pepr 0.12.2 → 0.13.0

package/dist/lib.js

@@ -33,8 +33,9 @@ __export(lib_exports, {
   Capability: () => Capability,
   Log: () => logger_default,
   PeprModule: () => PeprModule,
-  PeprRequest: () => PeprRequest,
+  PeprMutateRequest: () => PeprMutateRequest,
   PeprUtils: () => utils_exports,
+  PeprValidateRequest: () => PeprValidateRequest,
   R: () => R,
   RegisterKind: () => RegisterKind,
   a: () => upstream_exports,
@@ -48,55 +49,63 @@ var k8s = __toESM(require("@kubernetes/client-node"));
 var import_http_status_codes2 = require("http-status-codes");
 var R = __toESM(require("ramda"));
 
+// src/lib/capability.ts
+var import_ramda = require("ramda");
+
 // src/lib/k8s/upstream.ts
 var upstream_exports = {};
 __export(upstream_exports, {
-  APIService: () => import_client_node.V1APIService,
-  CSIDriver: () => import_client_node.V1CSIDriver,
-  CSIStorageCapacity: () => import_client_node.V1CSIStorageCapacity,
-  CertificateSigningRequest: () => import_client_node.V1CertificateSigningRequest,
-  ConfigMap: () => import_client_node.V1ConfigMap,
-  ControllerRevision: () => import_client_node.V1ControllerRevision,
-  CronJob: () => import_client_node.V1CronJob,
-  CustomResourceDefinition: () => import_client_node.V1CustomResourceDefinition,
-  DaemonSet: () => import_client_node.V1DaemonSet,
-  Deployment: () => import_client_node.V1Deployment,
-  EndpointSlice: () => import_client_node.V1EndpointSlice,
+  APIService: () => import_client_node2.V1APIService,
+  CSIDriver: () => import_client_node2.V1CSIDriver,
+  CSIStorageCapacity: () => import_client_node2.V1CSIStorageCapacity,
+  CertificateSigningRequest: () => import_client_node2.V1CertificateSigningRequest,
+  ClusterRole: () => import_client_node2.V1ClusterRole,
+  ClusterRoleBinding: () => import_client_node2.V1ClusterRoleBinding,
+  ConfigMap: () => import_client_node2.V1ConfigMap,
+  ControllerRevision: () => import_client_node2.V1ControllerRevision,
+  CronJob: () => import_client_node2.V1CronJob,
+  CustomResourceDefinition: () => import_client_node2.V1CustomResourceDefinition,
+  DaemonSet: () => import_client_node2.V1DaemonSet,
+  Deployment: () => import_client_node2.V1Deployment,
+  EndpointSlice: () => import_client_node2.V1EndpointSlice,
   GenericKind: () => GenericKind,
-  HorizontalPodAutoscaler: () => import_client_node.V1HorizontalPodAutoscaler,
-  Ingress: () => import_client_node.V1Ingress,
-  IngressClass: () => import_client_node.V1IngressClass,
-  Job: () => import_client_node.V1Job,
-  LimitRange: () => import_client_node.V1LimitRange,
-  LocalSubjectAccessReview: () => import_client_node.V1LocalSubjectAccessReview,
-  MutatingWebhookConfiguration: () => import_client_node.V1MutatingWebhookConfiguration,
-  Namespace: () => import_client_node.V1Namespace,
-  NetworkPolicy: () => import_client_node.V1NetworkPolicy,
-  Node: () => import_client_node.V1Node,
-  PersistentVolume: () => import_client_node.V1PersistentVolume,
-  PersistentVolumeClaim: () => import_client_node.V1PersistentVolumeClaim,
-  Pod: () => import_client_node.V1Pod,
-  PodDisruptionBudget: () => import_client_node.V1PodDisruptionBudget,
-  PodTemplate: () => import_client_node.V1PodTemplate,
-  ReplicaSet: () => import_client_node.V1ReplicaSet,
-  ReplicationController: () => import_client_node.V1ReplicationController,
-  ResourceQuota: () => import_client_node.V1ResourceQuota,
-  RuntimeClass: () => import_client_node.V1RuntimeClass,
-  Secret: () => import_client_node.V1Secret,
-  SelfSubjectAccessReview: () => import_client_node.V1SelfSubjectAccessReview,
-  SelfSubjectRulesReview: () => import_client_node.V1SelfSubjectRulesReview,
-  Service: () => import_client_node.V1Service,
-  ServiceAccount: () => import_client_node.V1ServiceAccount,
-  StatefulSet: () => import_client_node.V1StatefulSet,
-  StorageClass: () => import_client_node.V1StorageClass,
-  SubjectAccessReview: () => import_client_node.V1SubjectAccessReview,
-  TokenReview: () => import_client_node.V1TokenReview,
-  ValidatingWebhookConfiguration: () => import_client_node.V1ValidatingWebhookConfiguration,
-  VolumeAttachment: () => import_client_node.V1VolumeAttachment
+  HorizontalPodAutoscaler: () => import_client_node2.V1HorizontalPodAutoscaler,
+  Ingress: () => import_client_node2.V1Ingress,
+  IngressClass: () => import_client_node2.V1IngressClass,
+  Job: () => import_client_node2.V1Job,
+  LimitRange: () => import_client_node2.V1LimitRange,
+  LocalSubjectAccessReview: () => import_client_node2.V1LocalSubjectAccessReview,
+  MutatingWebhookConfiguration: () => import_client_node2.V1MutatingWebhookConfiguration,
+  Namespace: () => import_client_node2.V1Namespace,
+  NetworkPolicy: () => import_client_node2.V1NetworkPolicy,
+  Node: () => import_client_node2.V1Node,
+  PersistentVolume: () => import_client_node2.V1PersistentVolume,
+  PersistentVolumeClaim: () => import_client_node2.V1PersistentVolumeClaim,
+  Pod: () => import_client_node2.V1Pod,
+  PodDisruptionBudget: () => import_client_node2.V1PodDisruptionBudget,
+  PodTemplate: () => import_client_node2.V1PodTemplate,
+  ReplicaSet: () => import_client_node2.V1ReplicaSet,
+  ReplicationController: () => import_client_node2.V1ReplicationController,
+  ResourceQuota: () => import_client_node2.V1ResourceQuota,
+  Role: () => import_client_node2.V1Role,
+  RoleBinding: () => import_client_node2.V1RoleBinding,
+  RuntimeClass: () => import_client_node2.V1RuntimeClass,
+  Secret: () => import_client_node2.V1Secret,
+  SelfSubjectAccessReview: () => import_client_node2.V1SelfSubjectAccessReview,
+  SelfSubjectRulesReview: () => import_client_node2.V1SelfSubjectRulesReview,
+  Service: () => import_client_node2.V1Service,
+  ServiceAccount: () => import_client_node2.V1ServiceAccount,
+  StatefulSet: () => import_client_node2.V1StatefulSet,
+  StorageClass: () => import_client_node2.V1StorageClass,
+  SubjectAccessReview: () => import_client_node2.V1SubjectAccessReview,
+  TokenReview: () => import_client_node2.V1TokenReview,
+  ValidatingWebhookConfiguration: () => import_client_node2.V1ValidatingWebhookConfiguration,
+  VolumeAttachment: () => import_client_node2.V1VolumeAttachment
 });
-var import_client_node = require("@kubernetes/client-node");
+var import_client_node2 = require("@kubernetes/client-node");
 
