yannh / kubeconform

A FAST Kubernetes manifests validator, with support for Custom Resources!
Apache License 2.0

fail to detect invalid annotations #275

Open fredleger opened 3 months ago

fredleger commented 3 months ago

kubeconform fails to detect invalid annotations:

ex:

# mying.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  annotations:
   # NOTE THE EXTRA " AFTER ISSUER
    cert-manager.io/cluster-issuer": letsencrypt
spec:
  tls:
    - hosts:
        - app.example.com
      secretName: aicms-fastapi-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp
                port:
                  number: 8000

kubeconform --summary ./mying.yaml
Summary: 1 resource found in 1 file - Valid: 1, Invalid: 0, Errors: 0, Skipped: 0

But good to notice kubectl is also not validating correctly:

k apply -f mying.yaml --dry-run=client --validate
ingress.networking.k8s.io/myapp created (dry run)

But the admission controller does not let it pass

k apply -f mying.yaml --dry-run=server --validate
The Ingress "myapp" is invalid: metadata.annotations: Invalid value: "cert-manager.io/cluster-issuer\"": name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')

fredleger commented 3 months ago

Since the regex validation is given by the server, maybe it could be used to validate annotations?
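
An added example, not kubeconform's code and not part of the issue: a Go check that applies the name-part regex from the server error above to annotation keys before a manifest reaches the cluster. `checkAnnotationKey` is a hypothetical helper; the DNS-subdomain prefix rule and the 63/253-character limits are assumptions taken from Kubernetes' documented key syntax, not from this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Name-part pattern copied from the API server error quoted in the issue, anchored at both ends.
var namePart = regexp.MustCompile(`^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$`)

// Assumption (not on the page): an optional prefix must be a lowercase DNS subdomain.
var dnsSubdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// checkAnnotationKey returns the reasons a key would be rejected; nil means valid.
func checkAnnotationKey(key string) []string {
	var errs []string
	parts := strings.Split(key, "/")
	name := parts[len(parts)-1]
	switch {
	case len(parts) > 2:
		return []string{"key must be [prefix/]name with at most one '/'"}
	case len(parts) == 2:
		// The prefix is lowercased before matching (assumed server behaviour).
		prefix := strings.ToLower(parts[0])
		if len(prefix) == 0 || len(prefix) > 253 || !dnsSubdomain.MatchString(prefix) {
			errs = append(errs, "prefix part must be a DNS subdomain of 1-253 characters")
		}
	}
	if len(name) == 0 || len(name) > 63 || !namePart.MatchString(name) {
		errs = append(errs, "name part must be 1-63 alphanumerics, '-', '_' or '.', starting and ending with an alphanumeric")
	}
	return errs
}

func main() {
	// Constructed input: the key from the Ingress in the issue, next to its corrected form.
	keys := []string{`cert-manager.io/cluster-issuer"`, "cert-manager.io/cluster-issuer"}
	for _, k := range keys {
		if errs := checkAnnotationKey(k); len(errs) > 0 {
			fmt.Printf("metadata.annotations: invalid key %q: %s\n", k, strings.Join(errs, "; "))
		} else {
			fmt.Printf("metadata.annotations: key %q ok\n", k)
		}
	}
}
```

Run over every key of `metadata.annotations` in a parsed manifest, this flags the stray quote client-side, matching what `--dry-run=server` reported.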