/defaults.yaml

@@ -88,3 +88,6 @@ data:
     # must be at or below this value.
     # Must be greater than 1.
     container-concurrency-max-limit: "1000"
+
+    # feature flag indicates whether to enable multi container support or not
+    enable-multi-container: "false"

pkg/apis/config/defaults.go

@@ -23,6 +23,7 @@ import (
 	"io/ioutil"
 	"math"
 	"strconv"
+	"strings"
 	"text/template"
 
 	corev1 "k8s.io/api/core/v1"
@@ -68,6 +69,9 @@ func defaultConfig() *Defaults {
 func NewDefaultsConfigFromMap(data map[string]string) (*Defaults, error) {
 	nc := defaultConfig()
 
+	// Process bool field.
+	nc.EnableMultiContainer = strings.EqualFold(data["enable-multi-container"], "true")
+
 	// Process int64 fields
 	for _, i64 := range []struct {
 		key   string
@@ -158,6 +162,9 @@ func NewDefaultsConfigFromConfigMap(config *corev1.ConfigMap) (*Defaults, error)
 
 // Defaults includes the default values to be populated by the webhook.
 type Defaults struct {
+	// Feature flag to enable multi container support
+	EnableMultiContainer bool
+
 	RevisionTimeoutSeconds int64
 	// This is the timeout set for cluster ingress.
 	// RevisionTimeoutSeconds must be less than this value.

pkg/apis/config/defaults_test.go

@@ -60,19 +60,34 @@ func TestDefaultsConfiguration(t *testing.T) {
 		name:    "specified values",
 		wantErr: false,
 		wantDefaults: &Defaults{
+			EnableMultiContainer:         true,
 			RevisionTimeoutSeconds:       123,
 			MaxRevisionTimeoutSeconds:    456,
 			ContainerConcurrencyMaxLimit: 1984,
 			RevisionCPURequest:           &oneTwoThree,
 			UserContainerNameTemplate:    "{{.Name}}",
 		},
 		data: map[string]string{
+			"enable-multi-container":          "true",
 			"revision-timeout-seconds":        "123",
 			"max-revision-timeout-seconds":    "456",
 			"revision-cpu-request":            "123m",
 			"container-concurrency-max-limit": "1984",
 			"container-name-template":         "{{.Name}}",
 		},
+	}, {
+		name:    "invalid multi container flag value",
+		wantErr: false,
+		wantDefaults: &Defaults{
+			EnableMultiContainer:         false,
+			RevisionTimeoutSeconds:       DefaultRevisionTimeoutSeconds,
+			MaxRevisionTimeoutSeconds:    DefaultMaxRevisionTimeoutSeconds,
+			UserContainerNameTemplate:    DefaultUserContainerName,
+			ContainerConcurrencyMaxLimit: DefaultMaxRevisionContainerConcurrency,
+		},
+		data: map[string]string{
+			"enable-multi-container": "invalid",
+		},
 	}, {
 		name:         "bad revision timeout",
 		wantErr:      true,

pkg/apis/serving/k8s_validation.go

@@ -17,6 +17,7 @@ limitations under the License.
 package serving
 
 import (
+	"context"
 	"fmt"
 	"math"
 	"path/filepath"
@@ -29,6 +30,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 	"knative.dev/pkg/apis"
 	"knative.dev/pkg/profiling"
+	"knative.dev/serving/pkg/apis/config"
 	"knative.dev/serving/pkg/apis/networking"
 )
 
@@ -236,7 +238,8 @@ func validateEnvFrom(envFromList []corev1.EnvFromSource) *apis.FieldError {
 	return errs
 }
 
-func ValidatePodSpec(ps corev1.PodSpec) *apis.FieldError {
+// ValidatePodSpec validates the pod spec
+func ValidatePodSpec(ctx context.Context, ps corev1.PodSpec) *apis.FieldError {
 	// This is inlined, and so it makes for a less meaningful
 	// error message.
 	// if equality.Semantic.DeepEqual(ps, corev1.PodSpec{}) {
@@ -257,7 +260,7 @@ func ValidatePodSpec(ps corev1.PodSpec) *apis.FieldError {
 		errs = errs.Also(ValidateContainer(ps.Containers[0], volumes).
 			ViaFieldIndex("containers", 0))
 	default:
-		errs = errs.Also(apis.ErrMultipleOneOf("containers"))
+		errs = errs.Also(validateContainers(ctx, ps.Containers, volumes))
 	}
 	if ps.ServiceAccountName != "" {
 		for range validation.IsDNS1123Subdomain(ps.ServiceAccountName) {
@@ -267,7 +270,82 @@ func ValidatePodSpec(ps corev1.PodSpec) *apis.FieldError {
 	return errs
 }
 
