yannh / kubeconform

A FAST Kubernetes manifests validator, with support for Custom Resources!
Apache License 2.0

Kubeconform does not detect invalid CronJobs #277

Closed mavendonovanhubbard closed 2 months ago

mavendonovanhubbard commented 3 months ago

Kubeconform does not detect invalid CronJobs when the restart policy is at the wrong indentation level. Here is an example invalid manifest.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: foo
  namespace: default
spec:
  schedule: "* * * * *"
  jobTemplate:
    metadata:
      name: foo
    spec:
      template:
        spec:
          containers:
          - image: hello-world:latest
            name: hello-world
            restartPolicy: OnFailure
```
```console
$ cat manifest.yaml | kubeconform -summary -verbose
stdin - CronJob foo is valid
Summary: 1 resource found parsing stdin - Valid: 1, Invalid: 0, Errors: 0, Skipped: 0
```

```console
$ kubectl apply -f manifest.yaml
The CronJob "foo" is invalid:
* spec.jobTemplate.spec.template.spec.containers[0].restartPolicy: Forbidden: may not be set for non-init containers
* spec.jobTemplate.spec.template.spec.restartPolicy: Required value: valid values: "OnFailure", "Never"
```

I'm using the 0.6.6 brew version of kubeconform

mavendonovanhubbard commented 2 months ago

After looking at this further I've found that the schema used by kubeconform is generated by the kubernetes project itself from the source code. https://github.com/kubernetes/kubernetes/blob/master/api/openapi-spec/swagger.json

Unfortunately, the above yaml file does pass the schema provided by the kubernetes project. To quote the README of this project:

> The Kubernetes controllers still perform additional server-side validations that are not part of the OpenAPI specifications.

I'm closing this issue.
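The gap described in this thread is that `restartPolicy` placement is enforced by the API server, not by the OpenAPI schema kubeconform checks against. As an added example (not kubeconform's code and not the poster's), the following Python lint encodes the two server-side rules that `kubectl` reported, and generalizes them to plain `Job` templates as well as `CronJob`; the issue's manifest is reproduced as a constructed dict so the check runs without a YAML parser (with PyYAML you would feed it `yaml.safe_load(...)` output instead).

```python
from typing import Any

JOB_RESTART_POLICIES = {"OnFailure", "Never"}  # values the API server accepts on a Job pod template
# Key path to the pod template spec for each supported kind (assumes a well-formed document).
POD_SPEC_PATH = {
    "Job": ["spec", "template", "spec"],
    "CronJob": ["spec", "jobTemplate", "spec", "template", "spec"],
}

def _dig(doc: dict, path: list[str]) -> Any:
    # Follow a key path through nested dicts; None if any step is missing.
    cur: Any = doc
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def lint_restart_policy(doc: dict) -> list[str]:
    """Return error strings mirroring the server-side checks kubectl reported, [] if clean."""
    kind = doc.get("kind")
    if kind not in POD_SPEC_PATH:
        return []  # not a kind this lint knows; schema validation alone has to cover it
    prefix = ".".join(POD_SPEC_PATH[kind])
    pod_spec = _dig(doc, POD_SPEC_PATH[kind])
    if not isinstance(pod_spec, dict):
        return [f"{prefix}: Required value"]
    errors = []
    # restartPolicy is a pod-level field; on a regular (non-init) container it is forbidden.
    for i, c in enumerate(pod_spec.get("containers") or []):
        if isinstance(c, dict) and "restartPolicy" in c:
            errors.append(f"{prefix}.containers[{i}].restartPolicy: Forbidden: "
                          "may not be set for non-init containers")
    # A Job/CronJob pod template must itself set restartPolicy to OnFailure or Never.
    if pod_spec.get("restartPolicy") not in JOB_RESTART_POLICIES:
        errors.append(f'{prefix}.restartPolicy: Required value: valid values: "OnFailure", "Never"')
    return errors

# Constructed sample: the issue's manifest, with restartPolicy indented under the container.
INVALID_CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "foo", "namespace": "default"},
    "spec": {"schedule": "* * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"image": "hello-world:latest", "name": "hello-world",
                        "restartPolicy": "OnFailure"}]}}}}},
}

if __name__ == "__main__":
    for err in lint_restart_policy(INVALID_CRONJOB):
        print("*", err)
```

Against a live cluster, `kubectl apply --dry-run=server -f manifest.yaml` surfaces the same server-side errors without creating the object, which is the most complete complement to a schema-only check.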