instrumenta / kubeval

Validate your Kubernetes configuration files, supports multiple Kubernetes versions
https://kubeval.com

kubeval gets confused between OpenShift and Kubernetes ClusterRoleBinding #77

Closed monotykamary closed 5 years ago

monotykamary commented 6 years ago

After generating schemas for OpenShift v3.9.0, validating any k8s rbac:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
[...]

results in:

The document *-rbac.yaml contains an invalid ClusterRoleBinding
---> userNames: userNames is required
---> groupNames: groupNames is required

This is because there are 2 group definitions of ClusterRoleBinding:

      "x-kubernetes-group-version-kind": [
        {
          "kind": "ClusterRoleBinding",
          "version": "v1beta1",
          "group": "rbac.authorization.k8s.io"
        }
      ],

      "x-kubernetes-group-version-kind": [
        {
          "kind": "ClusterRoleBinding",
          "version": "v1",
          "group": ""
        },
        {
          "kind": "ClusterRoleBinding",
          "version": "v1",
          "group": "authorization.openshift.io"
        }
      ],

in which the one defined by authorization.openshift.io requires properties userNames and groupNames.
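The kind collision described above, as an added example (not kubeval's code and not part of the original thread): a schema index keyed by the exact group/version/kind, so a manifest's `apiVersion` selects the definition instead of `kind` alone. The definition names, the `roleRef` requirement and the function names `BuildIndex` and `Lookup` are assumptions made for illustration; the GVK entries and `userNames`/`groupNames` are taken from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type GVK struct{ Group, Version, Kind string } // one x-kubernetes-group-version-kind entry

// Constructed sample: definition names and "roleRef" are placeholders; the rest is from the issue.
const sampleSwagger = `{"definitions": {
 "example.rbac.ClusterRoleBinding": {"required": ["roleRef"], "x-kubernetes-group-version-kind": [
  {"kind": "ClusterRoleBinding", "version": "v1beta1", "group": "rbac.authorization.k8s.io"}]},
 "example.openshift.ClusterRoleBinding": {"required": ["userNames", "groupNames"], "x-kubernetes-group-version-kind": [
  {"kind": "ClusterRoleBinding", "version": "v1", "group": ""},
  {"kind": "ClusterRoleBinding", "version": "v1", "group": "authorization.openshift.io"}]}}}`

// BuildIndex maps each exact GVK to its required fields, and each bare kind to every GVK claiming it.
func BuildIndex(swagger string) (map[GVK][]string, map[string][]GVK, error) {
	var doc struct {
		Definitions map[string]struct {
			Required []string `json:"required"`
			GVKs     []GVK    `json:"x-kubernetes-group-version-kind"`
		} `json:"definitions"`
	}
	if err := json.Unmarshal([]byte(swagger), &doc); err != nil {
		return nil, nil, err
	}
	byGVK, byKind := map[GVK][]string{}, map[string][]GVK{}
	for _, def := range doc.Definitions {
		for _, g := range def.GVKs {
			byGVK[g] = def.Required
			byKind[g.Kind] = append(byKind[g.Kind], g)
		}
	}
	return byGVK, byKind, nil
}

// Lookup resolves apiVersion ("group/version", or just "version" for the core group) plus kind.
func Lookup(byGVK map[GVK][]string, apiVersion, kind string) ([]string, bool) {
	i := strings.LastIndex(apiVersion, "/") + 1 // 0 when apiVersion carries no group, e.g. "v1"
	req, ok := byGVK[GVK{strings.TrimSuffix(apiVersion[:i], "/"), apiVersion[i:], kind}]
	return req, ok
}

func main() {
	byGVK, byKind, _ := BuildIndex(sampleSwagger)
	fmt.Println(len(byKind["ClusterRoleBinding"]), fmt.Sprint(Lookup(byGVK, "rbac.authorization.k8s.io/v1beta1", "ClusterRoleBinding")))
}
```

A kind-only lookup has three candidate entries for `ClusterRoleBinding` here, while the exact lookup for `rbac.authorization.k8s.io/v1beta1` never sees the OpenShift `userNames`/`groupNames` requirement.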

garethr commented 6 years ago

kubeval currently does a bad job of dealing with API versions of resources; there are some details in #57 and a potential fix in #63. I've unfortunately not had the time to address this yet.

garethr commented 5 years ago

I think this may now be resolved. The latest version 0.8.0 has new support for individual object versions. Let me know if that doesn't work and I'll try and take a closer look.