 // src/lib/k8s/types.ts
+var import_client_node = require("@kubernetes/client-node");
 var GenericKind = class {
   apiVersion;
   kind;
@@ -105,6 +114,46 @@ var GenericKind = class {
 
 // src/lib/k8s/kinds.ts
 var gvkMap = {
+  /**
+   * Represents a K8s ClusterRole resource.
+   * ClusterRole is a set of permissions that can be bound to a user or group in a cluster-wide scope.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole}
+   */
+  V1ClusterRole: {
+    kind: "ClusterRole",
+    version: "v1",
+    group: "rbac.authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s ClusterRoleBinding resource.
+   * ClusterRoleBinding binds a ClusterRole to a user or group in a cluster-wide scope.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding}
+   */
+  V1ClusterRoleBinding: {
+    kind: "ClusterRoleBinding",
+    version: "v1",
+    group: "rbac.authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s Role resource.
+   * Role is a set of permissions that can be bound to a user or group in a namespace scope.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole}
+   */
+  V1Role: {
+    kind: "Role",
+    version: "v1",
+    group: "rbac.authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s RoleBinding resource.
+   * RoleBinding binds a Role to a user or group in a namespace scope.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding}
+   */
+  V1RoleBinding: {
+    kind: "RoleBinding",
+    version: "v1",
+    group: "rbac.authorization.k8s.io"
+  },
   /**
    * Represents a K8s ConfigMap resource.
    * ConfigMap holds configuration data for pods to consume.
@@ -539,89 +588,24 @@ var RegisterKind = (model, groupVersionKind) => {
   gvkMap[name] = groupVersionKind;
 };
 
