kubernetes / kubectl

Issue tracker and mirror of kubectl code
Apache License 2.0

Support validate=strict for all component configs #1663

Open jpbetz opened 3 days ago

jpbetz commented 3 days ago

The Kubernetes API supports strict validation. kubectl ... --validate='strict' is also available.

~~But there is no way to use this feature with component config files. Should there be? How would it be enabled? Could we define an annotation to enable it?~~

EDIT: Turns out that many config files have strict validation enabled, but not all.

/sig api-machinery

jpbetz commented 3 days ago

@liggitt Do you see any problems with supporting this? Can you think of any reasons why it might be better to (a) require an additional flag (b) use an annotation (c) do something else I haven't thought of?

jpbetz commented 3 days ago

/triage accepted

liggitt commented 3 days ago

I think most of our components just default to strict mode when reading config files...

git grep .EnableStrict
pkg/kubeapiserver/options/authentication.go:    codecs    = serializer.NewCodecFactory(cfgScheme, serializer.EnableStrict)
pkg/kubelet/kubeletconfig/configfiles/configfiles.go:   _, kubeletCodecs, err := kubeletscheme.NewSchemeAndCodecs(serializer.EnableStrict)
pkg/proxy/apis/config/scheme/scheme.go: Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)
pkg/scheduler/apis/config/scheme/scheme.go:     Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/codec_factory.go:// EnableStrict enables configuring all serializers in strict mode
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/codec_factory.go:func EnableStrict(options *CodecFactoryOptions) {
staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load.go:   codecs = serializer.NewCodecFactory(scheme, serializer.EnableStrict)
staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go:        strictDecoder := serializer.NewCodecFactory(audit.Scheme, serializer.EnableStrict).UniversalDecoder()
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go:     codecs = serializer.NewCodecFactory(configScheme, serializer.EnableStrict)
staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go:       Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)

those that don't could just start doing so with a release note
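What the strict codec option buys a component, as an added illustration that is not code from the Kubernetes repository: a lenient decoder silently drops a misspelled hardening key and leaves the default in place, while a strict decoder (here stdlib `encoding/json` with `DisallowUnknownFields`, standing in for the apimachinery `EnableStrict` behaviour) fails loudly. The `KubeletLikeConfig` type, its default, and the sample file are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Constructed stand-in for a component config type (not the real KubeletConfiguration).
type KubeletLikeConfig struct {
	Kind         string `json:"kind"`
	APIVersion   string `json:"apiVersion"`
	ReadOnlyPort int    `json:"readOnlyPort"`
}

// Constructed defaults, as a component would apply them before reading the file.
func defaultConfig() KubeletLikeConfig {
	return KubeletLikeConfig{ReadOnlyPort: 10255}
}

// decodeConfig applies defaults, then decodes the file. With strict=true the
// decoder rejects fields the schema does not know, which is what the
// apimachinery EnableStrict codec option gives component configs; with
// strict=false such fields are silently dropped and the default stays in place.
func decodeConfig(data []byte, strict bool) (KubeletLikeConfig, error) {
	cfg := defaultConfig()
	dec := json.NewDecoder(bytes.NewReader(data))
	if strict {
		dec.DisallowUnknownFields()
	}
	if err := dec.Decode(&cfg); err != nil {
		return cfg, err
	}
	return cfg, nil
}

// Constructed sample: the operator meant to disable the read-only port but
// misspelled the key ("readOnlyPrt" instead of "readOnlyPort").
var sampleConfig = []byte(`{"kind":"KubeletConfiguration",` +
	`"apiVersion":"kubelet.config.k8s.io/v1beta1","readOnlyPrt":0}`)

func main() {
	cfg, err := decodeConfig(sampleConfig, false)
	fmt.Printf("lenient: readOnlyPort=%d err=%v\n", cfg.ReadOnlyPort, err)
	cfg, err = decodeConfig(sampleConfig, true)
	fmt.Printf("strict:  readOnlyPort=%d err=%v\n", cfg.ReadOnlyPort, err)
}
```

The lenient run reports the default 10255 with no error; the strict run returns an unknown-field error, which is the failure an operator wants to see at startup rather than in an audit later.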

jpbetz commented 3 days ago

> those that don't could just start doing so with a release note

Even better. Thanks! We'll follow up.

seans3 commented 2 days ago

/assign

seans3 commented 2 days ago

The following component configs appear to be missing EnableStrict:

kubelet:
/pkg/kubelet/apis/config/scheme/scheme.go:     codecs := serializer.NewCodecFactory(scheme, mutators...)

admission plugin - pod toleration:
./plugin/pkg/admission/podtolerationrestriction/config.go:      codecs = serializer.NewCodecFactory(scheme)

admission plugin - event rate limiting:
./plugin/pkg/admission/eventratelimit/config.go:        codecs = serializer.NewCodecFactory(scheme)

controller:
./pkg/controller/apis/config/scheme/scheme.go:  Codecs = serializer.NewCodecFactory(Scheme)

kube-apiserver - tracing:
./staging/src/k8s.io/apiserver/pkg/server/options/tracing.go:   codecs    = serializer.NewCodecFactory(cfgScheme)

admission plugin - resource quota:
./staging/src/k8s.io/apiserver/pkg/admission/plugin/resourcequota/config.go:    codecs = serializer.NewCodecFactory(scheme)

admission plugin - webhook (?? Should this be strict validation ??):
./staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/kubeconfig.go:       codecs = serializer.NewCodecFactory(scheme)

admission:
./staging/src/k8s.io/apiserver/pkg/admission/config.go: codecs := serializer.NewCodecFactory(configScheme)

cloud-provider:
./staging/src/k8s.io/cloud-provider/config/install/install.go:  Codecs = serializer.NewCodecFactory(Scheme)

controller-manager - leader migration:
./staging/src/k8s.io/controller-manager/pkg/leadermigration/config/config.go:   config, gvk, err := serializer.NewCodecFactory(cfgScheme).UniversalDecoder().Decode(data, nil, nil)

Component configs that already appear to have EnableStrict set:

scheduler:
./pkg/scheduler/apis/config/scheme/scheme.go:   Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)

proxy:
./pkg/proxy/apis/config/scheme/scheme.go:       Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)

kube-apiserver:
./staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load.go: codecs = serializer.NewCodecFactory(scheme, serializer.EnableStrict)

kube-apiserver - authentication:
./pkg/kubeapiserver/options/authentication.go:  codecs    = serializer.NewCodecFactory(cfgScheme, serializer.EnableStrict)

kube-apiserver - encryption:
./staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go:   codecs = serializer.NewCodecFactory(configScheme, serializer.EnableStrict)

kube-apiserver - audit policy:
./staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go:      strictDecoder := serializer.NewCodecFactory(audit.Scheme, serializer.EnableStrict).UniversalDecoder()

pod-security-admission:
./staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go:     Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)

kubelet:
pkg/kubelet/kubeletconfig/configfiles/configfiles.go:   _, kubeletCodecs, err := kubeletscheme.NewSchemeAndCodecs(serializer.EnableStrict)

jpbetz commented 2 days ago

Thanks @seans3! Sounds like we can just add the strict check for each, add a validation test to show it works?