Closed rothgar closed 7 years ago
Thanks for reporting.
I think the answer here is additionalProperties
, which should throw an error whenever a key not in the schema is used. This isn't in the upstream schema, but that might be an openapi vs json schema difference. I'll check and hopefully add that to everything.
So, according to the spec https://github.com/garethr/kubernetes-json-schema/blob/master/master-standalone/daemonset.json this should be valid.
Hopefully this is a generic behaviour of the API and I can patch kubeval accordingly. When I get a moment I'll ask on SIG API Machinery and open an upstream bug.
Posted to API SIG Machinery to sanity check https://groups.google.com/forum/#!topic/kubernetes-sig-api-machinery/sz948IbCH2A
So, looking into this further this behaviour is from kubectl
not the Kubernetes API: https://github.com/kubernetes/kubernetes/blob/225b9119d6a8f03fcbe3cc3d590c261965d928d0/pkg/kubectl/validation/schema.go#L312
The deal appears to be:
kubectl
(since https://github.com/kubernetes/kubernetes/pull/11914) will try and steer you towards avoiding additional properties, although you can ignore than with --validate=false
So kubeval
is right, in the sense that the document is valid for the API. But it's probably more useful at least to allow this to do the same checks as kubectl. My plan at the moment is:
"additionalProperties": false
on everything that doesn't already have itkubeval
to switch to using these schemasI have a PR up with a fix for this in #32, I need a bit of time to add a few tests and some documentation but if you want to build from source you could check it out.
On the sample manifest with additional properties this now correctly flags the replica
key.
kubeval --strict .\fixtures\extra_property.yaml
The document .\fixtures\extra_property.yaml contains an invalid DaemonSet
---> replicas: Additional property replicas is not allowed
Example
kubeval verifies the yaml
replicas is invalid for a DaemonSet
I didn't look at the code (I'm assuming it a straight forward fix) but wanted to report it in case I don't get to it.