+// src/lib/k8s/index.ts
+var isWatchMode = process.env.PEPR_WATCH_MODE === "true";
+
 // src/lib/logger.ts
-var LogLevel = /* @__PURE__ */ ((LogLevel2) => {
-  LogLevel2[LogLevel2["debug"] = 0] = "debug";
-  LogLevel2[LogLevel2["info"] = 1] = "info";
-  LogLevel2[LogLevel2["warn"] = 2] = "warn";
-  LogLevel2[LogLevel2["error"] = 3] = "error";
-  return LogLevel2;
-})(LogLevel || {});
-var Logger = class {
-  _logLevel;
-  /**
-   * Create a new logger instance.
-   * @param logLevel - The minimum log level to log messages for.
-   */
-  constructor(logLevel) {
-    this._logLevel = logLevel;
-  }
-  /**
-   * Change the log level of the logger.
-   * @param logLevel - The log level to log the message at.
-   */
-  SetLogLevel(logLevel) {
-    this._logLevel = LogLevel[logLevel];
-    this.debug(`Log level set to ${logLevel}`);
-  }
-  /**
-   * Log a debug message.
-   * @param message - The message to log.
-   */
-  debug(message, prefix) {
-    this.log(0 /* debug */, message, prefix);
-  }
-  /**
-   * Log an info message.
-   * @param message - The message to log.
-   */
-  info(message, prefix) {
-    this.log(1 /* info */, message, prefix);
-  }
-  /**
-   * Log a warning message.
-   * @param message - The message to log.
-   */
-  warn(message, prefix) {
-    this.log(2 /* warn */, message, prefix);
-  }
-  /**
-   * Log an error message.
-   * @param message - The message to log.
-   */
-  error(message, prefix) {
-    this.log(3 /* error */, message, prefix);
-  }
-  /**
-   * Log a message at the specified log level.
-   * @param logLevel - The log level of the message.
-   * @param message - The message to log.
-   */
-  log(logLevel, message, callerPrefix = "") {
-    const color = {
-      [0 /* debug */]: "\x1B[30m" /* FgBlack */,
-      [1 /* info */]: "\x1B[36m" /* FgCyan */,
-      [2 /* warn */]: "\x1B[33m" /* FgYellow */,
-      [3 /* error */]: "\x1B[31m" /* FgRed */
-    };
-    if (logLevel >= this._logLevel) {
-      let prefix = "[" + LogLevel[logLevel] + "]	" + callerPrefix;
-      prefix = this.colorize(prefix, color[logLevel]);
-      if (typeof message !== "string") {
-        console.log(prefix);
-        console.debug("%o", message);
-      } else {
-        console.log(prefix + "	" + message);
-      }
-    }
-  }
-  colorize(text, color) {
-    return color + text + "\x1B[0m" /* Reset */;
+var import_pino = require("pino");
+var isPrettyLog = process.env.PEPR_PRETTY_LOGS === "true";
+var pretty = {
+  target: "pino-pretty",
+  options: {
+    colorize: true
   }
 };
-var Log = new Logger(1 /* info */);
+var transport = isPrettyLog ? pretty : void 0;
+var Log = (0, import_pino.pino)({
+  transport
+});
 if (process.env.LOG_LEVEL) {
-  Log.SetLogLevel(process.env.LOG_LEVEL);
+  Log.level = process.env.LOG_LEVEL;
 }
 var logger_default = Log;
 
@@ -630,8 +614,6 @@ var Capability = class {
   _name;
   _description;
   _namespaces;
-  // Currently everything is considered a mutation
-  _mutateOrValidate = "mutate" /* mutate */;
   _bindings = [];
   get bindings() {
     return this._bindings;
@@ -645,9 +627,6 @@ var Capability = class {
   get namespaces() {
     return this._namespaces || [];
   }
-  get mutateOrValidate() {
-    return this._mutateOrValidate;
-  }
   constructor(cfg) {
     this._name = cfg.name;
     this._description = cfg.description;
@@ -678,52 +657,63 @@ var Capability = class {
         namespaces: [],
         labels: {},
         annotations: {}
-      },
-      callback: () => void 0
+      }
     };
     const prefix = `${this._name}: ${model.name}`;
-    logger_default.info(`Binding created`, prefix);
-    const Then = (cb) => {
-      logger_default.info(`Binding action created`, prefix);
-      logger_default.debug(cb.toString(), prefix);
-      this._bindings.push({
-        ...binding,
-        callback: cb
-      });
-      return { Then };
+    const isNotEmpty = (value) => Object.keys(value).length > 0;
+    const log = (message, cbString) => {
+      const filteredObj = (0, import_ramda.pickBy)(isNotEmpty, binding.filters);
+      logger_default.info(`${message} configured for ${binding.event}`, prefix);
+      logger_default.info(filteredObj, prefix);
+      logger_default.debug(cbString, prefix);
     };
-    const ThenSet = (merge) => {
-      Then((req) => req.Merge(merge));
-      return { Then };
+    const Validate = (validateCallback) => {
+      if (!isWatchMode) {
+        log("Validate Action", validateCallback.toString());
+        this._bindings.push({
+          ...binding,
+          isValidate: true,
+          validateCallback
+        });
+      }
+    };
+    const Mutate = (mutateCallback) => {
+      if (!isWatchMode) {
+        log("Mutate Action", mutateCallback.toString());
+        this._bindings.push({
+          ...binding,
+          isMutate: true,
+          mutateCallback
+        });
+      }
+      return { Validate };
     };
     function InNamespace(...namespaces) {
       logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
       binding.filters.namespaces.push(...namespaces);
-      return { WithLabel, WithAnnotation, WithName, Then, ThenSet };
+      return { ...commonChain, WithName };
     }
     function WithName(name) {
       logger_default.debug(`Add name filter ${name}`, prefix);
       binding.filters.name = name;
-      return { WithLabel, WithAnnotation, Then, ThenSet };
+      return commonChain;
     }
     function WithLabel(key, value = "") {
       logger_default.debug(`Add label filter ${key}=${value}`, prefix);
       binding.filters.labels[key] = value;
-      return { WithLabel, WithAnnotation, Then, ThenSet };
+      return commonChain;
     }
     const WithAnnotation = (key, value = "") => {
       logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
       binding.filters.annotations[key] = value;
-      return { WithLabel, WithAnnotation, Then, ThenSet };
+      return commonChain;
     };
+    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate };
     const bindEvent = (event) => {
       binding.event = event;
       return {
+        ...commonChain,
         InNamespace,
-        Then,
-        ThenSet,
-        WithAnnotation,
-        WithLabel,
         WithName
       };
     };
@@ -743,7 +733,7 @@ var fetchRaw = import_node_fetch.default;
 async function fetch(url, init) {
   let data = void 0;
   try {
-    logger_default.debug(`Fetching ${url}`);
+    logger_default.debug(init, `Fetching ${url}`);
     const resp = await fetchRaw(url, init);
     const contentType = resp.headers.get("content-type") || "";
     if (resp.ok) {
@@ -780,14 +770,101 @@ async function fetch(url, init) {
 }
 
