Kubectl validate should validate non-schema assumptions about resources

kubernetes / kubectl

Issue tracker and mirror of kubectl code

Apache License 2.0

2.75k stars 894 forks source link

Kubectl validate should validate non-schema assumptions about resources #1305

Open Blackclaws opened 1 year ago

Blackclaws commented 1 year ago

What would you like to be added:

There are certain resource types such as deployment that make assumptions about how their fields interact with each other. For example deployment expects that matchLabels matches the labels in the pod template.

Why is this needed:

Currently the only way to validate even inbuilt kubernetes resources is to dry-run them against a server. It would be nice to be able to validate such invalid manifests before having to run them against an actual kubernetes server.

eddiezane commented 1 year ago

This is a valid ask but we've been working to make the clients as dumb as possible and offload as much as possible to the server.

I would hope one of the existing linters out there could catch something like this.

/assign @seans3

To take a look at what open API can do.

Blackclaws commented 1 year ago

@eddiezane I get the idea behind that. And its also kind of valid to say you want to keep the client dumb. The question is whether at least adding validation for this type of builtin stable resources would be advantageous. I've not found a linter so far that doesn't accept it even if it will be rejected by the server. I get that admission hooks and custom resources are totally out of scope here as well.

From my knowledge of open api and json schemas in general there isn't an easy way to validate these sort of constraints, if any at all. That's why all validators accept it as well, the schema is correct even if the constraints don't work.

eddiezane commented 1 year ago

/triage accepted /priority backlog

eddiezane commented 1 year ago

We may not end up doing anything here but it's where we're trying to head with OpenAPI.

Blackclaws commented 1 year ago

I just thought of a case where it wouldn't even be possible to validate this client side. If you have mutating admission hooks those could actually bring the object into a valid state if I understand correctly how they work.

There could only be a client side: "validate for default kubernetes" which isn't saying much...

k8s-triage-robot commented 4 months ago

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

Confirm that this issue is still relevant with /triage accepted (org members only)
Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 3 weeks ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle rotten
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten