Add Validation for NodeClassReference

[jonathan-innis]

Description

What problem are you trying to solve?

Right now, there's no CEL or webhook validation for what's passed through the NodeClassReference. This means that it can be easy to forget the version portion or not properly capitalize kinds, etc. when specifying the reference.

It probably also makes sense for the cloudprovider to inject its own CEL validation when it pulls the NodePool CRD into its helm chart (similar to what AWS does here in scripts: https://github.com/aws/karpenter-provider-aws/tree/main/hack/validation)

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[sftim]

How about using a ValidatingAdmissionPolicy with a custom, singleton params kind, and then having controllers write to that custom resource based on a watch for their node class (or whatever).

We'd make the extra CRD part of the CRDs chart, leaving the controller to actually add make an instance of that CR and / or add itself in.

It's more to implement, but as a pattern it leaves room for multiple providers in one cluster, and it avoids [should avoid] the risk of different implementations clashing over CRD writes.

---

This is an outline, let me know if folks want details clarified.