 // src/lib/module.ts
-var import_ramda2 = require("ramda");
+var import_ramda4 = require("ramda");
 
 // src/lib/controller.ts
 var import_express = __toESM(require("express"));
 var import_fs = __toESM(require("fs"));
 var import_https = __toESM(require("https"));
 
-// src/lib/processor.ts
+// src/lib/metrics.ts
+var import_prom_client = __toESM(require("prom-client"));
+var import_perf_hooks = require("perf_hooks");
+var loggingPrefix = "MetricsCollector";
+var MetricsCollector = class {
+  _registry;
+  _counters = /* @__PURE__ */ new Map();
+  _summaries = /* @__PURE__ */ new Map();
+  _prefix;
+  _metricNames = {
+    errors: "errors",
+    alerts: "alerts",
+    mutate: "Mutate",
+    validate: "Validate"
+  };
+  /**
+   * Creates a MetricsCollector instance with prefixed metrics.
+   * @param {string} [prefix='pepr'] - The prefix for the metric names.
+   */
+  constructor(prefix = "pepr") {
+    this._registry = new import_prom_client.Registry();
+    this._prefix = prefix;
+    this.addCounter(this._metricNames.errors, "Mutation/Validate errors encountered");
+    this.addCounter(this._metricNames.alerts, "Mutation/Validate bad api token received");
+    this.addSummary(this._metricNames.mutate, "Mutation operation summary");
+    this.addSummary(this._metricNames.validate, "Validation operation summary");
+  }
+  getMetricName(name) {
+    return `${this._prefix}_${name}`;
+  }
+  addMetric(collection, MetricType, name, help) {
+    if (collection.has(this.getMetricName(name))) {
+      logger_default.debug(`Metric for ${name} already exists`, loggingPrefix);
+      return;
+    }
+    const metric = new MetricType({
+      name: this.getMetricName(name),
+      help,
+      registers: [this._registry]
+    });
+    collection.set(this.getMetricName(name), metric);
+  }
+  addCounter(name, help) {
+    this.addMetric(this._counters, import_prom_client.default.Counter, name, help);
+  }
+  addSummary(name, help) {
+    this.addMetric(this._summaries, import_prom_client.default.Summary, name, help);
+  }
+  incCounter(name) {
+    this._counters.get(this.getMetricName(name))?.inc();
+  }
+  /**
+   * Increments the error counter.
+   */
+  error() {
+    this.incCounter(this._metricNames.errors);
+  }
+  /**
+   * Increments the alerts counter.
+   */
+  alert() {
+    this.incCounter(this._metricNames.alerts);
+  }
+  /**
+   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
+   * @returns {number} The timestamp.
+   */
+  observeStart() {
+    return import_perf_hooks.performance.now();
+  }
+  /**
+   * Observes the duration since the provided start time and updates the summary.
+   * @param {number} startTime - The start time.
+   * @param {string} name - The metrics summary to increment.
+   */
+  observeEnd(startTime, name = this._metricNames.mutate) {
+    this._summaries.get(this.getMetricName(name))?.observe(import_perf_hooks.performance.now() - startTime);
+  }
+  /**
+   * Fetches the current metrics from the registry.
+   * @returns {Promise<string>} The metrics.
+   */
+  async getMetrics() {
+    return this._registry.metrics();
+  }
+};
+
+// src/lib/mutate-processor.ts
 var import_fast_json_patch = __toESM(require("fast-json-patch"));
 
 // src/lib/filter.ts
@@ -797,7 +874,6 @@ function shouldSkipRequest(binding, req) {
   const operation = req.operation.toUpperCase();
   const srcObject = operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
   const { metadata } = srcObject || {};
-  console.log(metadata);
   if (!binding.event.includes(operation) && !binding.event.includes("*" /* Any */)) {
     return true;
   }
@@ -842,19 +918,19 @@ function shouldSkipRequest(binding, req) {
   return false;
 }
 
