mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 04:06:03 +00:00
apiextension: complete validation of meta data defaults
This commit is contained in:
Dr. Stefan Schimanski
parent
90fed073c7
commit
135902b0f4
@ -16,21 +16,17 @@ go_library(
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/features:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/api/validation:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library",
|
||||
"//vendor/github.com/go-openapi/strfmt:go_default_library",
|
||||
"//vendor/github.com/go-openapi/validate:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@ -21,14 +21,10 @@ import (
|
||||
"reflect"
|
||||
"strings"
|
||||
|
||||
"github.com/go-openapi/strfmt"
|
||||
govalidate "github.com/go-openapi/validate"
|
||||
schemaobjectmeta "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta"
|
||||
|
||||
"k8s.io/apiextensions-apiserver/pkg/apihelpers"
|
||||
structuraldefaulting "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting"
|
||||
apiequality "k8s.io/apimachinery/pkg/api/equality"
|
||||
genericvalidation "k8s.io/apimachinery/pkg/api/validation"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
utilvalidation "k8s.io/apimachinery/pkg/util/validation"
|
||||
@ -39,7 +35,6 @@ import (
|
||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
|
||||
structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning"
|
||||
apiservervalidation "k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
|
||||
apiextensionsfeatures "k8s.io/apiextensions-apiserver/pkg/features"
|
||||
)
|
||||
@ -659,6 +654,7 @@ func validateCustomResourceDefinitionValidation(customResourceValidation *apiext
|
||||
allowDefaults: opts.allowDefaults,
|
||||
requireValidPropertyType: opts.requireValidPropertyType,
|
||||
}
|
||||
|
||||
allErrs = append(allErrs, ValidateCustomResourceDefinitionOpenAPISchema(schema, fldPath.Child("openAPIV3Schema"), openAPIV3Schema, true)...)
|
||||
|
||||
if opts.requireStructuralSchema {
|
||||
@ -667,8 +663,13 @@ func validateCustomResourceDefinitionValidation(customResourceValidation *apiext
|
||||
if len(allErrs) == 0 {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("openAPIV3Schema"), "", err.Error()))
|
||||
}
|
||||
} else if validationErrors := structuralschema.ValidateStructural(fldPath.Child("openAPIV3Schema"), ss); len(validationErrors) > 0 {
|
||||
allErrs = append(allErrs, validationErrors...)
|
||||
} else if validationErrors, err := structuraldefaulting.ValidateDefaults(fldPath.Child("openAPIV3Schema"), ss, true); err != nil {
|
||||
// this should never happen
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("openAPIV3Schema"), "", err.Error()))
|
||||
} else {
|
||||
allErrs = append(allErrs, structuralschema.ValidateStructural(ss, fldPath.Child("openAPIV3Schema"))...)
|
||||
allErrs = append(allErrs, validationErrors...)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -682,7 +683,7 @@ func validateCustomResourceDefinitionValidation(customResourceValidation *apiext
|
||||
return allErrs
|
||||
}
|
||||
|
||||
var metaFields = sets.NewString("metadata", "apiVersion", "kind")
|
||||
var metaFields = sets.NewString("metadata", "kind", "apiVersion")
|
||||
|
||||
// ValidateCustomResourceDefinitionOpenAPISchema statically validates
|
||||
func ValidateCustomResourceDefinitionOpenAPISchema(schema *apiextensions.JSONSchemaProps, fldPath *field.Path, ssv specStandardValidator, isRoot bool) field.ErrorList {
|
||||
@ -726,6 +727,7 @@ func ValidateCustomResourceDefinitionOpenAPISchema(schema *apiextensions.JSONSch
|
||||
if len(schema.Properties) != 0 {
|
||||
for property, jsonSchema := range schema.Properties {
|
||||
subSsv := ssv
|
||||
|
||||
if (isRoot || schema.XEmbeddedResource) && metaFields.Has(property) {
|
||||
// we recurse into the schema that applies to ObjectMeta.
