Open jpbetz opened 3 days ago
@liggitt Do you see any problems with supporting this? Can you think of any reasons why it might be better to (a) require an additional flag (b) use an annotation (c) do something else I haven't thought of?
/triage accepted
I think most of our components just default to strict mode when reading config files...
git grep .EnableStrict
pkg/kubeapiserver/options/authentication.go: codecs = serializer.NewCodecFactory(cfgScheme, serializer.EnableStrict)
pkg/kubelet/kubeletconfig/configfiles/configfiles.go: _, kubeletCodecs, err := kubeletscheme.NewSchemeAndCodecs(serializer.EnableStrict)
pkg/proxy/apis/config/scheme/scheme.go: Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)
pkg/scheduler/apis/config/scheme/scheme.go: Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/codec_factory.go:// EnableStrict enables configuring all serializers in strict mode
staging/src/k8s.io/apimachinery/pkg/runtime/serializer/codec_factory.go:func EnableStrict(options *CodecFactoryOptions) {
staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load.go: codecs = serializer.NewCodecFactory(scheme, serializer.EnableStrict)
staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go: strictDecoder := serializer.NewCodecFactory(audit.Scheme, serializer.EnableStrict).UniversalDecoder()
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go: codecs = serializer.NewCodecFactory(configScheme, serializer.EnableStrict)
staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go: Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)
those that don't could just start doing so with a release note
Even better. Thanks! We'll follow up.
/assign
The following component configs appear to be missing EnableStrict:
kubelet:
/pkg/kubelet/apis/config/scheme/scheme.go: codecs := serializer.NewCodecFactory(scheme, mutators...)
admission plugin - pod toleration:
./plugin/pkg/admission/podtolerationrestriction/config.go: codecs = serializer.NewCodecFactory(scheme)
admission plugin - event rate limiting:
./plugin/pkg/admission/eventratelimit/config.go: codecs = serializer.NewCodecFactory(scheme)
controller:
./pkg/controller/apis/config/scheme/scheme.go: Codecs = serializer.NewCodecFactory(Scheme)
kube-apiserver - tracing:
./staging/src/k8s.io/apiserver/pkg/server/options/tracing.go: codecs = serializer.NewCodecFactory(cfgScheme)
admission plugin - resource quota:
./staging/src/k8s.io/apiserver/pkg/admission/plugin/resourcequota/config.go: codecs = serializer.NewCodecFactory(scheme)
admission plugin - webhook (?? Should this be strict validation ??):
./staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/kubeconfig.go: codecs = serializer.NewCodecFactory(scheme)
admission:
./staging/src/k8s.io/apiserver/pkg/admission/config.go: codecs := serializer.NewCodecFactory(configScheme)
cloud-provider:
./staging/src/k8s.io/cloud-provider/config/install/install.go: Codecs = serializer.NewCodecFactory(Scheme)
controller-manager - leader migration:
./staging/src/k8s.io/controller-manager/pkg/leadermigration/config/config.go: config, gvk, err := serializer.NewCodecFactory(cfgScheme).UniversalDecoder().Decode(data, nil, nil)
Component configs that already appear to have EnableStrict set:
scheduler:
./pkg/scheduler/apis/config/scheme/scheme.go: Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)
proxy:
./pkg/proxy/apis/config/scheme/scheme.go: Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)
kube-apiserver:
./staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load.go: codecs = serializer.NewCodecFactory(scheme, serializer.EnableStrict)
kube-apiserver - authentication:
./pkg/kubeapiserver/options/authentication.go: codecs = serializer.NewCodecFactory(cfgScheme, serializer.EnableStrict)
kube-apiserver - encryption:
./staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go: codecs = serializer.NewCodecFactory(configScheme, serializer.EnableStrict)
kube-apiserver - audit policy:
./staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go: strictDecoder := serializer.NewCodecFactory(audit.Scheme, serializer.EnableStrict).UniversalDecoder()
pod-security-admission:
./staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go: Codecs = serializer.NewCodecFactory(Scheme, serializer.EnableStrict)
kubelet:
pkg/kubelet/kubeletconfig/configfiles/configfiles.go: _, kubeletCodecs, err := kubeletscheme.NewSchemeAndCodecs(serializer.EnableStrict)
Thanks @seans3! Sounds like we can just add the strict check for each, add a validation test to show it works?
The Kubernetes API supports strict validation.
kubectl ... --validate='strict' is also available. ~~But there is no way to use this feature with component config files. Should there be? How would it be enabled? Could we define an annotation to enable it?~~
EDIT: Turns out that many config files have strict validation enabled, but not all.
/sig api-machinery
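To make concrete what the thread is asking for, here is an added, self-contained Go example (not code from the Kubernetes project or from any participant in the thread) showing the difference between a lenient and a strict decoder on a component config file. It uses only the standard library's encoding/json with DisallowUnknownFields as a stand-in for apimachinery's serializer.EnableStrict; the ComponentConfigStub type, the constructed config document and the misspelled key are assumptions made for the demo, and the stand-in covers only the unknown-field case (encoding/json does not detect duplicate keys). The point it demonstrates is the one behind the list above: a lenient codec silently drops a mistyped security setting and leaves the zero value for a later defaulting pass to fill in, while a strict codec fails the config load and names the offending key.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// ComponentConfigStub is a constructed stand-in for a component config type
// such as KubeletConfiguration. Only the fields needed for the demo exist;
// it is not the real API type.
type ComponentConfigStub struct {
	Kind          string `json:"kind"`
	Authorization struct {
		Mode string `json:"mode"`
	} `json:"authorization"`
	ReadOnlyPort int `json:"readOnlyPort"`
}

// decodeConfig parses a JSON config document. With strict=true the decoder
// rejects unknown fields, which is the behaviour serializer.EnableStrict
// gives apimachinery codecs; with strict=false unknown fields are dropped
// silently, as the lenient codecs listed in the thread do.
func decodeConfig(data []byte, strict bool) (*ComponentConfigStub, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	if strict {
		dec.DisallowUnknownFields()
	}
	var cfg ComponentConfigStub
	if err := dec.Decode(&cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// misspelledConfig is a constructed input: the operator meant to set
// authorization.mode, but the key is misspelled. A lenient decoder keeps the
// zero value ("") and a later defaulting pass, not the operator, would then
// decide the effective authorization mode.
const misspelledConfig = `{
  "kind": "KubeletConfiguration",
  "authorizaton": {"mode": "Webhook"},
  "readOnlyPort": 0
}`

// isUnknownFieldError reports whether err is encoding/json's rejection of an
// unrecognised key, and returns the key it named.
func isUnknownFieldError(err error) (string, bool) {
	if err == nil {
		return "", false
	}
	const prefix = `json: unknown field "`
	msg := err.Error()
	if !strings.HasPrefix(msg, prefix) {
		return "", false
	}
	return strings.TrimSuffix(strings.TrimPrefix(msg, prefix), `"`), true
}

func main() {
	lenient, err := decodeConfig([]byte(misspelledConfig), false)
	if err != nil {
		fmt.Println("lenient decode failed unexpectedly:", err)
		return
	}
	// The typo is swallowed: no error, and the intended value is gone.
	fmt.Printf("lenient: err=<nil> authorization.mode=%q\n", lenient.Authorization.Mode)

	_, err = decodeConfig([]byte(misspelledConfig), true)
	if key, ok := isUnknownFieldError(err); ok {
		// Strict mode turns the silent misconfiguration into a load failure.
		fmt.Printf("strict: rejected unknown field %q\n", key)
	} else {
		fmt.Println("strict: unexpected result:", err)
	}
}
```

Running it prints an empty authorization.mode for the lenient path and a rejection of the key "authorizaton" for the strict path; a well-formed document passes both. This is the failure mode that switching the remaining codecs to EnableStrict closes, and it is why the change is worth a release note: configs that currently load with typos will start failing at startup.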