kptdev / kpt

Automate Kubernetes Configuration Editing
https://kpt.dev
Apache License 2.0

Go function SDK ResourceList.results does not match TypeScript SDK #1048

Open fsommar opened 4 years ago

fsommar commented 4 years ago

Hi 👋

The Go function SDK, i.e. kyaml framework, is outputting function errors and warnings in a different format from the TypeScript SDK, which in turn is also different from the Kpt function documentation.

Actual

Here's an example output from the Go function SDK (sigs.k8s.io/kustomize/kyaml@v0.8.0):

apiVersion: v1
kind: ResourceList
items:
- apiVersion: bigtable.cnrm.cloud.google.com/v1beta1
  kind: BigtableInstance
  metadata:
    name: bigtableinstance-sample
    annotations:
      config.kubernetes.io/index: '1'
      config.kubernetes.io/path: k8s.yaml
  spec:
    displayName: BigtableSample
    instanceType: PRODUCTION
    cluster:
    - clusterId: bigtableinstance-dep1
      zone: us-central1-a
      numNodes: '1'
    - clusterId: bigtableinstance-dep2
      zone: eu-west1-a
      numNodes: true
results:
  items:
  - message: 'Invalid type. Expected: integer, given: string'
    severity: error
    resourceRef:
      apiVersion: bigtable.cnrm.cloud.google.com/v1beta1
      kind: BigtableInstance
      metadata:
        name: bigtableinstance-sample
    field:
      path: spec.cluster.0.numNodes
    file:
      path: k8s.yaml
      index: 1
  - message: 'Invalid type. Expected: integer, given: boolean'
    severity: error
    resourceRef:
      apiVersion: bigtable.cnrm.cloud.google.com/v1beta1
      kind: BigtableInstance
      metadata:
        name: bigtableinstance-sample
    field:
      path: spec.cluster.1.numNodes
    file:
      path: k8s.yaml
      index: 1

Here's an example output from the TypeScript SDK (gcr.io/kpt-functions/suggest-psp@sha256:e7b66ce31f6386811c7f874384886b4cffde75501f09dfa864d9de0a1b752dfd):

apiVersion: v1
kind: ResourceList
metadata:
  name: output
items:
- apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
    name: psp
    annotations:
      config.kubernetes.io/index: '0'
      config.kubernetes.io/path: psp.yaml
  spec:
    volumes:
    - '*'
    fsGroup:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
results:
- message: Suggest explicitly disabling privilege escalation
  severity: warn
  tags:
    category: security
  resourceRef:
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    namespace: ''
    name: psp
  file:
    path: psp.yaml
    index: 0
  field:
    path: spec.allowPrivilegeEscalation
    suggestedValue: false

These were generated by running kpt fn source kubernetes/ | docker run -i image-name. I was unable to find a CRD/spec for ResourceList other than what's mentioned in the kustomize repo.

There is a third type of results object in the documentation:

kind: ResourceList
functionConfig:
  apiVersion: example.com/v1alpha1
  kind: Foo
  spec:
    foo: bar
    ...
results:
- name: "kubeval"
  items:
  - severity: error # one of ["error", "warn", "info"] -- error code should be non-0 if there are 1 or more errors
    tags: # arbitrary metadata about the result
      error-type: "field"
    message: "Value exceeds the namespace quota, reduce the value to make the pod schedulable"
    resourceRef: # key to lookup the resource
      apiVersion: apps/v1
      kind: Deployment
      name: foo
      namespace: bar
    file:
      # optional if present as annotation
      path: deploy.yaml # read from annotation if present
      # optional if present as annotation
      index: 0 # read from annotation if present
    field:
      path: "spec.template.spec.containers[3].resources.limits.cpu"
      currentValue: "200" # number | string | boolean
      suggestedValue: "2" # number | string | boolean
  - severity: warn
    ...
- name: "something else"
  items:
  - severity: info
     ...

Expected

I expected the results output to be aligned between the documentation and the Go and Typescript SDKs, and possibly for the function spec to include a section on the results object.

For now, we'll cover this scenario by trying to parse both result formats before calling it a fail.

fsommar commented 3 years ago

Another difference I noticed just now is that the TypeScript SDK result flattens the resource reference, putting name and namespace on the same level as kind and apiVersion. The Go SDK result, OTOH, follows the same syntax as declaring a resource, nesting name and namespace underneath metadata.

fsommar commented 3 years ago

The severities in kyaml are error, info, warning as opposed to the other two alternatives' error, info, warn.
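
The workaround mentioned in the thread (accept every results layout before treating the output as a failure), as an added example that is not part of the original issue or of either SDK. It folds the three layouts shown above into one record shape, handling the nested versus flattened resourceRef and the warning/warn spelling; `Result`, `normalizeItem` and `normalizeResults` are hypothetical names, and the input is assumed to be the already-parsed value of the `results` key.

```typescript
// Added example; Result and normalizeResults are hypothetical names, not SDK APIs.
type Severity = "error" | "warn" | "info";
interface Result {
  severity: Severity; message: string;
  apiVersion: string; kind: string; name: string; namespace: string;
  fieldPath: string; source: string; // source: group name in the documented layout
}

function normalizeSeverity(s: unknown): Severity {
  switch (String(s)) {
    case "error": return "error";
    case "warn": case "warning": return "warn"; // kyaml emits "warning"
    case "info": return "info";
    default: throw new Error(`unknown severity: ${String(s)}`);
  }
}

function normalizeItem(item: any, source: string = ""): Result {
  if (typeof item !== "object" || item === null) throw new Error("result entry is not a mapping");
  const ref: any = item.resourceRef ?? {};
  const meta: any = ref.metadata ?? ref; // Go SDK nests name/namespace under metadata
  return {
    severity: normalizeSeverity(item.severity),
    message: String(item.message ?? ""),
    apiVersion: String(ref.apiVersion ?? ""),
    kind: String(ref.kind ?? ""),
    name: String(meta.name ?? ""),
    namespace: String(meta.namespace ?? ""),
    fieldPath: String(item.field?.path ?? ""),
    source,
  };
}

// `results` is the already-parsed value of the ResourceList `results` key.
function normalizeResults(results: any): Result[] {
  if (results == null) return [];
  // Go SDK (kyaml): a mapping holding an `items` list; the other two layouts are lists.
  const entries: any[] = Array.isArray(results) ? results : results.items;
  if (!Array.isArray(entries)) throw new Error("unrecognised results layout");
  const out: Result[] = [];
  for (const e of entries) {
    // Documented layout: { name, items: [...] } groups; TypeScript SDK: flat entries.
    if (e && Array.isArray(e.items)) for (const i of e.items) out.push(normalizeItem(i, String(e.name ?? "")));
    else out.push(normalizeItem(e));
  }
  return out;
}
// Constructed sample in the TypeScript SDK layout (flat list, flattened resourceRef).
console.log(normalizeResults([{ message: "m", severity: "warn", resourceRef: { kind: "PodSecurityPolicy", name: "psp" } }]));
```

Unknown severities and unrecognised layouts throw rather than being dropped, so a validator finding in an unexpected shape cannot be silently ignored.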