-// src/lib/request.ts
-var import_ramda = require("ramda");
-var PeprRequest = class {
+// src/lib/mutate-request.ts
+var import_ramda2 = require("ramda");
+var PeprMutateRequest = class {
   /**
-   * Creates a new instance of the Action class.
+   * Creates a new instance of the action class.
    * @param input - The request object containing the Kubernetes resource to modify.
    */
   constructor(_input) {
     this._input = _input;
     if (_input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda.clone)(_input.oldObject);
+      this.Raw = (0, import_ramda2.clone)(_input.oldObject);
     } else {
-      this.Raw = (0, import_ramda.clone)(_input.object);
+      this.Raw = (0, import_ramda2.clone)(_input.object);
     }
     if (!this.Raw) {
       throw new Error("unable to load the request object into PeprRequest.RawP");
@@ -891,13 +967,13 @@ var PeprRequest = class {
    * @param obj - The object to merge with the current resource.
    */
   Merge(obj) {
-    this.Raw = (0, import_ramda.mergeDeepRight)(this.Raw, obj);
+    this.Raw = (0, import_ramda2.mergeDeepRight)(this.Raw, obj);
   }
   /**
    * Updates a label on the Kubernetes resource.
    * @param key - The key of the label to update.
    * @param value - The value of the label.
-   * @returns The current Action instance for method chaining.
+   * @returns The current action instance for method chaining.
    */
   SetLabel(key, value) {
     const ref = this.Raw;
@@ -910,7 +986,7 @@ var PeprRequest = class {
    * Updates an annotation on the Kubernetes resource.
    * @param key - The key of the annotation to update.
    * @param value - The value of the annotation.
-   * @returns The current Action instance for method chaining.
+   * @returns The current action instance for method chaining.
    */
   SetAnnotation(key, value) {
     const ref = this.Raw;
@@ -1003,30 +1079,33 @@ function base64Encode(data) {
   return Buffer.from(data).toString("base64");
 }
 
-// src/lib/processor.ts
-async function processor(config, capabilities, req, parentPrefix) {
-  const wrapped = new PeprRequest(req);
+// src/lib/mutate-processor.ts
+async function mutateProcessor(config, capabilities, req, reqMetadata) {
+  const wrapped = new PeprMutateRequest(req);
   const response = {
     uid: req.uid,
     warnings: [],
     allowed: false
   };
-  let matchedCapabilityAction = false;
+  let matchedAction = false;
   let skipDecode = [];
   const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
   if (isSecret) {
     skipDecode = convertFromBase64Map(wrapped.Raw);
   }
-  logger_default.info(`Processing request`, parentPrefix);
+  logger_default.info(reqMetadata, `Processing request`);
   for (const { name, bindings } of capabilities) {
-    const prefix = `${parentPrefix} ${name}:`;
+    const actionMetadata = { ...reqMetadata, name };
     for (const action of bindings) {
+      if (!action.mutateCallback) {
+        continue;
+      }
       if (shouldSkipRequest(action, req)) {
         continue;
       }
-      const label = action.callback.name;
-      logger_default.info(`Processing matched action ${label}`, prefix);
-      matchedCapabilityAction = true;
+      const label = action.mutateCallback.name;
+      logger_default.info(actionMetadata, `Processing matched action ${label}`);
+      matchedAction = true;
       const updateStatus = (status) => {
         if (req.operation == "DELETE") {
           return;
@@ -1038,26 +1117,28 @@ async function processor(config, capabilities, req, parentPrefix) {
       };
       updateStatus("started");
       try {
-        await action.callback(wrapped);
-        logger_default.info(`Action succeeded`, prefix);
+        await action.mutateCallback(wrapped);
+        logger_default.info(actionMetadata, `Action succeeded`);
         updateStatus("succeeded");
       } catch (e) {
+        logger_default.warn(actionMetadata, `Action failed: ${e}`);
+        updateStatus("warning");
         response.warnings = response.warnings || [];
         response.warnings.push(`Action failed: ${e}`);
-        if (config.onError) {
-          logger_default.error(`Action failed: ${e}`, prefix);
-          response.result = "Pepr module configured to reject on error";
-          return response;
-        } else {
-          logger_default.warn(`Action failed: ${e}`, prefix);
-          updateStatus("warning");
+        switch (config.onError) {
+          case "reject":
+            logger_default.error(actionMetadata, `Action failed: ${e}`);
+            response.result = "Pepr module configured to reject on error";
+            return response;
+          case "audit":
+            break;
         }
       }
     }
   }
   response.allowed = true;
-  if (!matchedCapabilityAction) {
-    logger_default.info(`No matching capability action found`, parentPrefix);
+  if (!matchedAction) {
+    logger_default.info(reqMetadata, `No matching actions found`);
     return response;
   }
   if (req.operation == "DELETE") {
@@ -1070,126 +1151,192 @@ async function processor(config, capabilities, req, parentPrefix) {
   const patches = import_fast_json_patch.default.compare(req.object, transformed);
   if (patches.length > 0) {
     response.patchType = "JSONPatch";
-    response.patch = Buffer.from(JSON.stringify(patches)).toString("base64");
+    response.patch = base64Encode(JSON.stringify(patches));
   }
   if (response.warnings && response.warnings.length < 1) {
     delete response.warnings;
   }
-  logger_default.debug(patches, parentPrefix);
+  logger_default.debug({ ...reqMetadata, patches }, `Patches generated`);
   return response;
 }
 
