WIP: Validate manifests using kubeval #775
Signed-off-by: Kemal Akkoyun <[email protected]>
Neat! How does this work with CRDs?
Sadly it doesn't. There is an open issue in the kubeval project to support non-native objects: instrumenta/kubeval#47. This means having kubeval is a good step for fast feedback regarding native objects, but we will still need to load all objects into the apiserver and check them this way.
Idea LGTM
Hi there 👋 I've been working on kubeconform ( https://github.com/yannh/kubeconform/ ) - which is very similar to kubeval, and adds support for CRDs. Maybe I can help?
@yannh That would be awesome. The project needs a good validation strategy since we are moving away from ksonnet. I'll be checking the
Mhhh one thing I'm missing is a stable interface to use kubeconform as a library. I'll try to work on that soon.
The approach of Kubeval/Kubeconform to do validation is to use JSON Schemas, generated from the OpenAPI Spec files. For Kubeconform to be able to validate Custom Resources, the JSON Schemas need to be accessible either via HTTP or the local filesystem. What would be the best approach here - commit the JSON Schemas to this repo? Note that the only tool I have at the moment to convert from OpenAPI to JSON Schema is in Python.
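The conversion described in the comment above, as an added sketch that is not part of the thread and is not kubeconform's or the commenter's converter: it lifts each version's `openAPIV3Schema` out of a CRD into a stand-alone JSON Schema and reports undeclared manifest fields. The sample CRD, the `<kind>_<version>.json` file naming, and the choice to close objects with `additionalProperties: false` are assumptions made for illustration.

```python
import copy

# Constructed sample CRD (trimmed to the fields used here), not a real project's.
SAMPLE_CRD = {"spec": {
    "names": {"kind": "Widget"},
    "versions": [{"name": "v1", "schema": {"openAPIV3Schema": {
        "type": "object",
        "properties": {
            "spec": {"type": "object",
                     "properties": {"replicas": {"type": "integer"}}},
            "status": {"type": "object",
                       "x-kubernetes-preserve-unknown-fields": True},
        },
    }}}],
}}

def _strict(schema):
    """Close every object that declares properties, unless the CRD opts out."""
    if not isinstance(schema, dict):
        return schema
    props = schema.get("properties")
    if isinstance(props, dict):
        if not schema.get("x-kubernetes-preserve-unknown-fields"):
            schema.setdefault("additionalProperties", False)
        for sub in props.values():
            _strict(sub)
    _strict(schema.get("items"))
    return schema

def crd_to_json_schemas(crd):
    """Return {filename: JSON Schema} for each version listed in the CRD."""
    kind = crd["spec"]["names"]["kind"].lower()
    out = {}
    for version in crd["spec"]["versions"]:
        schema = copy.deepcopy(version["schema"]["openAPIV3Schema"])
        # Assumed file naming: <kind>_<version>.json
        out[f"{kind}_{version['name']}.json"] = _strict(schema)
    return out

def unknown_fields(obj, schema, path=""):
    """List manifest paths that the closed schema does not declare."""
    found = []
    if isinstance(obj, dict):
        props = schema.get("properties", {})
        closed = schema.get("additionalProperties") is False
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in props:
                found.extend(unknown_fields(value, props[key], here))
            elif closed:
                found.append(here)
    return found
```

A field reported here is either a typo in the manifest or a gap in the generated schema, so the schema should be checked against the CRD's documented API before the finding is trusted.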
Alright, started some work here #785, this is still WIP.
This is not right as those properties are allowed by Prometheus CRD: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#prometheusspec I checked a few others and it seems like either Kubeconform has some false positives in its output or prometheus-operator has invalid schemas. 🤔 PS. @yannh awesome project!
Kubeconform is (I think) rather solid, but my script to convert OpenAPI to JSON schema is a bit brittle :) I will investigate these in detail soon.
My command line was wrong, I forgot I had hardcoded the path to alertmanager_{{ .ResourceAPIVersion }}.json while debugging.
Signed-off-by: Kemal Akkoyun [email protected]
Add kubeval as a validation method for generated manifests.
Work in progress: Still entertaining the idea. However, I'd like to hear what maintainers think.