+func validateContainers(ctx context.Context, containers []corev1.Container, volumes sets.String) *apis.FieldError {
+	var errs *apis.FieldError
+	cfg := config.FromContextOrDefaults(ctx).Defaults
+	if !cfg.EnableMultiContainer {
+		errs = errs.Also(&apis.FieldError{Message: fmt.Sprintf("enable-multi-container is off, "+
+			"but found %d containers", len(containers))})
+	} else {
+		errs = errs.Also(validateContainersPorts(containers).ViaField("containers"))
+		for i := range containers {
+			// Probes are not allowed on other than serving container,
+			// ref: http://bit.ly/probes-condition
+			if len(containers[i].Ports) == 0 {
+				errs = errs.Also(validateSidecarContainer(containers[i], volumes).ViaFieldIndex("containers", i))
+			} else {
+				errs = errs.Also(ValidateContainer(containers[i], volumes).ViaFieldIndex("containers", i))
+			}
+		}
+	}
+	return errs
+}
+
+// validateContainersPorts validates port when specified multiple containers
+func validateContainersPorts(containers []corev1.Container) *apis.FieldError {
+	var count int
+	for i := range containers {
+		count += len(containers[i].Ports)
+	}
+	// When no container ports are specified.
+	if count == 0 {
+		return apis.ErrMissingField("ports")
+	}
+	// More than one container sections have ports.
+	if count > 1 {
+		return apis.ErrMultipleOneOf("ports")
+	}
+	return nil
+}
+
+// validateSidecarContainer validate fields for non serving containers
+func validateSidecarContainer(container corev1.Container, volumes sets.String) *apis.FieldError {
+	var errs *apis.FieldError
+	if container.LivenessProbe != nil {
+		errs = errs.Also(apis.CheckDisallowedFields(*container.LivenessProbe,
+			*ProbeMask(&corev1.Probe{})).ViaField("livenessProbe"))
+	}
+	if container.ReadinessProbe != nil {
+		errs = errs.Also(apis.CheckDisallowedFields(*container.ReadinessProbe,
+			*ProbeMask(&corev1.Probe{})).ViaField("readinessProbe"))
+	}
+	return errs.Also(validate(container, volumes))
+}
+
+// ValidateContainer validate fields for serving containers
 func ValidateContainer(container corev1.Container, volumes sets.String) *apis.FieldError {
+	var errs *apis.FieldError
+	// Single container cannot have multiple ports
+	errs = errs.Also(portValidation(container.Ports).ViaField("ports"))
+	// Liveness Probes
+	errs = errs.Also(validateProbe(container.LivenessProbe).ViaField("livenessProbe"))
+	// Readiness Probes
+	errs = errs.Also(validateReadinessProbe(container.ReadinessProbe).ViaField("readinessProbe"))
+	return errs.Also(validate(container, volumes))
+}
+
+func portValidation(containerPorts []corev1.ContainerPort) *apis.FieldError {
+	if len(containerPorts) > 1 {
+		return &apis.FieldError{
+			Message: "More than one container port is set",
+			Paths:   []string{apis.CurrentField},
+			Details: "Only a single port is allowed",
+		}
+	}
+	return nil
+}
+
+func validate(container corev1.Container, volumes sets.String) *apis.FieldError {
 	if equality.Semantic.DeepEqual(container, corev1.Container{}) {
 		return apis.ErrMissingField(apis.CurrentField)
 	}
@@ -296,12 +374,8 @@ func ValidateContainer(container corev1.Container, volumes sets.String) *apis.Fi
 		}
 		errs = errs.Also(fe)
 	}
-	// Liveness Probes
-	errs = errs.Also(validateProbe(container.LivenessProbe).ViaField("livenessProbe"))
 	// Ports
 	errs = errs.Also(validateContainerPorts(container.Ports).ViaField("ports"))
-	// Readiness Probes
-	errs = errs.Also(validateReadinessProbe(container.ReadinessProbe).ViaField("readinessProbe"))
 	// Resources
 	errs = errs.Also(validateResources(&container.Resources).ViaField("resources"))
 	// SecurityContext
@@ -397,14 +471,6 @@ func validateContainerPorts(ports []corev1.ContainerPort) *apis.FieldError {
 	// user can set container port which names "user-port" to define application's port.
 	// Queue-proxy will use it to send requests to application
 	// if user didn't set any port, it will set default port user-port=8080.
-	if len(ports) > 1 {
-		errs = errs.Also(&apis.FieldError{
-			Message: "More than one container port is set",
-			Paths:   []string{apis.CurrentField},
-			Details: "Only a single port is allowed",
-		})
-	}
-
 	userPort := ports[0]
 
 	errs = errs.Also(apis.CheckDisallowedFields(userPort, *ContainerPortMask(&userPort)))