|
||||
subSsv = ssv.withInsideResourceMeta()
|
||||
@ -825,43 +827,12 @@ func (v *specStandardValidatorV3) validate(schema *apiextensions.JSONSchemaProps
|
||||
allErrs = append(allErrs, field.NotSupported(fldPath.Child("type"), schema.Type, openapiV3Types.List()))
|
||||
}
|
||||
|
||||
if schema.Default != nil {
|
||||
if v.allowDefaults {
|
||||
if s, err := structuralschema.NewStructural(schema); err == nil {
|
||||
// ignore errors here locally. They will show up for the root of the schema.
|
||||
|
||||
clone := runtime.DeepCopyJSONValue(interface{}(*schema.Default))
|
||||
if !v.isInsideResourceMeta {
|
||||
// If we are under metadata, there are implicitly specified fields like kind, apiVersion, metadata, labels.
|
||||
// We cannot prune as they are pruned as well. This allows more defaults than we would like to.
|
||||
// TODO: be precise about pruning under metadata
|
||||
pruning.Prune(clone, s, s.XEmbeddedResource)
|
||||
|
||||
// TODO: coerce correctly if we are not at the object root, but somewhere below.
|
||||
if err := schemaobjectmeta.Coerce(fldPath, clone, s, s.XEmbeddedResource, false); err != nil {
|
||||
allErrs = append(allErrs, err)
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(clone, interface{}(*schema.Default)) {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("default"), schema.Default, "must not have unknown fields"))
|
||||
} else if s.XEmbeddedResource {
|
||||
// validate an embedded resource
|
||||
schemaobjectmeta.Validate(fldPath, interface{}(*schema.Default), nil, true)
|
||||
}
|
||||
}
|
||||
|
||||
// validate the default value with user the provided schema.
|
||||
validator := govalidate.NewSchemaValidator(s.ToGoOpenAPI(), nil, "", strfmt.Default)
|
||||
|
||||
allErrs = append(allErrs, apiservervalidation.ValidateCustomResource(fldPath.Child("default"), interface{}(*schema.Default), validator)...)
|
||||
}
|
||||
} else {
|
||||
detail := "must not be set"
|
||||
if len(v.disallowDefaultsReason) > 0 {
|
||||
detail += " " + v.disallowDefaultsReason
|
||||
}
|
||||
allErrs = append(allErrs, field.Forbidden(fldPath.Child("default"), detail))
|
||||
if schema.Default != nil && !v.allowDefaults {
|
||||
detail := "must not be set"
|
||||
if len(v.disallowDefaultsReason) > 0 {
|
||||
detail += " " + v.disallowDefaultsReason
|
||||
}
|
||||
allErrs = append(allErrs, field.Forbidden(fldPath.Child("default"), detail))
|
||||
}
|
||||
|
||||
if schema.ID != "" {
|
||||
@ -1212,7 +1183,7 @@ func schemaIsNonStructural(schema *apiextensions.JSONSchemaProps) bool {
|
||||
if err != nil {
|
||||
return true
|
||||
}
|
||||
return len(structuralschema.ValidateStructural(ss, nil)) > 0
|
||||
return len(structuralschema.ValidateStructural(nil, ss)) > 0
|
||||
}
|
||||
|
||||
// requireValidPropertyType returns true if valid openapi v3 types should be required for the given API version
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@ -248,7 +248,7 @@ func newExtensions(s *apiextensions.JSONSchemaProps) (*Extensions, error) {
|
||||
|
||||
if s.XPreserveUnknownFields != nil {
|
||||
if !*s.XPreserveUnknownFields {
|
||||
return nil, fmt.Errorf("'x-kubernetes-preserve-unknown-fields' must be true or undefined")
|
||||
return nil, fmt.Errorf("internal error: 'x-kubernetes-preserve-unknown-fields' must be true or undefined")
|
||||
}
|
||||
ret.XPreserveUnknownFields = true
|
||||
}
|
||||
|
||||
@ -2,13 +2,24 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["algorithm.go"],
|
||||
srcs = [
|
||||
"algorithm.go",
|
||||
"surroundingobject.go",
|
||||
"validation.go",
|
||||
],
|
||||
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting",
|
||||
importpath = "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting",
|
||||
visibility = ["//visibility:public"],
|
||||
deps = [
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||
"//vendor/github.com/go-openapi/strfmt:go_default_library",
|
||||
"//vendor/github.com/go-openapi/validate:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@ -0,0 +1,147 @@
|
||||
/*
|
||||
Copyright 2019 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package defaulting
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// AccessorFunc returns a node x in obj on a fixed (implicitly encoded) JSON path
|
||||
// if that path exists in obj (found==true). If it does not exist, found is false.