-// src/lib/metrics.ts
-var import_prom_client = __toESM(require("prom-client"));
-var import_perf_hooks = require("perf_hooks");
-var MetricsCollector = class {
-  _registry;
-  _errors;
-  _alerts;
-  _summary;
+// src/lib/validate-request.ts
+var import_ramda3 = require("ramda");
+var PeprValidateRequest = class {
   /**
-   * Creates a MetricsCollector instance with prefixed metrics.
-   * @param {string} [prefix='pepr'] - The prefix for the metric names.
+   * Creates a new instance of the Action class.
+   * @param input - The request object containing the Kubernetes resource to modify.
    */
-  constructor(prefix = "pepr") {
-    this._registry = new import_prom_client.default.Registry();
-    this._errors = new import_prom_client.default.Counter({
-      name: `${prefix}_errors`,
-      help: "error counter",
-      registers: [this._registry]
-    });
-    this._alerts = new import_prom_client.default.Counter({
-      name: `${prefix}_alerts`,
-      help: "alerts counter",
-      registers: [this._registry]
-    });
-    this._summary = new import_prom_client.default.Summary({
-      name: `${prefix}_summary`,
-      help: "summary",
-      registers: [this._registry]
-    });
+  constructor(_input) {
+    this._input = _input;
+    if (_input.operation.toUpperCase() === "DELETE" /* DELETE */) {
+      this.Raw = (0, import_ramda3.clone)(_input.oldObject);
+    } else {
+      this.Raw = (0, import_ramda3.clone)(_input.object);
+    }
+    if (!this.Raw) {
+      throw new Error("unable to load the request object into PeprRequest.RawP");
+    }
   }
+  Raw;
   /**
-   * Increments the error counter.
+   * Provides access to the old resource in the request if available.
+   * @returns The old Kubernetes resource object or null if not available.
    */
-  error() {
-    this._errors.inc();
+  get OldResource() {
+    return this._input.oldObject;
   }
   /**
-   * Increments the alerts counter.
+   * Provides access to the request object.
+   * @returns The request object containing the Kubernetes resource.
    */
-  alert() {
-    this._alerts.inc();
+  get Request() {
+    return this._input;
   }
   /**
-   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
-   * @returns {number} The timestamp.
+   * Check if a label exists on the Kubernetes resource.
+   *
+   * @param key the label key to check
+   * @returns
    */
-  observeStart() {
-    return import_perf_hooks.performance.now();
+  HasLabel(key) {
+    return this.Raw.metadata?.labels?.[key] !== void 0;
   }
   /**
-   * Observes the duration since the provided start time and updates the summary.
-   * @param {number} startTime - The start time.
+   * Check if an annotation exists on the Kubernetes resource.
+   *
+   * @param key the annotation key to check
+   * @returns
    */
-  observeEnd(startTime) {
-    this._summary.observe(import_perf_hooks.performance.now() - startTime);
+  HasAnnotation(key) {
+    return this.Raw.metadata?.annotations?.[key] !== void 0;
   }
   /**
-   * Fetches the current metrics from the registry.
-   * @returns {Promise<string>} The metrics.
+   * Create a validation response that allows the request.
+   *
+   * @returns The validation response.
    */
-  async getMetrics() {
-    return this._registry.metrics();
+  Approve() {
+    return {
+      allowed: true
+    };
+  }
+  /**
+   * Create a validation response that denies the request.
+   *
+   * @param statusMessage Optional status message to return to the user.
+   * @param statusCode Optional status code to return to the user.
+   * @returns The validation response.
+   */
+  Deny(statusMessage, statusCode) {
+    return {
+      allowed: false,
+      statusCode,
+      statusMessage
+    };
   }
 };
 
