cannot validate CustomResourceDefinitions #47
Comments
Ah, yes. At present
We're hitting this same issue, unfortunately. I even tried doing
In the short term, while this isn't implemented currently, could we exit with a specific exit code if the only errors are schema misses? This would enable people to "ignore" those errors in CI situations
Had a quick look, wonder if an approach like:
If the above is a suitable approach (or per other suggestions/required changes) I'm happy to submit a PR (or someone else can).
For now my workaround has been
@garethr can you post some ideas on how to add CRD validation? Maybe it would be possible that someone else could work on this?
For the short term, I have a fork that sorta, kinda implements a bad fix to this: https://github.com/jaredallard/kubeval Some might find it useful in the short term. I don't think I will have the bandwidth to do this properly anytime soon though.
+1 also looking at adding kubeval to our CI, and CRDs are currently the blocking step.
Same for us. We decided to introduce an additional CRD in manifests and this one is blocking.
I have introduced this PR: #127
Same thing here while piping
This would be a really helpful feature for us as well. Although hiding CRD errors would be a good start, we would actually even like to be able to add to a list of CRDs for commonly used things like SealedSecrets. We also plan to move all our deployments to HelmReleases, which means that kubeval would no longer be able to validate any of our workloads. @garethr - Would love to understand at least when PR #127 will be reviewed/merged.
Agree with @dwightbiddle-ef. While the ability to skip validation of CustomResourceDefinitions is desirable, the ultimate goal should be to support their validation according to the schema. Modern CRDs have the OpenAPI schema embedded in their manifest, so in theory it's a matter of collecting these schemas:
To give a concrete example, the Prometheus Operator has a If I can somehow pass this CRD manifest (in Jsonnet, JSON or YAML form) to
We have actually implemented a way to skip CRDs for now by using a simple naming convention and filtering out files with the name "secret" or "helm" in the filename, since that is the bulk of our CRD usage. For those that are curious, we're using the following command:
Just want to reiterate that the more valuable feature to spend time investigating/implementing is the ability to reference the OpenAPI schemas for CRDs at runtime, as @bgagnon is saying above.
I have a working prototype for a potential solution to this approach.
So far I have collected schemas for:
At this point I am wondering if I should simply move to another JSON Schema command line validator such as ajv-cli which might be easier to work with. But for now, I'll keep toying around with kubeval. Some lessons learned:
Any thoughts on that general idea?
The schema generation bug that @garethr mentioned is likely due to the circular reference contained in the Kubernetes OpenAPI/Swagger schemas. It is not possible to "resolve" (de-reference and inline) all `$ref` pointers:

```
$ swagger-cli bundle -r swagger.json
Circular $ref pointer found at swagger.json#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps/properties
```

To fix this, the "standalone" mode would need to make an exception for this circular reference and allow a top-level object to be referenced by
0.11.0 now has the
Notice, it's
@bgagnon could you elaborate how to extract OpenAPI from JSON? Or preferably describe your actions on the Prometheus Operator CRD as an example.
kubectl doesn't support it yet, see instrumenta/kubeval#47
Not having support for easily importing CRDs is a bummer. The ability to validate CRs related to foundational projects like Istio, Cert-Manager, and the Prometheus Operator would be great. I am considering implementing roughly the same flow that @bgagnon described but it sounds like a lot to maintain. Just a thought: as a first step, how feasible would it be to support the OpenAPI spec directly to avoid the conversion step?
I was looking into this for validating my manifests and resorted to creating my own custom schemas here (using
@ams0 I was having issues with your JSON schemas, similar to what @leosunmo had experienced.
I forked your repository to https://github.com/joshuaspence/kubernetes-json-schema and added some additional processing of the JSON schemas and it seems to work as I would expect now.
Welp, the documentation for kubeval at https://www.kubeval.com/ has not been updated to include --additional-schema-locations :( I wrote kubeconform ( https://github.com/yannh/kubeconform ) partly to solve this. I've included a python script derived from @garethr's openapi2jsonschema > https://github.com/yannh/kubeconform/blob/master/cmd/openapi2jsonschema/main.py to generate the JSON schemas - I think it does a couple of things your rq magic ( https://github.com/joshuaspence/kubernetes-json-schema/blob/master/build.sh ) does not, such as support for the "strict" mode. Maybe that could generate better schemas for https://github.com/joshuaspence/kubernetes-json-schema/ ? In Kubeconform I also added support for "configurable" JSON schema paths, since I don't think the Kubernetes version needs to be part of the path for JSON schema registries for custom resources... This ticket can probably be closed though.
Thanks for the pointers @yannh. Your script didn't work on all of the CRDs I have but it made me find a bug in my own script, will try to get around to fixing it.
Any updates on this subject?
One of the features of doc.crds.dev is to output the underlying CRD YAML for CRDs from a given repo. I wonder if it wouldn't be possible to take those, download and massage them via kubeval, and then output them to a cache dir that can be used by kubeval
FWIW we've added some to this additional repository: `kubeval --additional-schema-locations https://jenkins-x.github.io/jenkins-x-schemas`
If I try to supply I can currently work around this by setting I think it might be nice to be able to specify something like
Any news on this?
I switched to kubeconform and now my workflow is like this: I have a repo with all my schemas, https://github.com/tarioch/k8s-schemas. Whenever I add any new CRDs to my cluster I update the schemas on a machine that has access to the cluster, see https://github.com/tarioch/k8s-schemas/blob/master/update.sh; for special cases (e.g. in my case jaeger-operator) I get the CRDs not from the cluster but from another place. This then gets checked in. Whenever I want to validate (e.g. on CI or in a pre-commit hook), I can just point it to that repository and validate
@tarioch Thanks, which command do you use to point kubeconform to your schema repository?
None of them worked, and since I have no real way to debug which path is really queried, I am kind of blind here
Just because you can doesn't mean you should?
@rdelpret i would really like to know it is documented that https://www.kubeval.com/#crds it does not validate CRD's but it seems it can. What's the catch here? |
@AtzeDeVries you can pass it a json schema, so I converted a remote yaml schema to json, trick the tool into thinking that the schema is in the file path format the tool expects then profit. Basically showing they could implement this easily. |
The main problem with CRs is that they are spread across GitHub, unlike the K8s native objects schema. We have also created a helpful utility - a CRD Extractor to pull CRDs from the cluster and convert them locally to JSON Schema as an output. |
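The conversion @bgagnon describes earlier in the thread (pull the openAPIV3Schema embedded in a CRD manifest out into a per-kind JSON Schema file) and the YAML-to-JSON, expected-file-path trick @rdelpret mentions above are roughly what this added Python does. It is example code written for this page, not kubeval's, kubeconform's or any commenter's tool; the sample CRD is constructed, and both the draft-04 `$schema` marker and the `v<k8s-version>-standalone/<kind>-<group>-<version>.json` layout are assumptions about what kubeval requests from an additional schema location.

```python
import json
from pathlib import Path

# Constructed sample CRD (v1 API), shaped like an operator's CRD but not copied from any project.
SAMPLE_CRD = {
    "apiVersion": "apiextensions.k8s.io/v1",
    "kind": "CustomResourceDefinition",
    "spec": {
        "group": "monitoring.coreos.com",
        "names": {"kind": "Prometheus", "plural": "prometheuses"},
        "versions": [{
            "name": "v1",
            "schema": {"openAPIV3Schema": {
                "type": "object",
                "required": ["spec"],
                "properties": {"spec": {
                    "type": "object",
                    "required": ["replicas"],
                    "properties": {"replicas": {"type": "integer", "minimum": 0}},
                }},
            }},
        }],
    },
}

def schemas_from_crd(crd):
    """Return {filename: json_schema} for every CRD version that carries a schema.
    Covers v1 CRDs (schema per version) and v1beta1 (shared spec.validation, single spec.version)."""
    spec = crd["spec"]
    kind = spec["names"]["kind"].lower()
    # openapi2jsonschema-style file name: <kind>-<first label of group>-<version>.json
    group = spec["group"].split(".")[0].lower()
    shared = (spec.get("validation") or {}).get("openAPIV3Schema")
    out = {}
    for ver in spec.get("versions") or [{"name": spec["version"]}]:
        schema = (ver.get("schema") or {}).get("openAPIV3Schema") or shared
        if schema is None:
            continue  # no validation schema: nothing a linter can check
        doc = dict(schema)
        doc["$schema"] = "http://json-schema.org/draft-04/schema#"  # assumed dialect
        out[f"{kind}-{group}-{ver['name']}.json"] = doc
    return out

def write_registry(crd, root, k8s_version="1.18.0"):
    """Write the schemas under <root>/v<k8s_version>-standalone/, assumed to be the
    path kubeval derives from --additional-schema-locations; return the file names."""
    target = Path(root) / f"v{k8s_version}-standalone"
    target.mkdir(parents=True, exist_ok=True)
    for name, doc in schemas_from_crd(crd).items():
        (target / name).write_text(json.dumps(doc, indent=2))
    return sorted(p.name for p in target.iterdir())
```

Serving the output directory over HTTP (or committing it to a repo such as the ones linked in this thread) and passing its URL to --additional-schema-locations is the remaining step.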
Apologies if this should be created against https://github.com/garethr/kubernetes-json-schema instead.

Attempting to validate an `apiextensions.k8s.io/v1beta1 CustomResourceDefinition` resource fails as the schema file in `$VERSION-standalone` is empty:

Is this intentional? It seems impossible in the current form to lint any `CustomResourceDefinition`s. The `kubernetes-json-schema` repo does have non-0 byte versions of the schema in the non-standalone directories (i.e. in `/v1.8.0/`) but `kubeval` is hardcoded to load the `-standalone` flavor of each schema.