MultiValidatingHandler returns as soon as one handler fails, making it impossible to follow convention of reporting all validation errors #3203

Open
@dlipovetsky


The prevailing convention in Kubernetes resource validation is to report all validation errors, not only the first discovered error. The built-in API types follow this convention (example). The OpenAPI and CEL rule validation follows this convention, too. Most webhooks I have seen also follow it.

We provide a utility function for webhook authors that executes multiple validators:

```go
// MultiValidatingHandler combines multiple validating webhook handlers into a single
// validating webhook handler. Handlers are called in sequential order, and the first
// `allowed: false` response may short-circuit the rest.
func MultiValidatingHandler(handlers ...Handler) Handler {
	return multiValidating(handlers)
}
```

It returns as soon as one validator fails. That means that subsequent validators are not called, and any errors they might discover are not reported.

I think we should provide an alternative implementation that calls all validators, even if some fail, and aggregates their errors.

Also, because the existing utility function does not follow the convention, I think we should consider deprecating it.
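
The two behaviours contrasted in the issue above, shown as an added example that is not part of the original issue and is not controller-runtime code. `Response`, `Handler`, `combine` and `requireKey` are hypothetical, simplified stand-ins for the library's admission types, and the input object is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Response and Handler are simplified stand-ins (assumptions) for controller-runtime's admission types.
type Response struct {
	Allowed bool
	Message string
}
type Handler func(obj map[string]string) Response

// combine calls handlers in order; failFast stops at the first denial, as the issue describes.
func combine(failFast bool, handlers ...Handler) Handler {
	return func(obj map[string]string) Response {
		var denials []string
		for _, h := range handlers {
			if r := h(obj); !r.Allowed {
				denials = append(denials, r.Message)
				if failFast {
					break
				}
			}
		}
		if len(denials) > 0 {
			return Response{Message: strings.Join(denials, "; ")}
		}
		return Response{Allowed: true}
	}
}

// requireKey is a hypothetical validator that denies objects lacking key.
func requireKey(key string) Handler {
	return func(obj map[string]string) Response {
		if obj[key] == "" {
			return Response{Message: "missing " + key}
		}
		return Response{Allowed: true}
	}
}

func main() {
	obj := map[string]string{"name": "demo"} // constructed input
	hs := []Handler{requireKey("owner"), requireKey("name"), requireKey("team")}
	fmt.Println("fail-fast:", combine(true, hs...)(obj).Message)
	fmt.Println("aggregate:", combine(false, hs...)(obj).Message)
}
```

With the fail-fast combinator the user learns only about the missing `owner` and discovers the missing `team` on the next attempt; the aggregating one reports both in a single denial.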