+// src/lib/validate-processor.ts
+async function validateProcessor(capabilities, req, reqMetadata) {
+  const wrapped = new PeprValidateRequest(req);
+  const response = {
+    uid: req.uid,
+    allowed: true
+    // Assume it's allowed until a validation check fails
+  };
+  logger_default.info(reqMetadata, `Processing validation request`);
+  for (const { name, bindings } of capabilities) {
+    const actionMetadata = { ...reqMetadata, name };
+    for (const action of bindings) {
+      if (!action.validateCallback) {
+        continue;
+      }
+      if (shouldSkipRequest(action, req)) {
+        continue;
+      }
+      const label = action.validateCallback.name;
+      logger_default.info(actionMetadata, `Processing matched action ${label}`);
+      try {
+        const resp = await action.validateCallback(wrapped);
+        response.allowed = resp.allowed;
+        if (resp.statusCode || resp.statusMessage) {
+          response.status = {
+            code: resp.statusCode || 400,
+            message: resp.statusMessage || `Validation failed for ${name}`
+          };
+        }
+        logger_default.info(actionMetadata, `Validation Action completed: ${resp.allowed ? "allowed" : "denied"}`);
+      } catch (e) {
+        logger_default.error(actionMetadata, `Action failed: ${e}`);
+        response.allowed = false;
+        response.status = {
+          code: 500,
+          message: `Action failed with error: ${e}`
+        };
+        return response;
+      }
+    }
+  }
+  return response;
+}
+
 // src/lib/controller.ts
 var Controller = class {
-  constructor(config, capabilities, beforeHook, afterHook) {
-    this.config = config;
-    this.capabilities = capabilities;
-    this.beforeHook = beforeHook;
-    this.afterHook = afterHook;
-    this.app.use(this.logger);
-    this.app.use(import_express.default.json({ limit: "2mb" }));
-    this.app.get("/healthz", this.healthz);
-    this.app.get("/metrics", this.metrics);
-    this.app.post("/mutate/:token", this.mutate);
-    if (beforeHook) {
-      console.info(`Using beforeHook: ${beforeHook}`);
+  constructor(_config, _capabilities, _beforeHook, _afterHook) {
+    this._config = _config;
+    this._capabilities = _capabilities;
+    this._beforeHook = _beforeHook;
+    this._afterHook = _afterHook;
+    this._app.use(this.logger);
+    this._app.use(import_express.default.json({ limit: "2mb" }));
+    if (_beforeHook) {
+      logger_default.info(`Using beforeHook: ${_beforeHook}`);
     }
-    if (afterHook) {
-      console.info(`Using afterHook: ${afterHook}`);
+    if (_afterHook) {
+      logger_default.info(`Using afterHook: ${_afterHook}`);
     }
+    this.bindEndpoints();
   }
-  app = (0, import_express.default)();
-  running = false;
+  _app = (0, import_express.default)();
+  _running = false;
   metricsCollector = new MetricsCollector("pepr");
   // The token used to authenticate requests
-  token = "";
+  _token = "";
+  bindEndpoints = () => {
+    this._app.get("/healthz", this.healthz);
+    this._app.get("/metrics", this.metrics);
+    if (isWatchMode) {
+      return;
+    }
+    this._app.use(["/mutate/:token", "/validate/:token"], this.validateToken);
+    this._app.post("/mutate/:token", this.admissionReq("Mutate"));
+    this._app.post("/validate/:token", this.admissionReq("Validate"));
+  };
   /** Start the webhook server */
   startServer = (port) => {
-    if (this.running) {
+    if (this._running) {
       throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
     }
     const options = {
       key: import_fs.default.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
       cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
     };
-    this.token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
-    console.info(`Using API token: ${this.token}`);
-    if (!this.token) {
-      throw new Error("API token not found");
+    if (!isWatchMode) {
+      this._token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
+      logger_default.info(`Using API token: ${this._token}`);
+      if (!this._token) {
+        throw new Error("API token not found");
+      }
     }
-    const server = import_https.default.createServer(options, this.app).listen(port);
+    const server = import_https.default.createServer(options, this._app).listen(port);
     server.on("listening", () => {
-      console.log(`Server listening on port ${port}`);
-      this.running = true;
+      logger_default.info(`Server listening on port ${port}`);
+      this._running = true;
     });
     server.on("error", (e) => {
       if (e.code === "EADDRINUSE") {
-        console.log(
+        logger_default.warn(
           `Address in use, retrying in 2 seconds. If this persists, ensure ${port} is not in use, e.g. "lsof -i :${port}"`
         );
         setTimeout(() => {
@@ -1199,80 +1346,128 @@ var Controller = class {
       }
     });
     process.on("SIGTERM", () => {
-      console.log("Received SIGTERM, closing server");
+      logger_default.info("Received SIGTERM, closing server");
       server.close(() => {
-        console.log("Server closed");
+        logger_default.info("Server closed");
         process.exit(0);
       });
     });
   };
+  /**
+   * Middleware for logging requests
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   * @param next the next middleware function
+   */
   logger = (req, res, next) => {
     const startTime = Date.now();
     res.on("finish", () => {
-      const now = (/* @__PURE__ */ new Date()).toISOString();
       const elapsedTime = Date.now() - startTime;
-      const message = `[${now}] ${req.method} ${req.originalUrl} [${res.statusCode}] ${elapsedTime} ms
-`;
-      res.statusCode >= 400 ? console.error(message) : console.info(message);
+      const message = {
+        uid: req.body?.request?.uid,
+        method: req.method,
+        url: req.originalUrl,
+        status: res.statusCode,
+        duration: `${elapsedTime} ms`
+      };
+      res.statusCode >= 300 ? logger_default.warn(message) : logger_default.info(message);
     });
     next();
   };
+  /**
+   * Validate the token in the request path
+   *
+   * @param req The incoming request
+   * @param res The outgoing response
+   * @param next The next middleware function
+   * @returns
+   */
+  validateToken = (req, res, next) => {
+    const { token } = req.params;
+    if (token !== this._token) {
+      const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
+      logger_default.warn(err);
+      res.status(401).send(err);
+      this.metricsCollector.alert();
+      return;
+    }
+    next();
+  };
+  /**
+   * Health check endpoint handler
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   */
   healthz = (req, res) => {
     try {
       res.send("OK");
     } catch (err) {
-      console.error(err);
+      logger_default.error(err);
       res.status(500).send("Internal Server Error");
     }
   };
+  /**
+   * Metrics endpoint handler
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   */
   metrics = async (req, res) => {
     try {
       res.send(await this.metricsCollector.getMetrics());
     } catch (err) {
-      console.error(err);
+      logger_default.error(err);
       res.status(500).send("Internal Server Error");
     }
   };
-  mutate = async (req, res) => {
-    const startTime = this.metricsCollector.observeStart();
-    try {
-      const { token } = req.params;
-      if (token !== this.token) {
-        const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
-        console.warn(err);
-        res.status(401).send(err);
-        this.metricsCollector.alert();
-        return;
+  /**
+   * Admission request handler for both mutate and validate requests
+   *
+   * @param admissionKind the type of admission request
+   * @returns the request handler
+   */
+  admissionReq = (admissionKind) => {
+    return async (req, res) => {
+      const startTime = this.metricsCollector.observeStart();
+      try {
+        const request = req.body?.request || {};
+        this._beforeHook && this._beforeHook(request || {});
+        const name = request?.name ? `/${request.name}` : "";
+        const namespace = request?.namespace || "";
+        const gvk = request?.kind || { group: "", version: "", kind: "" };
+        const reqMetadata = {
+          uid: request.uid,
+          namespace,
+          name
+        };
+        logger_default.info({ ...reqMetadata, gvk, operation: request.operation, admissionKind }, "Incoming request");
+        logger_default.debug({ ...reqMetadata, request }, "Incoming request body");
+        let response;
+        if (admissionKind === "Mutate") {
+          response = await mutateProcessor(this._config, this._capabilities, request, reqMetadata);
+        } else {
+          response = await validateProcessor(this._capabilities, request, reqMetadata);
+        }
+        this._afterHook && this._afterHook(response);
+        logger_default.debug({ ...reqMetadata, response }, "Outgoing response");
+        res.send({
+          apiVersion: "admission.k8s.io/v1",
+          kind: "AdmissionReview",
+          response
+        });
+        this.metricsCollector.observeEnd(startTime, admissionKind);
+      } catch (err) {
+        logger_default.error(err);
+        res.status(500).send("Internal Server Error");
+        this.metricsCollector.error();
       }
-      const request = req.body?.request || {};
-      this.beforeHook && this.beforeHook(request || {});
-      const name = request?.name ? `/${request.name}` : "";
-      const namespace = request?.namespace || "";
-      const gvk = request?.kind || { group: "", version: "", kind: "" };
-      const prefix = `${request.uid} ${namespace}${name}`;
-      logger_default.info(`Mutate [${request.operation}] ${gvk.group}/${gvk.version}/${gvk.kind}`, prefix);
-      const response = await processor(this.config, this.capabilities, request, prefix);
-      this.afterHook && this.afterHook(response);
-      logger_default.debug(response, prefix);
-      res.send({
-        apiVersion: "admission.k8s.io/v1",
-        kind: "AdmissionReview",
-        response
-      });
-      this.metricsCollector.observeEnd(startTime);
-    } catch (err) {
-      console.error(err);
-      res.status(500).send("Internal Server Error");
-      this.metricsCollector.error();
-    }
+    };
   };
 };
 
