search

yannh / kubeconform

A FAST Kubernetes manifests validator, with support for Custom Resources!
Apache License 2.0
2.25k stars 123 forks source link

Error in Job schema in version >= 1.25 #218

Open hadar-co opened 1 year ago

hadar-co commented 1 year ago

Hi! When running kubeconform against a Job:

apiVersion: batch/v1
kind: Job
metadata:
  name: name
spec:
  ttlSecondsAfterFinished: 3
  template:
    spec:
      containers:
      - name: name2
        image: nginx:latest
        imagePullPolicy: Always
        env:
        - name: blah
          value: blah
      restartPolicy: Never
  backoffLimit: 1
  podFailurePolicy:
    rules:
      - action: FailJob
        onExitCodes:
          containerName: name2
          operator: In
          values: [1]
      - action: Ignore
        onPodConditions:
        - type: DisruptionTarget

I get the following errors:

However, when applying the resource into the cluster no error is given and the k8s server accepts it. Perhaps there is an error in the schema, and these fields should not be required?

Constantin07 commented 1 year ago

Getting similar error for SecurityContext used in Job:

helmfile template | kubeconform -strict -summary -cache /tmp/kubeconform -ignore-missing-schemas -kubernetes-version 1.27.3
Adding repo ingress-nginx https://kubernetes.github.io/ingress-nginx
"ingress-nginx" has been added to your repositories

Templating release=nginx-ingress, chart=ingress-nginx/ingress-nginx
stdin - Job nginx-ingress-ingress-nginx-admission-patch is invalid: problem validating schema. Check JSON formatting: jsonschema: '/spec/template/spec/securityContext' does not validate with https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.27.3-standalone-strict/job-batch-v1.json#/properties/spec/properties/template/properties/spec/properties/securityContext/additionalProperties: additionalProperties 'capabilities', 'privileged', 'allowPrivilegeEscalation' not allowed
stdin - Job nginx-ingress-ingress-nginx-admission-create is invalid: problem validating schema. Check JSON formatting: jsonschema: '/spec/template/spec/securityContext' does not validate with https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.27.3-standalone-strict/job-batch-v1.json#/properties/spec/properties/template/properties/spec/properties/securityContext/additionalProperties: additionalProperties 'privileged', 'allowPrivilegeEscalation', 'capabilities' not allowed
Summary: 19 resources found parsing stdin - Valid: 17, Invalid: 2, Errors: 0, Skipped: 0
eyarz commented 1 year ago

@Constantin07 this is not the same issue. the error that you're getting is correct. try to apply your file to your cluster and you will see it's getting rejected.

Constantin07 commented 1 year ago

@eyarz should I raise a separate issue ? I did try to apply and it works just fine - no rejection.

eyarz commented 1 year ago 
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
    spec:
      containers:
        - name: patch
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities: privileged

this is a simple Job manifest that I used to reproduce your error and when I try to apply it to the cluster it's getting rejected (and also failing validation by kubeconform):

➜  kubectl apply -f k8s-demo.yaml --dry-run=server
Error from server (BadRequest): error when creating "k8s-demo.yaml": Job in version "v1" cannot be handled as a Job: strict decoding error: unknown field "spec.template.spec.securityContext.allowPrivilegeEscalation", unknown field "spec.template.spec.securityContext.capabilities"