instrumenta / kubeval

Validate your Kubernetes configuration files, supports multiple Kubernetes versions
https://kubeval.com

kubeval doesn't reject invalid deployment when kubectl does #93

Closed nicksnyder closed 5 years ago

nicksnyder commented 6 years ago

Consider this (invalid) deployment.

# my.Deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sourcegraph-frontend
spec:
  template:
    spec:

kubectl complains

$ kubectl apply --dry-run --validate -f my.Deployment.yaml
error validating "my.Deployment.yaml": error validating data: ValidationError(Deployment.spec): missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors, turn validation off with --validate=false

kubeval doesn't

$ kubeval my.Deployment.yaml
The document my.Deployment.yaml contains a valid Deployment

I expect kubeval to complain.

More meta question, does kubeval validate things that kubectl --validate doesn't?

liaden commented 5 years ago

An additional case that I ran into was kubeval being ok with a deployment yaml, but kubectl gave me this complaint:

env[3].valueFrom.secretKeyRef.name: Invalid value: "aws_sdk": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

The yml fragment:

            - name: aws_sdk_secret_access_key
              valueFrom:
                secretKeyRef:
                  name: aws_sdk
                  key: secret_access_key

I used underscores in a lot of other places that I should not have, so possibly worthwhile.
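
The name rule quoted in the kubectl error above can be checked offline, before a manifest reaches the API server. The following is an added example, not part of the thread and not kubeval code: it walks an already-parsed manifest and reports `secretKeyRef` / `configMapKeyRef` names that fail the DNS-1123 subdomain regex from that error message. The function names and the sample manifest are constructed for illustration.

```python
import re

# Regex copied from the kubectl error message quoted above (DNS-1123 subdomain).
DNS1123_SUBDOMAIN = re.compile(
    r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*"
)
MAX_LEN = 253  # Kubernetes limits DNS-1123 subdomains to 253 characters

# Reference fields whose "name" points at a Secret or ConfigMap object.
REF_KEYS = ("secretKeyRef", "configMapKeyRef")


def is_dns1123_subdomain(value):
    """True if value is a non-empty string that fully matches the rule."""
    return (
        isinstance(value, str)
        and 0 < len(value) <= MAX_LEN
        and DNS1123_SUBDOMAIN.fullmatch(value) is not None
    )


def find_bad_ref_names(node, path=""):
    """Walk parsed YAML (dicts/lists); return (path, name) for failing refs."""
    bad = []
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}" if path else key
            if key in REF_KEYS and isinstance(child, dict):
                name = child.get("name")  # a missing name is reported too
                if not is_dns1123_subdomain(name):
                    bad.append((f"{child_path}.name", name))
            bad.extend(find_bad_ref_names(child, child_path))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            bad.extend(find_bad_ref_names(child, f"{path}[{i}]"))
    return bad


# Constructed sample: the env fragment from the comment above, placed in a
# minimal Deployment next to one valid reference.
SAMPLE = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "app", "env": [
        {"name": "db_password", "valueFrom": {
            "secretKeyRef": {"name": "db-credentials", "key": "password"}}},
        {"name": "aws_sdk_secret_access_key", "valueFrom": {
            "secretKeyRef": {"name": "aws_sdk", "key": "secret_access_key"}}},
    ]}]}}}}

if __name__ == "__main__":
    for ref_path, ref_name in find_bad_ref_names(SAMPLE):
        print(f"{ref_path}: invalid DNS-1123 subdomain {ref_name!r}")
```

Environment variable names such as `aws_sdk_secret_access_key` are not object names and are not subject to this rule, which is why only the reference's `name` is checked.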

garethr commented 5 years ago

Trying this out with the latest version of Kubeval this fails with the following:

The document bob.yaml contains an invalid Deployment
---> spec.template.spec: Invalid type. Expected: object, given: null

I'll close this issue now but feel free to reopen if you still have an issue and can provide more details.