search

instrumenta / kubeval

Validate your Kubernetes configuration files, supports multiple Kubernetes versions
https://kubeval.com
Other
3.16k stars 229 forks source link

CronJob validation False positive #103

Closed Hiruma31 closed 5 years ago

Hiruma31 commented 5 years ago

With for example a CronJob definition like

# kubetpl:syntax:go-template
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: test-cronjob
  namespace: {{ .namespace }}
spec:
  concurrencyPolicy: Allow
  failedJobsHistoryLimit: 1
  schedule: 0 4 * * *
  successfulJobsHistoryLimit: 3
  suspend: false
  jobTemplate:
    spec:
      template:
        annotations:
          version: 1.0.0
        spec:
          containers:
          - command:

kubeval -v 1.8.2 passes.

The document stdin contains a valid CronJob

However, the spec.jobTemplate.spec.annotations is missing metadata so when applying, kubectl throw an error pointing out to the right syntax which would be spec.jobTemplate.spec.metadata.annotations

r0fls commented 5 years ago

The cronjob validation also passes when using the wrong apiVersion

garethr commented 5 years ago

Could you try with --strict as well and let me know what you get?

The Kubernetes API is fine with unknown fields, but the strict flag will check for anything not described in the schema.

garethr commented 5 years ago

I'm going to close this issue as this should fail with the strict flag, which is also now documented. Kubeval 8.0+ also correctly handles the apiVersion issue.