|
||||
// If on the path the type of a field is wrong, an error is returned.
|
||||
type AccessorFunc func(obj map[string]interface{}) (x interface{}, found bool, err error)
|
||||
|
||||
// SurroundingObjectFunc is a surrounding object builder with a given x at a leaf.
|
||||
// Which leave is determined by the series of Index() and Child(k) calls.
|
||||
// It also returns the inverse of the builder, namely the accessor that extracts x
|
||||
// from the test object.
|
||||
//
|
||||
// With obj, acc, _ := someSurroundingObjectFunc(x) we get:
|
||||
//
|
||||
// acc(obj) == x
|
||||
// reflect.DeepEqual(acc(DeepCopy(obj), x) == x
|
||||
//
|
||||
// where x is the original instance for slices and maps.
|
||||
//
|
||||
// If after computation of acc the node holding x in obj is mutated (e.g. pruned),
|
||||
// the accessor will return that mutated node value (e.g. the pruned x).
|
||||
//
|
||||
// Example (ignoring the last two return values):
|
||||
//
|
||||
// NewRootObjectFunc()(x) == x
|
||||
// NewRootObjectFunc().Index()(x) == [x]
|
||||
// NewRootObjectFunc().Index().Child("foo") == [{"foo": x}]
|
||||
// NewRootObjectFunc().Index().Child("foo").Child("bar") == [{"foo": {"bar":x}}]
|
||||
// NewRootObjectFunc().Index().Child("foo").Child("bar").Index() == [{"foo": {"bar":[x]}}]
|
||||
//
|
||||
// and:
|
||||
//
|
||||
// NewRootObjectFunc(), then acc(x) == x
|
||||
// NewRootObjectFunc().Index(), then acc([x]) == x
|
||||
// NewRootObjectFunc().Index().Child("foo"), then acc([{"foo": x}]) == x
|
||||
// NewRootObjectFunc().Index().Child("foo").Child("bar"), then acc([{"foo": {"bar":x}}]) == x
|
||||
// NewRootObjectFunc().Index().Child("foo").Child("bar").Index(), then acc([{"foo": {"bar":[x]}}]) == x
|
||||
type SurroundingObjectFunc func(focus interface{}) (map[string]interface{}, AccessorFunc, error)
|
||||
|
||||
// NewRootObjectFunc returns the identity function. The passed focus value
|
||||
// must be an object.
|
||||
func NewRootObjectFunc() SurroundingObjectFunc {
|
||||
return func(x interface{}) (map[string]interface{}, AccessorFunc, error) {
|
||||
obj, ok := x.(map[string]interface{})
|
||||
if !ok {
|
||||
return nil, nil, fmt.Errorf("object root default value must be of object type")
|
||||
}
|
||||
return obj, func(root map[string]interface{}) (interface{}, bool, error) {
|
||||
return root, true, nil
|
||||
}, nil
|
||||
}
|
||||
}
|
||||
|
||||
// WithTypeMeta returns a closure with the TypeMeta fields set if they are defined.
|
||||
// This mutates f(x).
