search

instrumenta / kubeval

Validate your Kubernetes configuration files, supports multiple Kubernetes versions
https://kubeval.com
Other
3.16k stars 229 forks source link

Namespace name isn't validated #85

Open davidxia opened 6 years ago

davidxia commented 6 years ago

Thanks for this useful tool.

I noticed Namespace names aren't validated. Here's my Namespace manifest.

apiVersion: v1
kind: Namespace
metadata:
  name: example.com/dxia-test
kubectl apply -f namespace.yaml

error: error when retrieving current configuration of:
&{0xc4204e1140 0xc4203be0e0 namespace.yaml 0xc420d52458  false}
from server for: "namespace.yaml": invalid resource name "example.com/dxia-test": [may not contain '/']

Expected behavior

The validator gives me the same error as kubectl

Actual behavior

But when I run the validator on that file I get an OK.

docker run -t --rm \
  -v parent-dir-of-namespace-yaml:ro \
  garethr/kubeval \
  --kubernetes-version=1.10.4

The document namespace.yaml contains a valid Namespace

More info

I think these are the k8s validation rules. So I think it's lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc', regex used for validation is [a-z0-9]([-a-z0-9]*[a-z0-9])?).

kubectl version

Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.7", GitCommit:"dd5e1a2978fd0b97d9b78e1564398aeea7e7fe92", GitTreeState:"clean", BuildDate:"2018-04-19T00:05:56Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.5-gke.3", GitCommit:"6265b9797fc8680c8395abeab12c1e3bad14069a", GitTreeState:"clean", BuildDate:"2018-07-19T23:02:51Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}
garethr commented 6 years ago

This is a bug in the Kubernetes OpenAPI schemas on which kubeval relies unfortunately. It's likely worth filing upstream too.

davidxia commented 6 years ago

@garethr, thanks for responding. I guess the validation should've been generated here? Do you mind creating an issue upstream? I'm afraid I'm not familiar enough with how things should be setup in a way that'll work.

nlamirault commented 5 years ago

@garethr Any idea how to fix that ? Create an issue on the main kubernetes repository ?

scovl commented 1 year ago

The error is saying that the namespace name "example.com/dxia-test" is invalid because it contains the slash '/' which is not allowed. The namespace name must follow the DNS naming rules, this means that it can only contain lowercase letters, numbers and hyphens and cannot begin or end with hyphens.

The solution would be to change the namespace name to something like "example-com-dxia-test". In fact, this needs to be added to kubeval for better code checking.