 // src/lib/module.ts
-var alwaysIgnore = {
-  namespaces: ["kube-system", "pepr-system"],
-  labels: [{ "pepr.dev": "ignore" }]
-};
 var PeprModule = class {
   _controller;
   /**
@@ -1283,10 +1478,14 @@ var PeprModule = class {
    * @param _deferStart (optional) If set to `true`, the Pepr runtime will not be started automatically. This can be used to start the Pepr runtime manually with `start()`.
    */
   constructor({ description, pepr }, capabilities = [], opts = {}) {
-    const config = (0, import_ramda2.mergeDeepWith)(import_ramda2.concat, pepr, alwaysIgnore);
+    const config = (0, import_ramda4.clone)(pepr);
     config.description = description;
-    if (process.env.PEPR_MODE === "build") {
-      process.send?.({ capabilities });
+    const validOnErrors = ["ignore", "warn", "fail"];
+    if (!validOnErrors.includes(config.onError || "")) {
+      throw new Error(`Invalid onErrors value: ${config.onError}`);
+    }
+    if (process.env.PEPR_MODE === "build" && process.send) {
+      process.send(capabilities);
       return;
     }
     this._controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
@@ -1310,8 +1509,9 @@ var PeprModule = class {
   Capability,
   Log,
   PeprModule,
-  PeprRequest,
+  PeprMutateRequest,
   PeprUtils,
+  PeprValidateRequest,
   R,
   RegisterKind,
   a,