|
||||
func (f SurroundingObjectFunc) WithTypeMeta(meta metav1.TypeMeta) SurroundingObjectFunc {
|
||||
return func(x interface{}) (map[string]interface{}, AccessorFunc, error) {
|
||||
obj, acc, err := f(x)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
if obj == nil {
|
||||
obj = map[string]interface{}{}
|
||||
}
|
||||
if _, found := obj["kind"]; !found {
|
||||
obj["kind"] = meta.Kind
|
||||
}
|
||||
if _, found := obj["apiVersion"]; !found {
|
||||
obj["apiVersion"] = meta.APIVersion
|
||||
}
|
||||
return obj, acc, err
|
||||
}
|
||||
}
|
||||
|
||||
// Child returns a function x => f({k: x}) and the corresponding accessor.
|
||||
func (f SurroundingObjectFunc) Child(k string) SurroundingObjectFunc {
|
||||
return func(x interface{}) (map[string]interface{}, AccessorFunc, error) {
|
||||
obj, acc, err := f(map[string]interface{}{k: x})
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
return obj, func(obj map[string]interface{}) (interface{}, bool, error) {
|
||||
x, found, err := acc(obj)
|
||||
if err != nil {
|
||||
return nil, false, fmt.Errorf(".%s%v", k, err)
|
||||
}
|
||||
if !found {
|
||||
return nil, false, nil
|
||||
}
|
||||
if x, ok := x.(map[string]interface{}); !ok {
|
||||
return nil, false, fmt.Errorf(".%s must be of object type", k)
|
||||
} else if v, found := x[k]; !found {
|
||||
return nil, false, nil
|
||||
} else {
|
||||
return v, true, nil
|
||||
}
|
||||
}, err
|
||||
}
|
||||
}
|
||||
|
||||
// Index returns a function x => f([x]) and the corresponding accessor.
|
||||
func (f SurroundingObjectFunc) Index() SurroundingObjectFunc {
|
||||
return func(focus interface{}) (map[string]interface{}, AccessorFunc, error) {
|
||||
obj, acc, err := f([]interface{}{focus})
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
return obj, func(obj map[string]interface{}) (interface{}, bool, error) {
|
||||
x, found, err := acc(obj)
|
||||
if err != nil {
|
||||
return nil, false, fmt.Errorf("[]%v", err)
|
||||
}
|
||||
if !found {
|
||||
return nil, false, nil
|
||||
}
|
||||
if x, ok := x.([]interface{}); !ok {
|
||||
return nil, false, fmt.Errorf("[] must be of array type")
|
||||
} else if len(x) == 0 {
|
||||
return nil, false, nil
|
||||
} else {
|
||||
return x[0], true, nil
|
||||
}
|
||||
}, err
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,131 @@
|
||||
/*
|
||||
Copyright 2019 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package defaulting
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"reflect"
|
||||
|
||||
"github.com/go-openapi/strfmt"
|
||||
goopenapivalidate "github.com/go-openapi/validate"
|
||||
|
||||
structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
|
||||
schemaobjectmeta "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning"
|
||||
apiservervalidation "k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
)
|
||||
|
||||
// ValidateDefaults checks that default values validate and are properly pruned.
|
||||
func ValidateDefaults(pth *field.Path, s *structuralschema.Structural, isResourceRoot bool) (field.ErrorList, error) {
|
||||
f := NewRootObjectFunc().WithTypeMeta(metav1.TypeMeta{APIVersion: "validation/v1", Kind: "Validation"})
|
||||
|
||||
if isResourceRoot {
|
||||
if s == nil {
|
||||
s = &structuralschema.Structural{}
|
||||
}
|
||||
if !s.XEmbeddedResource {
|
||||
clone := *s
|
||||
clone.XEmbeddedResource = true
|
||||
s = &clone
|
||||
}
|
||||
}
|
||||
|
||||
return validate(pth, s, s, f, false)
|
||||
}
|
||||
|
||||
// validate is the recursive step func for the validation. insideMeta is true if s specifies
|
||||
// TypeMeta or ObjectMeta. The SurroundingObjectFunc f is used to validate defaults of
|
||||
// TypeMeta or ObjectMeta fields.
|
||||
func validate(pth *field.Path, s *structuralschema.Structural, rootSchema *structuralschema.Structural, f SurroundingObjectFunc, insideMeta bool) (field.ErrorList, error) {
|
||||
if s == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
if s.XEmbeddedResource {
|
||||
insideMeta = false
|
||||
f = NewRootObjectFunc().WithTypeMeta(metav1.TypeMeta{APIVersion: "validation/v1", Kind: "Validation"})
|
||||
rootSchema = s
|
||||
}
|
||||
|
||||
allErrs := field.ErrorList{}
|
||||
|
||||
if s.Default.Object != nil {
|
||||
validator := goopenapivalidate.NewSchemaValidator(s.ToGoOpenAPI(), nil, "", strfmt.Default)
|
||||
|
||||
if insideMeta {
|
||||
obj, _, err := f(runtime.DeepCopyJSONValue(s.Default.Object))
|
||||
if err != nil {
|
||||
// this should never happen. f(s.Default.Object) only gives an error if f is the
|
||||
// root object func, but the default value is not a map. But then we wouldn't be
|
||||
// in this case.
|
||||
return nil, fmt.Errorf("failed to validate default value inside metadata: %v", err)
|
||||
}
|
||||
|
||||
// check ObjectMeta/TypeMeta and everything else
|
||||
if err := schemaobjectmeta.Coerce(nil, obj, rootSchema, true, false); err != nil {
|
||||
allErrs = append(allErrs, field.Invalid(pth.Child("default"), s.Default.Object, fmt.Sprintf("must result in valid metadata: %v", err)))
|
||||
} else if errs := schemaobjectmeta.Validate(nil, obj, rootSchema, true); len(errs) > 0 {
|
||||
allErrs = append(allErrs, field.Invalid(pth.Child("default"), s.Default.Object, fmt.Sprintf("must result in valid metadata: %v", errs.ToAggregate())))
|
||||
} else if errs := apiservervalidation.ValidateCustomResource(pth.Child("default"), s.Default.Object, validator); len(errs) > 0 {
|
||||
allErrs = append(allErrs, errs...)
|
||||
}
|
||||
} else {
|
||||
// check whether default is pruned
|
||||
pruned := runtime.DeepCopyJSONValue(s.Default.Object)
|
||||
pruning.Prune(pruned, s, s.XEmbeddedResource)
|
||||
if !reflect.DeepEqual(pruned, s.Default.Object) {
|
||||
allErrs = append(allErrs, field.Invalid(pth.Child("default"), s.Default.Object, "must not have unknown fields"))
|
||||
}
|
||||
|
||||
// check ObjectMeta/TypeMeta and everything else
|
||||
if err := schemaobjectmeta.Coerce(pth.Child("default"), s.Default.Object, s, s.XEmbeddedResource, false); err != nil {
|
||||
allErrs = append(allErrs, err)
|
||||
} else if errs := schemaobjectmeta.Validate(pth.Child("default"), s.Default.Object, s, s.XEmbeddedResource); len(errs) > 0 {
|
||||
allErrs = append(allErrs, errs...)
|
||||
} else if errs := apiservervalidation.ValidateCustomResource(pth.Child("default"), s.Default.Object, validator); len(errs) > 0 {
|
||||
allErrs = append(allErrs, errs...)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// do not follow additionalProperties because defaults are forbidden there
|
||||
|
||||
if s.Items != nil {
|
||||
errs, err := validate(pth.Child("items"), s.Items, rootSchema, f.Index(), insideMeta)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
allErrs = append(allErrs, errs...)
|
||||
}
|
||||
|
||||
for k, subSchema := range s.Properties {
|
||||
subInsideMeta := insideMeta
|
||||
if s.XEmbeddedResource && (k == "metadata" || k == "apiVersion" || k == "kind") {
|
||||
subInsideMeta = true
|
||||
}
|
||||
errs, err := validate(pth.Child("properties").Key(k), &subSchema, rootSchema, f.Child(k), subInsideMeta)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
allErrs = append(allErrs, errs...)
|
||||
}
|
||||
|
||||
return allErrs, nil
|
||||
}
|
||||
@ -21,7 +21,8 @@ import (
|
||||
)
|
||||
|
||||
// Prune removes object fields in obj which are not specified in s. It skips TypeMeta and ObjectMeta fields
|
||||
// if XEmbeddedResource is set to true, or for the root if isResourceRoot=true.
|
||||
// if XEmbeddedResource is set to true, or for the root if isResourceRoot=true, i.e. it does not
|
||||
// prune unknown metadata fields.
|
||||
func Prune(obj interface{}, s *structuralschema.Structural, isResourceRoot bool) {
|
||||
if isResourceRoot {
|
||||
if s == nil {
|
||||
|
||||
@ -60,7 +60,7 @@ const (
|
||||
// * every specified field or array in s is also specified outside of value validation.
|
||||
// * metadata at the root can only restrict the name and generateName, and not be specified at all in nested contexts.
|
||||
// * additionalProperties at the root is not allowed.
|
||||
func ValidateStructural(s *Structural, fldPath *field.Path) field.ErrorList {
|
||||
func ValidateStructural(fldPath *field.Path, s *Structural) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
|
||||
allErrs = append(allErrs, validateStructuralInvariants(s, rootLevel, fldPath)...)
|
||||
|
||||
@ -97,7 +97,7 @@ func calculateCondition(in *apiextensions.CustomResourceDefinition) *apiextensio
|
||||
|
||||
pth := field.NewPath("spec", "validation", "openAPIV3Schema")
|
||||
|
||||
allErrs = append(allErrs, schema.ValidateStructural(s, pth)...)
|
||||
allErrs = append(allErrs, schema.ValidateStructural(pth, s)...)
|
||||
}
|
||||
|
||||
for _, v := range in.Spec.Versions {
|
||||
@ -114,7 +114,7 @@ func calculateCondition(in *apiextensions.CustomResourceDefinition) *apiextensio
|
||||
|
||||
pth := field.NewPath("spec", "version").Key(v.Name).Child("schema", "openAPIV3Schema")
|
||||
|
||||
allErrs = append(allErrs, schema.ValidateStructural(s, pth)...)
|
||||
allErrs = append(allErrs, schema.ValidateStructural(pth, s)...)
|
||||
}
|
||||
|
||||
if len(allErrs) == 0 {
|
||||
|
||||
@ -362,7 +362,7 @@ func TestNewBuilder(t *testing.T) {
|
||||
if err != nil {
|
||||
t.Fatalf("structural schema error: %v", err)
|
||||
}
|
||||
if errs := structuralschema.ValidateStructural(schema, nil); len(errs) > 0 {
|
||||
if errs := structuralschema.ValidateStructural(nil, schema); len(errs) > 0 {
|
||||
t.Fatalf("structural schema validation error: %v", errs.ToAggregate())
|
||||
}
|
||||
schema = schema.Unfold()
|
||||
|
||||
@ -308,20 +308,6 @@ properties:
|
||||
kind: Pod
|
||||
labels:
|
||||
foo: bar
|
||||
invalidDefaults:
|
||||
type: object
|
||||
properties:
|
||||
embedded:
|
||||
type: object
|
||||
x-kubernetes-embedded-resource: true
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
default:
|
||||
apiVersion: "foo/v1"
|
||||
kind: "%"
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
||||
abc: "x y"
|
||||
`
|
||||
|
||||
embeddedResourceInstance = `
|
||||
@ -501,8 +487,6 @@ func TestEmbeddedResources(t *testing.T) {
|
||||
` embeddedNested.metadata.name: Invalid value: ".."`,
|
||||
` embeddedNested.embedded.kind: Invalid value: "%"`,
|
||||
` embeddedNested.embedded.metadata.name: Invalid value: ".."`,
|
||||
` invalidDefaults.embedded.kind: Invalid value: "%"`,
|
||||
` invalidDefaults.embedded.metadata.labels: Invalid value: "x y"`,
|
||||
}
|
||||
for _, s := range invalidErrors {
|
||||
if !strings.Contains(err.Error(), s) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user