diff --git a/docs/devel/api-conventions.md b/docs/devel/api-conventions.md index a6314f0b388..1fe165a6721 100644 --- a/docs/devel/api-conventions.md +++ b/docs/devel/api-conventions.md @@ -76,6 +76,7 @@ using resources with kubectl can be found in [Working with resources](../user-gu - [Naming conventions](#naming-conventions) - [Label, selector, and annotation conventions](#label-selector-and-annotation-conventions) - [WebSockets and SPDY](#websockets-and-spdy) + - [Validation](#validation) @@ -787,6 +788,35 @@ There are two primary protocols in use today: Clients should use the SPDY protocols if their clients have native support, or WebSockets as a fallback. Note that WebSockets is susceptible to Head-of-Line blocking and so clients must read and process each message sequentionally. In the future, an HTTP/2 implementation will be exposed that deprecates SPDY. +## Validation + +API objects are validated upon receipt by the apiserver. Validation errors are +flagged and returned to the caller in a `Failure` status with `reason` set to +`Invalid`. In order to facilitate consistent error messages, we ask that +validation logic adheres to the following guidelines whenever possible (though +exceptional cases will exist). + +* Be as precise as possible. +* Telling users what they CAN do is more useful than telling them what they + CANNOT do. +* When asserting a requirement in the positive, use "must". Examples: "must be + greater than 0", "must match regex '[a-z]+'". Words like "should" imply that + the assertion is optional, and must be avoided. +* When asserting a formatting requirement in the negative, use "must not". + Example: "must not contain '..'". Words like "should not" imply that the + assertion is optional, and must be avoided. +* When asserting a behavioral requirement in the negative, use "may not". + Examples: "may not be specified when otherField is empty", "only `name` may be + specified". +* When referencing a literal string value, indicate the literal in + single-quotes. Example: "must not contain '..'". +* When referencing another field name, indicate the name in back-quotes. + Example: "must be greater than `request`". +* When specifying inequalities, use words rather than symbols. Examples: "must + be less than 256", "must be greater than or equal to 0". Do not use words + like "larger than", "bigger than", "more than", "higher than", etc. +* When specifying numeric ranges, use inclusive ranges when possible. + [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/devel/api-conventions.md?pixel)]() diff --git a/hack/test-cmd.sh b/hack/test-cmd.sh index 1a6ba00d75b..8105492b99c 100755 --- a/hack/test-cmd.sh +++ b/hack/test-cmd.sh @@ -980,7 +980,7 @@ __EOF__ # Pre-condition: use --name flag output_message=$(! kubectl expose -f hack/testdata/pod-with-large-name.yaml --name=invalid-large-service-name --port=8081 2>&1 "${kube_flags[@]}") # Post-condition: should fail due to invalid name - kube::test::if_has_string "${output_message}" 'metadata.name: invalid value' + kube::test::if_has_string "${output_message}" 'metadata.name: Invalid value' # Pre-condition: default run without --name flag; should succeed by truncating the inherited name output_message=$(kubectl expose -f hack/testdata/pod-with-large-name.yaml --port=8081 2>&1 "${kube_flags[@]}") # Post-condition: inherited name from pod has been truncated diff --git a/pkg/api/errors/errors_test.go b/pkg/api/errors/errors_test.go index 633bd118db2..066bb25f274 100644 --- a/pkg/api/errors/errors_test.go +++ b/pkg/api/errors/errors_test.go @@ -137,7 +137,7 @@ func TestNewInvalid(t *testing.T) { }, }, { - field.Required(field.NewPath("field[0].name")), + field.Required(field.NewPath("field[0].name"), ""), &unversioned.StatusDetails{ Kind: "Kind", Name: "name", diff --git a/pkg/api/validation/validation.go b/pkg/api/validation/validation.go index e3882d3484d..2644a019b5c 100644 --- a/pkg/api/validation/validation.go +++ b/pkg/api/validation/validation.go @@ -42,7 +42,7 @@ import ( // fields by default. var RepairMalformedUpdates bool = true -const isNegativeErrorMsg string = `must be non-negative` +const isNegativeErrorMsg string = `must be greater than or equal to 0` const fieldImmutableErrorMsg string = `field is immutable` const cIdentifierErrorMsg string = `must be a C identifier (matching regex ` + validation.CIdentifierFmt + `): e.g. "my_name" or "MyName"` const isNotIntegerErrorMsg string = `must be an integer` @@ -259,26 +259,24 @@ func ValidateObjectMeta(meta *api.ObjectMeta, requiresNamespace bool, nameFn Val // report it here. This may confuse users, but indicates a programming bug and still must be validated. // If there are multiple fields out of which one is required then add a or as a separator if len(meta.Name) == 0 { - requiredErr := field.Required(fldPath.Child("name")) - requiredErr.Detail = "name or generateName is required" - allErrs = append(allErrs, requiredErr) + allErrs = append(allErrs, field.Required(fldPath.Child("name"), "name or generateName is required")) } else { if ok, qualifier := nameFn(meta.Name, false); !ok { allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), meta.Name, qualifier)) } } - allErrs = append(allErrs, ValidatePositiveField(meta.Generation, fldPath.Child("generation"))...) if requiresNamespace { if len(meta.Namespace) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("namespace"))) + allErrs = append(allErrs, field.Required(fldPath.Child("namespace"), "")) } else if ok, _ := ValidateNamespaceName(meta.Namespace, false); !ok { allErrs = append(allErrs, field.Invalid(fldPath.Child("namespace"), meta.Namespace, DNS1123LabelErrorMsg)) } } else { if len(meta.Namespace) != 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("namespace"), meta.Namespace, "not allowed on this type")) + allErrs = append(allErrs, field.Forbidden(fldPath, "not allowed on this type")) } } + allErrs = append(allErrs, ValidatePositiveField(meta.Generation, fldPath.Child("generation"))...) allErrs = append(allErrs, ValidateLabels(meta.Labels, fldPath.Child("labels"))...) allErrs = append(allErrs, ValidateAnnotations(meta.Annotations, fldPath.Child("annotations"))...) @@ -343,7 +341,7 @@ func validateVolumes(volumes []api.Volume, fldPath *field.Path) (sets.String, fi idxPath := fldPath.Index(i) el := validateVolumeSource(&vol.VolumeSource, idxPath) if len(vol.Name) == 0 { - el = append(el, field.Required(idxPath.Child("name"))) + el = append(el, field.Required(idxPath.Child("name"), "")) } else if !validation.IsDNS1123Label(vol.Name) { el = append(el, field.Invalid(idxPath.Child("name"), vol.Name, DNS1123LabelErrorMsg)) } else if allNames.Has(vol.Name) { @@ -426,8 +424,10 @@ func validateVolumeSource(source *api.VolumeSource, fldPath *field.Path) field.E numVolumes++ allErrs = append(allErrs, validateFCVolumeSource(source.FC, fldPath.Child("fc"))...) } - if numVolumes != 1 { - allErrs = append(allErrs, field.Invalid(fldPath, source, "exactly 1 volume type is required")) + if numVolumes == 0 { + allErrs = append(allErrs, field.Required(fldPath, "must specify a volume type")) + } else if numVolumes > 1 { + allErrs = append(allErrs, field.Invalid(fldPath, source, "may not specify more than 1 volume type")) } return allErrs @@ -436,7 +436,7 @@ func validateVolumeSource(source *api.VolumeSource, fldPath *field.Path) field.E func validateHostPathVolumeSource(hostPath *api.HostPathVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(hostPath.Path) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("path"))) + allErrs = append(allErrs, field.Required(fldPath.Child("path"), "")) } return allErrs } @@ -444,7 +444,7 @@ func validateHostPathVolumeSource(hostPath *api.HostPathVolumeSource, fldPath *f func validateGitRepoVolumeSource(gitRepo *api.GitRepoVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(gitRepo.Repository) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("repository"))) + allErrs = append(allErrs, field.Required(fldPath.Child("repository"), "")) } pathErrs := validateVolumeSourcePath(gitRepo.Directory, fldPath.Child("directory")) @@ -455,13 +455,13 @@ func validateGitRepoVolumeSource(gitRepo *api.GitRepoVolumeSource, fldPath *fiel func validateISCSIVolumeSource(iscsi *api.ISCSIVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(iscsi.TargetPortal) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("targetPortal"))) + allErrs = append(allErrs, field.Required(fldPath.Child("targetPortal"), "")) } if len(iscsi.IQN) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("iqn"))) + allErrs = append(allErrs, field.Required(fldPath.Child("iqn"), "")) } if len(iscsi.FSType) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("fsType"))) + allErrs = append(allErrs, field.Required(fldPath.Child("fsType"), "")) } if iscsi.Lun < 0 || iscsi.Lun > 255 { allErrs = append(allErrs, field.Invalid(fldPath.Child("lun"), iscsi.Lun, InclusiveRangeErrorMsg(0, 255))) @@ -472,15 +472,15 @@ func validateISCSIVolumeSource(iscsi *api.ISCSIVolumeSource, fldPath *field.Path func validateFCVolumeSource(fc *api.FCVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(fc.TargetWWNs) < 1 { - allErrs = append(allErrs, field.Required(fldPath.Child("targetWWNs"))) + allErrs = append(allErrs, field.Required(fldPath.Child("targetWWNs"), "")) } if len(fc.FSType) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("fsType"))) + allErrs = append(allErrs, field.Required(fldPath.Child("fsType"), "")) } if fc.Lun == nil { - allErrs = append(allErrs, field.Required(fldPath.Child("lun"))) + allErrs = append(allErrs, field.Required(fldPath.Child("lun"), "")) } else { if *fc.Lun < 0 || *fc.Lun > 255 { allErrs = append(allErrs, field.Invalid(fldPath.Child("lun"), fc.Lun, InclusiveRangeErrorMsg(0, 255))) @@ -492,10 +492,10 @@ func validateFCVolumeSource(fc *api.FCVolumeSource, fldPath *field.Path) field.E func validateGCEPersistentDiskVolumeSource(pd *api.GCEPersistentDiskVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(pd.PDName) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("pdName"))) + allErrs = append(allErrs, field.Required(fldPath.Child("pdName"), "")) } if len(pd.FSType) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("fsType"))) + allErrs = append(allErrs, field.Required(fldPath.Child("fsType"), "")) } if pd.Partition < 0 || pd.Partition > 255 { allErrs = append(allErrs, field.Invalid(fldPath.Child("partition"), pd.Partition, pdPartitionErrorMsg)) @@ -506,10 +506,10 @@ func validateGCEPersistentDiskVolumeSource(pd *api.GCEPersistentDiskVolumeSource func validateAWSElasticBlockStoreVolumeSource(PD *api.AWSElasticBlockStoreVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(PD.VolumeID) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("volumeID"))) + allErrs = append(allErrs, field.Required(fldPath.Child("volumeID"), "")) } if len(PD.FSType) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("fsType"))) + allErrs = append(allErrs, field.Required(fldPath.Child("fsType"), "")) } if PD.Partition < 0 || PD.Partition > 255 { allErrs = append(allErrs, field.Invalid(fldPath.Child("partition"), PD.Partition, pdPartitionErrorMsg)) @@ -520,7 +520,7 @@ func validateAWSElasticBlockStoreVolumeSource(PD *api.AWSElasticBlockStoreVolume func validateSecretVolumeSource(secretSource *api.SecretVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(secretSource.SecretName) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("secretName"))) + allErrs = append(allErrs, field.Required(fldPath.Child("secretName"), "")) } return allErrs } @@ -528,7 +528,7 @@ func validateSecretVolumeSource(secretSource *api.SecretVolumeSource, fldPath *f func validatePersistentClaimVolumeSource(claim *api.PersistentVolumeClaimVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(claim.ClaimName) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("claimName"))) + allErrs = append(allErrs, field.Required(fldPath.Child("claimName"), "")) } return allErrs } @@ -536,10 +536,10 @@ func validatePersistentClaimVolumeSource(claim *api.PersistentVolumeClaimVolumeS func validateNFSVolumeSource(nfs *api.NFSVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(nfs.Server) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("server"))) + allErrs = append(allErrs, field.Required(fldPath.Child("server"), "")) } if len(nfs.Path) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("path"))) + allErrs = append(allErrs, field.Required(fldPath.Child("path"), "")) } if !path.IsAbs(nfs.Path) { allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), nfs.Path, "must be an absolute path")) @@ -550,10 +550,10 @@ func validateNFSVolumeSource(nfs *api.NFSVolumeSource, fldPath *field.Path) fiel func validateGlusterfs(glusterfs *api.GlusterfsVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(glusterfs.EndpointsName) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("endpoints"))) + allErrs = append(allErrs, field.Required(fldPath.Child("endpoints"), "")) } if len(glusterfs.Path) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("path"))) + allErrs = append(allErrs, field.Required(fldPath.Child("path"), "")) } return allErrs } @@ -561,7 +561,7 @@ func validateGlusterfs(glusterfs *api.GlusterfsVolumeSource, fldPath *field.Path func validateFlockerVolumeSource(flocker *api.FlockerVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(flocker.DatasetName) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("datasetName"))) + allErrs = append(allErrs, field.Required(fldPath.Child("datasetName"), "")) } if strings.Contains(flocker.DatasetName, "/") { allErrs = append(allErrs, field.Invalid(fldPath.Child("datasetName"), flocker.DatasetName, "must not contain '/'")) @@ -575,7 +575,7 @@ func validateDownwardAPIVolumeSource(downwardAPIVolume *api.DownwardAPIVolumeSou allErrs := field.ErrorList{} for _, downwardAPIVolumeFile := range downwardAPIVolume.Items { if len(downwardAPIVolumeFile.Path) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("path"))) + allErrs = append(allErrs, field.Required(fldPath.Child("path"), "")) } allErrs = append(allErrs, validateVolumeSourcePath(downwardAPIVolumeFile.Path, fldPath.Child("path"))...) allErrs = append(allErrs, validateObjectFieldSelector(&downwardAPIVolumeFile.FieldRef, &validDownwardAPIFieldPathExpressions, fldPath.Child("fieldRef"))...) @@ -590,7 +590,7 @@ func validateDownwardAPIVolumeSource(downwardAPIVolume *api.DownwardAPIVolumeSou func validateVolumeSourcePath(targetPath string, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if path.IsAbs(targetPath) { - allErrs = append(allErrs, field.Forbidden(fldPath, "must not be an absolute path")) + allErrs = append(allErrs, field.Invalid(fldPath, targetPath, "must be a relative path")) } // TODO assume OS of api server & nodes are the same for now items := strings.Split(targetPath, string(os.PathSeparator)) @@ -609,13 +609,13 @@ func validateVolumeSourcePath(targetPath string, fldPath *field.Path) field.Erro func validateRBDVolumeSource(rbd *api.RBDVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(rbd.CephMonitors) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("monitors"))) + allErrs = append(allErrs, field.Required(fldPath.Child("monitors"), "")) } if len(rbd.RBDImage) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("image"))) + allErrs = append(allErrs, field.Required(fldPath.Child("image"), "")) } if len(rbd.FSType) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("fsType"))) + allErrs = append(allErrs, field.Required(fldPath.Child("fsType"), "")) } return allErrs } @@ -623,10 +623,10 @@ func validateRBDVolumeSource(rbd *api.RBDVolumeSource, fldPath *field.Path) fiel func validateCinderVolumeSource(cd *api.CinderVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(cd.VolumeID) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("volumeID"))) + allErrs = append(allErrs, field.Required(fldPath.Child("volumeID"), "")) } if len(cd.FSType) == 0 || (cd.FSType != "ext3" && cd.FSType != "ext4") { - allErrs = append(allErrs, field.Required(fldPath.Child("fsType"))) + allErrs = append(allErrs, field.Required(fldPath.Child("fsType"), "")) } return allErrs } @@ -634,7 +634,7 @@ func validateCinderVolumeSource(cd *api.CinderVolumeSource, fldPath *field.Path) func validateCephFSVolumeSource(cephfs *api.CephFSVolumeSource, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(cephfs.Monitors) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("monitors"))) + allErrs = append(allErrs, field.Required(fldPath.Child("monitors"), "")) } return allErrs } @@ -650,7 +650,7 @@ func ValidatePersistentVolume(pv *api.PersistentVolume) field.ErrorList { specPath := field.NewPath("spec") if len(pv.Spec.AccessModes) == 0 { - allErrs = append(allErrs, field.Required(specPath.Child("accessModes"))) + allErrs = append(allErrs, field.Required(specPath.Child("accessModes"), "")) } for _, mode := range pv.Spec.AccessModes { if !supportedAccessModes.Has(string(mode)) { @@ -659,7 +659,7 @@ func ValidatePersistentVolume(pv *api.PersistentVolume) field.ErrorList { } if len(pv.Spec.Capacity) == 0 { - allErrs = append(allErrs, field.Required(specPath.Child("capacity"))) + allErrs = append(allErrs, field.Required(specPath.Child("capacity"), "")) } if _, ok := pv.Spec.Capacity[api.ResourceStorage]; !ok || len(pv.Spec.Capacity) > 1 { @@ -715,8 +715,10 @@ func ValidatePersistentVolume(pv *api.PersistentVolume) field.ErrorList { numVolumes++ allErrs = append(allErrs, validateFCVolumeSource(pv.Spec.FC, specPath.Child("fc"))...) } - if numVolumes != 1 { - allErrs = append(allErrs, field.Invalid(specPath, pv.Spec.PersistentVolumeSource, "exactly 1 volume type is required")) + if numVolumes == 0 { + allErrs = append(allErrs, field.Required(specPath, "must specify a volume type")) + } else if numVolumes > 1 { + allErrs = append(allErrs, field.Invalid(specPath, pv.Spec.PersistentVolumeSource, "may not specify more than 1 volume type")) } return allErrs } @@ -735,7 +737,7 @@ func ValidatePersistentVolumeUpdate(newPv, oldPv *api.PersistentVolume) field.Er func ValidatePersistentVolumeStatusUpdate(newPv, oldPv *api.PersistentVolume) field.ErrorList { allErrs := ValidateObjectMetaUpdate(&newPv.ObjectMeta, &oldPv.ObjectMeta, field.NewPath("metadata")) if len(newPv.ResourceVersion) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("resourceVersion"))) + allErrs = append(allErrs, field.Required(field.NewPath("resourceVersion"), "")) } newPv.Spec = oldPv.Spec return allErrs @@ -745,7 +747,7 @@ func ValidatePersistentVolumeClaim(pvc *api.PersistentVolumeClaim) field.ErrorLi allErrs := ValidateObjectMeta(&pvc.ObjectMeta, true, ValidatePersistentVolumeName, field.NewPath("metadata")) specPath := field.NewPath("spec") if len(pvc.Spec.AccessModes) == 0 { - allErrs = append(allErrs, field.Invalid(specPath.Child("accessModes"), pvc.Spec.AccessModes, "at least 1 accessMode is required")) + allErrs = append(allErrs, field.Required(specPath.Child("accessModes"), "at least 1 accessMode is required")) } for _, mode := range pvc.Spec.AccessModes { if mode != api.ReadWriteOnce && mode != api.ReadOnlyMany && mode != api.ReadWriteMany { @@ -753,7 +755,7 @@ func ValidatePersistentVolumeClaim(pvc *api.PersistentVolumeClaim) field.ErrorLi } } if _, ok := pvc.Spec.Resources.Requests[api.ResourceStorage]; !ok { - allErrs = append(allErrs, field.Required(specPath.Child("resources").Key(string(api.ResourceStorage)))) + allErrs = append(allErrs, field.Required(specPath.Child("resources").Key(string(api.ResourceStorage)), "")) } return allErrs } @@ -768,10 +770,10 @@ func ValidatePersistentVolumeClaimUpdate(newPvc, oldPvc *api.PersistentVolumeCla func ValidatePersistentVolumeClaimStatusUpdate(newPvc, oldPvc *api.PersistentVolumeClaim) field.ErrorList { allErrs := ValidateObjectMetaUpdate(&newPvc.ObjectMeta, &oldPvc.ObjectMeta, field.NewPath("metadata")) if len(newPvc.ResourceVersion) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("resourceVersion"))) + allErrs = append(allErrs, field.Required(field.NewPath("resourceVersion"), "")) } if len(newPvc.Spec.AccessModes) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("Spec", "accessModes"))) + allErrs = append(allErrs, field.Required(field.NewPath("Spec", "accessModes"), "")) } capPath := field.NewPath("status", "capacity") for r, qty := range newPvc.Status.Capacity { @@ -807,7 +809,7 @@ func validateContainerPorts(ports []api.ContainerPort, fldPath *field.Path) fiel allErrs = append(allErrs, field.Invalid(idxPath.Child("hostPort"), port.HostPort, PortRangeErrorMsg)) } if len(port.Protocol) == 0 { - allErrs = append(allErrs, field.Required(idxPath.Child("protocol"))) + allErrs = append(allErrs, field.Required(idxPath.Child("protocol"), "")) } else if !supportedPortProtocols.Has(string(port.Protocol)) { allErrs = append(allErrs, field.NotSupported(idxPath.Child("protocol"), port.Protocol, supportedPortProtocols.List())) } @@ -821,7 +823,7 @@ func validateEnv(vars []api.EnvVar, fldPath *field.Path) field.ErrorList { for i, ev := range vars { idxPath := fldPath.Index(i) if len(ev.Name) == 0 { - allErrs = append(allErrs, field.Required(idxPath.Child("name"))) + allErrs = append(allErrs, field.Required(idxPath.Child("name"), "")) } else if !validation.IsCIdentifier(ev.Name) { allErrs = append(allErrs, field.Invalid(idxPath.Child("name"), ev.Name, cIdentifierErrorMsg)) } @@ -848,7 +850,7 @@ func validateEnvVarValueFrom(ev api.EnvVar, fldPath *field.Path) field.ErrorList } if len(ev.Value) != 0 && numSources != 0 { - allErrs = append(allErrs, field.Invalid(fldPath, "", "sources cannot be specified when value is not empty")) + allErrs = append(allErrs, field.Invalid(fldPath, "", "may not be specified when `value` is not empty")) } return allErrs @@ -858,9 +860,9 @@ func validateObjectFieldSelector(fs *api.ObjectFieldSelector, expressions *sets. allErrs := field.ErrorList{} if len(fs.APIVersion) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("apiVersion"))) + allErrs = append(allErrs, field.Required(fldPath.Child("apiVersion"), "")) } else if len(fs.FieldPath) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("fieldPath"))) + allErrs = append(allErrs, field.Required(fldPath.Child("fieldPath"), "")) } else { internalFieldPath, _, err := api.Scheme.ConvertFieldLabel(fs.APIVersion, "Pod", fs.FieldPath, "") if err != nil { @@ -879,12 +881,12 @@ func validateVolumeMounts(mounts []api.VolumeMount, volumes sets.String, fldPath for i, mnt := range mounts { idxPath := fldPath.Index(i) if len(mnt.Name) == 0 { - allErrs = append(allErrs, field.Required(idxPath.Child("name"))) + allErrs = append(allErrs, field.Required(idxPath.Child("name"), "")) } else if !volumes.Has(mnt.Name) { allErrs = append(allErrs, field.NotFound(idxPath.Child("name"), mnt.Name)) } if len(mnt.MountPath) == 0 { - allErrs = append(allErrs, field.Required(idxPath.Child("mountPath"))) + allErrs = append(allErrs, field.Required(idxPath.Child("mountPath"), "")) } } return allErrs @@ -941,7 +943,7 @@ func checkHostPortConflicts(containers []api.Container, fldPath *field.Path) fie func validateExecAction(exec *api.ExecAction, fldPath *field.Path) field.ErrorList { allErrors := field.ErrorList{} if len(exec.Command) == 0 { - allErrors = append(allErrors, field.Required(fldPath.Child("command"))) + allErrors = append(allErrors, field.Required(fldPath.Child("command"), "")) } return allErrors } @@ -949,7 +951,7 @@ func validateExecAction(exec *api.ExecAction, fldPath *field.Path) field.ErrorLi func validateHTTPGetAction(http *api.HTTPGetAction, fldPath *field.Path) field.ErrorList { allErrors := field.ErrorList{} if len(http.Path) == 0 { - allErrors = append(allErrors, field.Required(fldPath.Child("path"))) + allErrors = append(allErrors, field.Required(fldPath.Child("path"), "")) } if http.Port.Type == intstr.Int && !validation.IsValidPortNum(http.Port.IntValue()) { allErrors = append(allErrors, field.Invalid(fldPath.Child("port"), http.Port, PortRangeErrorMsg)) @@ -988,8 +990,10 @@ func validateHandler(handler *api.Handler, fldPath *field.Path) field.ErrorList numHandlers++ allErrors = append(allErrors, validateTCPSocketAction(handler.TCPSocket, fldPath.Child("tcpSocket"))...) } - if numHandlers != 1 { - allErrors = append(allErrors, field.Invalid(fldPath, handler, "exactly 1 handler type is required")) + if numHandlers == 0 { + allErrors = append(allErrors, field.Required(fldPath, "must specify a handler type")) + } else if numHandlers > 1 { + allErrors = append(allErrors, field.Invalid(fldPath, handler, "may not specify more than 1 handler type")) } return allErrors } @@ -1014,7 +1018,7 @@ func validatePullPolicy(policy api.PullPolicy, fldPath *field.Path) field.ErrorL case api.PullAlways, api.PullIfNotPresent, api.PullNever: break case "": - allErrors = append(allErrors, field.Required(fldPath)) + allErrors = append(allErrors, field.Required(fldPath, "")) default: allErrors = append(allErrors, field.NotSupported(fldPath, policy, supportedPullPolicies.List())) } @@ -1026,14 +1030,14 @@ func validateContainers(containers []api.Container, volumes sets.String, fldPath allErrs := field.ErrorList{} if len(containers) == 0 { - return append(allErrs, field.Required(fldPath)) + return append(allErrs, field.Required(fldPath, "")) } allNames := sets.String{} for i, ctr := range containers { idxPath := fldPath.Index(i) if len(ctr.Name) == 0 { - allErrs = append(allErrs, field.Required(idxPath.Child("name"))) + allErrs = append(allErrs, field.Required(idxPath.Child("name"), "")) } else if !validation.IsDNS1123Label(ctr.Name) { allErrs = append(allErrs, field.Invalid(idxPath.Child("name"), ctr.Name, DNS1123LabelErrorMsg)) } else if allNames.Has(ctr.Name) { @@ -1042,7 +1046,7 @@ func validateContainers(containers []api.Container, volumes sets.String, fldPath allNames.Insert(ctr.Name) } if len(ctr.Image) == 0 { - allErrs = append(allErrs, field.Required(idxPath.Child("image"))) + allErrs = append(allErrs, field.Required(idxPath.Child("image"), "")) } if ctr.Lifecycle != nil { allErrs = append(allErrs, validateLifecycle(ctr.Lifecycle, idxPath.Child("lifecycle"))...) @@ -1050,7 +1054,7 @@ func validateContainers(containers []api.Container, volumes sets.String, fldPath allErrs = append(allErrs, validateProbe(ctr.LivenessProbe, idxPath.Child("livenessProbe"))...) // Liveness-specific validation if ctr.LivenessProbe != nil && ctr.LivenessProbe.SuccessThreshold != 1 { - allErrs = append(allErrs, field.Forbidden(idxPath.Child("livenessProbe", "successThreshold"), "must be 1")) + allErrs = append(allErrs, field.Invalid(idxPath.Child("livenessProbe", "successThreshold"), ctr.LivenessProbe.SuccessThreshold, "must be 1")) } allErrs = append(allErrs, validateProbe(ctr.ReadinessProbe, idxPath.Child("readinessProbe"))...) @@ -1073,7 +1077,7 @@ func validateRestartPolicy(restartPolicy *api.RestartPolicy, fldPath *field.Path case api.RestartPolicyAlways, api.RestartPolicyOnFailure, api.RestartPolicyNever: break case "": - allErrors = append(allErrors, field.Required(fldPath)) + allErrors = append(allErrors, field.Required(fldPath, "")) default: validValues := []string{string(api.RestartPolicyAlways), string(api.RestartPolicyOnFailure), string(api.RestartPolicyNever)} allErrors = append(allErrors, field.NotSupported(fldPath, *restartPolicy, validValues)) @@ -1088,7 +1092,7 @@ func validateDNSPolicy(dnsPolicy *api.DNSPolicy, fldPath *field.Path) field.Erro case api.DNSClusterFirst, api.DNSDefault: break case "": - allErrors = append(allErrors, field.Required(fldPath)) + allErrors = append(allErrors, field.Required(fldPath, "")) default: validValues := []string{string(api.DNSClusterFirst), string(api.DNSDefault)} allErrors = append(allErrors, field.NotSupported(fldPath, dnsPolicy, validValues)) @@ -1104,7 +1108,7 @@ func validateHostNetwork(hostNetwork bool, containers []api.Container, fldPath * for i, port := range container.Ports { idxPath := portsPath.Index(i) if port.HostPort != port.ContainerPort { - allErrors = append(allErrors, field.Invalid(idxPath.Child("containerPort"), port.ContainerPort, "must match hostPort when hostNetwork is set to true")) + allErrors = append(allErrors, field.Invalid(idxPath.Child("containerPort"), port.ContainerPort, "must match `hostPort` when `hostNetwork` is true")) } } } @@ -1189,7 +1193,7 @@ func ValidatePodUpdate(newPod, oldPod *api.Pod) field.ErrorList { specPath := field.NewPath("spec") if len(newPod.Spec.Containers) != len(oldPod.Spec.Containers) { //TODO: Pinpoint the specific container that causes the invalid error after we have strategic merge diff - allErrs = append(allErrs, field.Invalid(specPath.Child("containers"), "contents not printed here, please refer to the \"details\"", "may not add or remove containers")) + allErrs = append(allErrs, field.Forbidden(specPath.Child("containers"), "pod updates may not add or remove containers")) return allErrs } pod := *newPod @@ -1202,7 +1206,7 @@ func ValidatePodUpdate(newPod, oldPod *api.Pod) field.ErrorList { pod.Spec.Containers = newContainers if !api.Semantic.DeepEqual(pod.Spec, oldPod.Spec) { //TODO: Pinpoint the specific field that causes the invalid error after we have strategic merge diff - allErrs = append(allErrs, field.Invalid(specPath, "contents not printed here, please refer to the \"details\"", "may not update fields other than container.image")) + allErrs = append(allErrs, field.Forbidden(specPath, "pod updates may not change fields other than `containers[*].image`")) } newPod.Status = oldPod.Status @@ -1216,7 +1220,7 @@ func ValidatePodStatusUpdate(newPod, oldPod *api.Pod) field.ErrorList { // TODO: allow change when bindings are properly decoupled from pods if newPod.Spec.NodeName != oldPod.Spec.NodeName { - allErrs = append(allErrs, field.Invalid(field.NewPath("status", "nodeName"), newPod.Spec.NodeName, "cannot be changed directly")) + allErrs = append(allErrs, field.Forbidden(field.NewPath("status", "nodeName"), "may not be changed directly")) } // For status update we ignore changes to pod spec. @@ -1235,7 +1239,7 @@ func ValidatePodBinding(binding *api.Binding) field.ErrorList { } if len(binding.Target.Name) == 0 { // TODO: When validation becomes versioned, this gets more complicated. - allErrs = append(allErrs, field.Required(field.NewPath("target", "name"))) + allErrs = append(allErrs, field.Required(field.NewPath("target", "name"), "")) } return allErrs @@ -1266,14 +1270,17 @@ func ValidateService(service *api.Service) field.ErrorList { specPath := field.NewPath("spec") if len(service.Spec.Ports) == 0 && service.Spec.ClusterIP != api.ClusterIPNone { - allErrs = append(allErrs, field.Required(specPath.Child("ports"))) + allErrs = append(allErrs, field.Required(specPath.Child("ports"), "")) } if service.Spec.Type == api.ServiceTypeLoadBalancer { for ix := range service.Spec.Ports { port := &service.Spec.Ports[ix] + // This is a workaround for broken cloud environments that + // over-open firewalls. Hopefully it can go away when more clouds + // understand containers better. if port.Port == 10250 { portPath := specPath.Child("ports").Index(ix) - allErrs = append(allErrs, field.Invalid(portPath, port.Port, "can not expose port 10250 externally since it is used by kubelet")) + allErrs = append(allErrs, field.Invalid(portPath, port.Port, "may not expose port 10250 externally since it is used by kubelet")) } } } @@ -1291,7 +1298,7 @@ func ValidateService(service *api.Service) field.ErrorList { } if len(service.Spec.SessionAffinity) == 0 { - allErrs = append(allErrs, field.Required(specPath.Child("sessionAffinity"))) + allErrs = append(allErrs, field.Required(specPath.Child("sessionAffinity"), "")) } else if !supportedSessionAffinityType.Has(string(service.Spec.SessionAffinity)) { allErrs = append(allErrs, field.NotSupported(specPath.Child("sessionAffinity"), service.Spec.SessionAffinity, supportedSessionAffinityType.List())) } @@ -1306,13 +1313,13 @@ func ValidateService(service *api.Service) field.ErrorList { for i, ip := range service.Spec.ExternalIPs { idxPath := ipPath.Index(i) if ip == "0.0.0.0" { - allErrs = append(allErrs, field.Invalid(idxPath, ip, "is not an IP address")) + allErrs = append(allErrs, field.Invalid(idxPath, ip, "must be a valid IP address")) } allErrs = append(allErrs, validateIpIsNotLinkLocalOrLoopback(ip, idxPath)...) } if len(service.Spec.Type) == 0 { - allErrs = append(allErrs, field.Required(specPath.Child("type"))) + allErrs = append(allErrs, field.Required(specPath.Child("type"), "")) } else if !supportedServiceType.Has(string(service.Spec.Type)) { allErrs = append(allErrs, field.NotSupported(specPath.Child("type"), service.Spec.Type, supportedServiceType.List())) } @@ -1322,7 +1329,7 @@ func ValidateService(service *api.Service) field.ErrorList { for i := range service.Spec.Ports { portPath := portsPath.Index(i) if service.Spec.Ports[i].Protocol != api.ProtocolTCP { - allErrs = append(allErrs, field.Invalid(portPath.Child("protocol"), service.Spec.Ports[i].Protocol, "cannot create an external load balancer with non-TCP ports")) + allErrs = append(allErrs, field.Invalid(portPath.Child("protocol"), service.Spec.Ports[i].Protocol, "may not use protocols other than 'TCP' when `type` is 'LoadBalancer'")) } } } @@ -1332,7 +1339,7 @@ func ValidateService(service *api.Service) field.ErrorList { for i := range service.Spec.Ports { portPath := portsPath.Index(i) if service.Spec.Ports[i].NodePort != 0 { - allErrs = append(allErrs, field.Invalid(portPath.Child("nodePort"), service.Spec.Ports[i].NodePort, "cannot specify a node port with services of type ClusterIP")) + allErrs = append(allErrs, field.Invalid(portPath.Child("nodePort"), service.Spec.Ports[i].NodePort, "may not be used when `type` is 'ClusterIP'")) } } } @@ -1351,7 +1358,7 @@ func ValidateService(service *api.Service) field.ErrorList { key.NodePort = port.NodePort _, found := nodePorts[key] if found { - allErrs = append(allErrs, field.Invalid(portPath.Child("nodePort"), port.NodePort, "duplicate nodePort specified")) + allErrs = append(allErrs, field.Duplicate(portPath.Child("nodePort"), port.NodePort)) } nodePorts[key] = true } @@ -1363,7 +1370,7 @@ func validateServicePort(sp *api.ServicePort, requireName, isHeadlessService boo allErrs := field.ErrorList{} if requireName && len(sp.Name) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("name"))) + allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) } else if len(sp.Name) != 0 { if !validation.IsDNS1123Label(sp.Name) { allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), sp.Name, DNS1123LabelErrorMsg)) @@ -1379,7 +1386,7 @@ func validateServicePort(sp *api.ServicePort, requireName, isHeadlessService boo } if len(sp.Protocol) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("protocol"))) + allErrs = append(allErrs, field.Required(fldPath.Child("protocol"), "")) } else if !supportedPortProtocols.Has(string(sp.Protocol)) { allErrs = append(allErrs, field.NotSupported(fldPath.Child("protocol"), sp.Protocol, supportedPortProtocols.List())) } @@ -1440,7 +1447,7 @@ func ValidateNonEmptySelector(selectorMap map[string]string, fldPath *field.Path allErrs := field.ErrorList{} selector := labels.Set(selectorMap).AsSelector() if selector.Empty() { - allErrs = append(allErrs, field.Required(fldPath)) + allErrs = append(allErrs, field.Required(fldPath, "")) } return allErrs } @@ -1449,14 +1456,14 @@ func ValidateNonEmptySelector(selectorMap map[string]string, fldPath *field.Path func ValidatePodTemplateSpecForRC(template *api.PodTemplateSpec, selectorMap map[string]string, replicas int, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if template == nil { - allErrs = append(allErrs, field.Required(fldPath)) + allErrs = append(allErrs, field.Required(fldPath, "")) } else { selector := labels.Set(selectorMap).AsSelector() if !selector.Empty() { // Verify that the RC selector matches the labels in template. labels := labels.Set(template.Labels) if !selector.Matches(labels) { - allErrs = append(allErrs, field.Invalid(fldPath.Child("metadata", "labels"), template.Labels, "selector does not match labels in "+fldPath.String())) + allErrs = append(allErrs, field.Invalid(fldPath.Child("metadata", "labels"), template.Labels, "`selector` does not match template `labels`")) } } allErrs = append(allErrs, ValidatePodTemplateSpec(template, fldPath)...) @@ -1496,7 +1503,7 @@ func ValidateReadOnlyPersistentDisks(volumes []api.Volume, fldPath *field.Path) idxPath := fldPath.Index(i) if vol.GCEPersistentDisk != nil { if vol.GCEPersistentDisk.ReadOnly == false { - allErrs = append(allErrs, field.Invalid(idxPath.Child("gcePersistentDisk", "readOnly"), false, "must be true for replicated pods > 1, as GCE PD can only be mounted on multiple machines if it is read-only.")) + allErrs = append(allErrs, field.Invalid(idxPath.Child("gcePersistentDisk", "readOnly"), false, "must be true for replicated pods > 1; GCE PD can only be mounted on multiple machines if it is read-only")) } } // TODO: What to do for AWS? It doesn't support replicas @@ -1512,7 +1519,7 @@ func ValidateNode(node *api.Node) field.ErrorList { // external ID is required. if len(node.Spec.ExternalID) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("spec", "externalID"))) + allErrs = append(allErrs, field.Required(field.NewPath("spec", "externalID"), "")) } // TODO(rjnagal): Ignore PodCIDR till its completely implemented. @@ -1553,7 +1560,7 @@ func ValidateNodeUpdate(node, oldNode *api.Node) field.ErrorList { // TODO: Add a 'real' error type for this error and provide print actual diffs. if !api.Semantic.DeepEqual(oldNode, node) { glog.V(4).Infof("Update failed validation %#v vs %#v", oldNode, node) - allErrs = append(allErrs, field.Forbidden(field.NewPath(""), "update contains more than labels or capacity changes")) + allErrs = append(allErrs, field.Forbidden(field.NewPath(""), "node updates may only change labels or capacity")) } return allErrs @@ -1564,12 +1571,12 @@ func ValidateNodeUpdate(node, oldNode *api.Node) field.ErrorList { func validateResourceName(value string, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if !validation.IsQualifiedName(value) { - return append(allErrs, field.Invalid(fldPath, value, "resource typename: "+qualifiedNameErrorMsg)) + return append(allErrs, field.Invalid(fldPath, value, qualifiedNameErrorMsg)) } if len(strings.Split(value, "/")) == 1 { if !api.IsStandardResourceName(value) { - return append(allErrs, field.Invalid(fldPath, value, "is neither a standard resource type nor is fully qualified")) + return append(allErrs, field.Invalid(fldPath, value, "must be a standard resource type or fully qualified")) } } @@ -1612,10 +1619,10 @@ func ValidateLimitRange(limitRange *api.LimitRange) field.ErrorList { if limit.Type == api.LimitTypePod { if len(limit.Default) > 0 { - allErrs = append(allErrs, field.Invalid(idxPath.Child("default"), limit.Default, "not supported when limit type is Pod")) + allErrs = append(allErrs, field.Forbidden(idxPath.Child("default"), "may not be specified when `type` is 'Pod'")) } if len(limit.DefaultRequest) > 0 { - allErrs = append(allErrs, field.Invalid(idxPath.Child("defaultRequest"), limit.DefaultRequest, "not supported when limit type is Pod")) + allErrs = append(allErrs, field.Forbidden(idxPath.Child("defaultRequest"), "may not be specified when `type` is 'Pod'")) } } else { for k, q := range limit.Default { @@ -1733,14 +1740,14 @@ func ValidateSecret(secret *api.Secret) field.ErrorList { // Only require Annotations[kubernetes.io/service-account.name] // Additional fields (like Annotations[kubernetes.io/service-account.uid] and Data[token]) might be contributed later by a controller loop if value := secret.Annotations[api.ServiceAccountNameKey]; len(value) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("metadata", "annotations").Key(api.ServiceAccountNameKey))) + allErrs = append(allErrs, field.Required(field.NewPath("metadata", "annotations").Key(api.ServiceAccountNameKey), "")) } case api.SecretTypeOpaque, "": // no-op case api.SecretTypeDockercfg: dockercfgBytes, exists := secret.Data[api.DockerConfigKey] if !exists { - allErrs = append(allErrs, field.Required(dataPath.Key(api.DockerConfigKey))) + allErrs = append(allErrs, field.Required(dataPath.Key(api.DockerConfigKey), "")) break } @@ -1800,7 +1807,7 @@ func ValidateResourceRequirements(requirements *api.ResourceRequirements, fldPat limitValue = quantity.MilliValue() } if limitValue < requestValue { - allErrs = append(allErrs, field.Invalid(fldPath, quantity.String(), "cannot be smaller than request")) + allErrs = append(allErrs, field.Invalid(fldPath, quantity.String(), "must be greater than or equal to request")) } } } @@ -1872,7 +1879,7 @@ func ValidateResourceQuotaUpdate(newResourceQuota, oldResourceQuota *api.Resourc func ValidateResourceQuotaStatusUpdate(newResourceQuota, oldResourceQuota *api.ResourceQuota) field.ErrorList { allErrs := ValidateObjectMetaUpdate(&newResourceQuota.ObjectMeta, &oldResourceQuota.ObjectMeta, field.NewPath("metadata")) if len(newResourceQuota.ResourceVersion) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("resourceVersion"))) + allErrs = append(allErrs, field.Required(field.NewPath("resourceVersion"), "")) } fldPath := field.NewPath("status", "hard") for k, v := range newResourceQuota.Status.Hard { @@ -1931,11 +1938,11 @@ func ValidateNamespaceStatusUpdate(newNamespace, oldNamespace *api.Namespace) fi newNamespace.Spec = oldNamespace.Spec if newNamespace.DeletionTimestamp.IsZero() { if newNamespace.Status.Phase != api.NamespaceActive { - allErrs = append(allErrs, field.Invalid(field.NewPath("status", "Phase"), newNamespace.Status.Phase, "may only be in active status if it does not have a deletion timestamp.")) + allErrs = append(allErrs, field.Invalid(field.NewPath("status", "Phase"), newNamespace.Status.Phase, "may only be 'Active' if `deletionTimestamp` is empty")) } } else { if newNamespace.Status.Phase != api.NamespaceTerminating { - allErrs = append(allErrs, field.Invalid(field.NewPath("status", "Phase"), newNamespace.Status.Phase, "may only be in terminating status if it has a deletion timestamp.")) + allErrs = append(allErrs, field.Invalid(field.NewPath("status", "Phase"), newNamespace.Status.Phase, "may only be 'Terminating' if `deletionTimestamp` is not empty")) } } return allErrs @@ -1971,10 +1978,10 @@ func validateEndpointSubsets(subsets []api.EndpointSubset, fldPath *field.Path) if len(ss.Addresses) == 0 && len(ss.NotReadyAddresses) == 0 { //TODO: consider adding a RequiredOneOf() error for this and similar cases - allErrs = append(allErrs, field.Required(idxPath.Child("addresses or notReadyAddresses"))) + allErrs = append(allErrs, field.Required(idxPath, "must specify `addresses` or `notReadyAddresses`")) } if len(ss.Ports) == 0 { - allErrs = append(allErrs, field.Required(idxPath.Child("ports"))) + allErrs = append(allErrs, field.Required(idxPath.Child("ports"), "")) } for addr := range ss.Addresses { allErrs = append(allErrs, validateEndpointAddress(&ss.Addresses[addr], idxPath.Child("addresses").Index(addr))...) @@ -1990,7 +1997,7 @@ func validateEndpointSubsets(subsets []api.EndpointSubset, fldPath *field.Path) func validateEndpointAddress(address *api.EndpointAddress, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if !validation.IsValidIPv4(address.IP) { - allErrs = append(allErrs, field.Invalid(fldPath.Child("ip"), address.IP, "invalid IPv4 address")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("ip"), address.IP, "must be a valid IPv4 address")) return allErrs } return validateIpIsNotLinkLocalOrLoopback(address.IP, fldPath.Child("ip")) @@ -2002,7 +2009,7 @@ func validateIpIsNotLinkLocalOrLoopback(ipAddress string, fldPath *field.Path) f allErrs := field.ErrorList{} ip := net.ParseIP(ipAddress) if ip == nil { - allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "not a valid IP address")) + allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "must be a valid IP address")) return allErrs } if ip.IsLoopback() { @@ -2020,7 +2027,7 @@ func validateIpIsNotLinkLocalOrLoopback(ipAddress string, fldPath *field.Path) f func validateEndpointPort(port *api.EndpointPort, requireName bool, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if requireName && len(port.Name) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("name"))) + allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) } else if len(port.Name) != 0 { if !validation.IsDNS1123Label(port.Name) { allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), port.Name, DNS1123LabelErrorMsg)) @@ -2030,7 +2037,7 @@ func validateEndpointPort(port *api.EndpointPort, requireName bool, fldPath *fie allErrs = append(allErrs, field.Invalid(fldPath.Child("port"), port.Port, PortRangeErrorMsg)) } if len(port.Protocol) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("protocol"))) + allErrs = append(allErrs, field.Required(fldPath.Child("protocol"), "")) } else if !supportedPortProtocols.Has(string(port.Protocol)) { allErrs = append(allErrs, field.NotSupported(fldPath.Child("protocol"), port.Protocol, supportedPortProtocols.List())) } @@ -2054,13 +2061,13 @@ func ValidateSecurityContext(sc *api.SecurityContext, fldPath *field.Path) field if sc.Privileged != nil { if *sc.Privileged && !capabilities.Get().AllowPrivileged { - allErrs = append(allErrs, field.Forbidden(fldPath.Child("privileged"), sc.Privileged)) + allErrs = append(allErrs, field.Forbidden(fldPath.Child("privileged"), "disallowed by policy")) } } if sc.RunAsUser != nil { if *sc.RunAsUser < 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *sc.RunAsUser, "cannot be negative")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *sc.RunAsUser, isNegativeErrorMsg)) } } return allErrs @@ -2069,17 +2076,17 @@ func ValidateSecurityContext(sc *api.SecurityContext, fldPath *field.Path) field func ValidatePodLogOptions(opts *api.PodLogOptions) field.ErrorList { allErrs := field.ErrorList{} if opts.TailLines != nil && *opts.TailLines < 0 { - allErrs = append(allErrs, field.Invalid(field.NewPath("tailLines"), *opts.TailLines, "must be a non-negative integer or nil")) + allErrs = append(allErrs, field.Invalid(field.NewPath("tailLines"), *opts.TailLines, isNegativeErrorMsg)) } if opts.LimitBytes != nil && *opts.LimitBytes < 1 { - allErrs = append(allErrs, field.Invalid(field.NewPath("limitBytes"), *opts.LimitBytes, "must be a positive integer or nil")) + allErrs = append(allErrs, field.Invalid(field.NewPath("limitBytes"), *opts.LimitBytes, "must be greater than 0")) } switch { case opts.SinceSeconds != nil && opts.SinceTime != nil: - allErrs = append(allErrs, field.Invalid(field.NewPath(""), *opts.SinceSeconds, "only one of sinceTime or sinceSeconds can be provided")) + allErrs = append(allErrs, field.Forbidden(field.NewPath(""), "at most one of `sinceTime` or `sinceSeconds` may be specified")) case opts.SinceSeconds != nil: if *opts.SinceSeconds < 1 { - allErrs = append(allErrs, field.Invalid(field.NewPath("sinceSeconds"), *opts.SinceSeconds, "must be a positive integer")) + allErrs = append(allErrs, field.Invalid(field.NewPath("sinceSeconds"), *opts.SinceSeconds, "must be greater than 0")) } } return allErrs @@ -2092,7 +2099,7 @@ func ValidateLoadBalancerStatus(status *api.LoadBalancerStatus, fldPath *field.P idxPath := fldPath.Child("ingress").Index(i) if len(ingress.IP) > 0 { if isIP := (net.ParseIP(ingress.IP) != nil); !isIP { - allErrs = append(allErrs, field.Invalid(idxPath.Child("ip"), ingress.IP, "must be an IP address")) + allErrs = append(allErrs, field.Invalid(idxPath.Child("ip"), ingress.IP, "must be a valid IP address")) } } if len(ingress.Hostname) > 0 { diff --git a/pkg/api/validation/validation_test.go b/pkg/api/validation/validation_test.go index 5235e9de8ef..c22b05478c4 100644 --- a/pkg/api/validation/validation_test.go +++ b/pkg/api/validation/validation_test.go @@ -65,7 +65,7 @@ func TestValidateObjectMetaCustomName(t *testing.T) { func TestValidateObjectMetaNamespaces(t *testing.T) { errs := ValidateObjectMeta( &api.ObjectMeta{Name: "test", Namespace: "foo.bar"}, - false, + true, func(s string, prefix bool) (bool, string) { return true, "" }, @@ -84,7 +84,7 @@ func TestValidateObjectMetaNamespaces(t *testing.T) { } errs = ValidateObjectMeta( &api.ObjectMeta{Name: "test", Namespace: string(b)}, - false, + true, func(s string, prefix bool) (bool, string) { return true, "" }, @@ -629,7 +629,7 @@ func TestValidateVolumes(t *testing.T) { }, "absolute path": { []api.Volume{{Name: "absolutepath", VolumeSource: absolutePathName}}, - field.ErrorTypeForbidden, + field.ErrorTypeInvalid, "downwardAPI.path", "", }, "dot dot path": { @@ -674,7 +674,7 @@ func TestValidateVolumes(t *testing.T) { }, "absolute target": { []api.Volume{{Name: "absolutetarget", VolumeSource: absPath}}, - field.ErrorTypeForbidden, + field.ErrorTypeInvalid, "gitRepo.directory", "", }, } @@ -843,7 +843,7 @@ func TestValidateEnv(t *testing.T) { }, }, }}, - expectedError: "[0].valueFrom: invalid value '', Details: sources cannot be specified when value is not empty", + expectedError: "[0].valueFrom: invalid value '', Details: may not be specified when `value` is not empty", }, { name: "missing FieldPath on ObjectFieldSelector", @@ -3314,7 +3314,7 @@ func TestValidateLimitRange(t *testing.T) { }, }, }}, - "not supported when limit type is Pod", + "may not be specified when `type` is 'Pod'", }, "default-request-limit-type-pod": { api.LimitRange{ObjectMeta: api.ObjectMeta{Name: "abc", Namespace: "foo"}, Spec: api.LimitRangeSpec{ @@ -3327,7 +3327,7 @@ func TestValidateLimitRange(t *testing.T) { }, }, }}, - "not supported when limit type is Pod", + "may not be specified when `type` is 'Pod'", }, "min value 100m is greater than max value 10m": { api.LimitRange{ObjectMeta: api.ObjectMeta{Name: "abc", Namespace: "foo"}, Spec: api.LimitRangeSpec{ @@ -4002,7 +4002,7 @@ func TestValidateEndpoints(t *testing.T) { }, }, errorType: "FieldValueInvalid", - errorDetail: "invalid IPv4 address", + errorDetail: "must be a valid IPv4 address", }, "Multiple ports, one without name": { endpoints: api.Endpoints{ @@ -4052,7 +4052,7 @@ func TestValidateEndpoints(t *testing.T) { }, }, errorType: "FieldValueInvalid", - errorDetail: "invalid IPv4 address", + errorDetail: "must be a valid IPv4 address", }, "Port missing number": { endpoints: api.Endpoints{ @@ -4122,7 +4122,7 @@ func TestValidateEndpoints(t *testing.T) { for k, v := range errorCases { if errs := ValidateEndpoints(&v.endpoints); len(errs) == 0 || errs[0].Type != v.errorType || !strings.Contains(errs[0].Detail, v.errorDetail) { - t.Errorf("Expected error type %s with detail %s for %s, got %v", v.errorType, v.errorDetail, k, errs) + t.Errorf("[%s] Expected error type %s with detail %q, got %v", k, v.errorType, v.errorDetail, errs) } } } @@ -4172,7 +4172,7 @@ func TestValidateSecurityContext(t *testing.T) { } for k, v := range successCases { if errs := ValidateSecurityContext(v.sc, field.NewPath("field")); len(errs) != 0 { - t.Errorf("[%s Expected success, got %v", k, errs) + t.Errorf("[%s] Expected success, got %v", k, errs) } } @@ -4192,12 +4192,12 @@ func TestValidateSecurityContext(t *testing.T) { "request privileged when capabilities forbids": { sc: privRequestWithGlobalDeny, errorType: "FieldValueForbidden", - errorDetail: "", + errorDetail: "disallowed by policy", }, "negative RunAsUser": { sc: negativeRunAsUser, errorType: "FieldValueInvalid", - errorDetail: "cannot be negative", + errorDetail: isNegativeErrorMsg, }, } for k, v := range errorCases { diff --git a/pkg/apis/extensions/validation/validation.go b/pkg/apis/extensions/validation/validation.go index 570cb856967..5d1064ae31b 100644 --- a/pkg/apis/extensions/validation/validation.go +++ b/pkg/apis/extensions/validation/validation.go @@ -43,16 +43,16 @@ func ValidateHorizontalPodAutoscalerName(name string, prefix bool) (bool, string func validateHorizontalPodAutoscalerSpec(autoscaler extensions.HorizontalPodAutoscalerSpec, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if autoscaler.MinReplicas != nil && *autoscaler.MinReplicas < 1 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("minReplicas"), autoscaler.MinReplicas, `must be greater than or equal to 1`)) + allErrs = append(allErrs, field.Invalid(fldPath.Child("minReplicas"), *autoscaler.MinReplicas, "must be greater than 0")) } if autoscaler.MaxReplicas < 1 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("maxReplicas"), autoscaler.MaxReplicas, `must be greater than or equal to 1`)) + allErrs = append(allErrs, field.Invalid(fldPath.Child("maxReplicas"), autoscaler.MaxReplicas, "must be greater than 0")) } if autoscaler.MinReplicas != nil && autoscaler.MaxReplicas < *autoscaler.MinReplicas { - allErrs = append(allErrs, field.Invalid(fldPath.Child("maxReplicas"), autoscaler.MaxReplicas, `must be greater than or equal to minReplicas`)) + allErrs = append(allErrs, field.Invalid(fldPath.Child("maxReplicas"), autoscaler.MaxReplicas, "must be greater than or equal to `minReplicas`")) } if autoscaler.CPUUtilization != nil && autoscaler.CPUUtilization.TargetPercentage < 1 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("cpuUtilization", "targetPercentage"), autoscaler.CPUUtilization.TargetPercentage, `must be greater than or equal to 1`)) + allErrs = append(allErrs, field.Invalid(fldPath.Child("cpuUtilization", "targetPercentage"), autoscaler.CPUUtilization.TargetPercentage, "must be greater than 0")) } if refErrs := ValidateSubresourceReference(autoscaler.ScaleRef, fldPath.Child("scaleRef")); len(refErrs) > 0 { allErrs = append(allErrs, refErrs...) @@ -65,19 +65,19 @@ func validateHorizontalPodAutoscalerSpec(autoscaler extensions.HorizontalPodAuto func ValidateSubresourceReference(ref extensions.SubresourceReference, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(ref.Kind) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("kind"))) + allErrs = append(allErrs, field.Required(fldPath.Child("kind"), "")) } else if ok, msg := apivalidation.IsValidPathSegmentName(ref.Kind); !ok { allErrs = append(allErrs, field.Invalid(fldPath.Child("kind"), ref.Kind, msg)) } if len(ref.Name) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("name"))) + allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) } else if ok, msg := apivalidation.IsValidPathSegmentName(ref.Name); !ok { allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), ref.Name, msg)) } if len(ref.Subresource) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("subresource"))) + allErrs = append(allErrs, field.Required(fldPath.Child("subresource"), "")) } else if ok, msg := apivalidation.IsValidPathSegmentName(ref.Subresource); !ok { allErrs = append(allErrs, field.Invalid(fldPath.Child("subresource"), ref.Subresource, msg)) } @@ -123,7 +123,7 @@ func ValidateThirdPartyResource(obj *extensions.ThirdPartyResource) field.ErrorL for ix := range obj.Versions { version := &obj.Versions[ix] if len(version.Name) == 0 { - allErrs = append(allErrs, field.Invalid(field.NewPath("versions").Index(ix).Child("name"), version, "can not be empty")) + allErrs = append(allErrs, field.Invalid(field.NewPath("versions").Index(ix).Child("name"), version, "must not be empty")) } if versions.Has(version.Name) { allErrs = append(allErrs, field.Duplicate(field.NewPath("versions").Index(ix).Child("name"), version)) @@ -174,7 +174,7 @@ func ValidateDaemonSetTemplateUpdate(podTemplate, oldPodTemplate *api.PodTemplat // In particular, we do not allow updates to container images at this point. if !api.Semantic.DeepEqual(oldPodTemplate.Spec, podSpec) { // TODO: Pinpoint the specific field that causes the invalid error after we have strategic merge diff - allErrs = append(allErrs, field.Invalid(fldPath.Child("spec"), "content of spec is not printed out, please refer to the \"details\"", "may not update fields other than spec.nodeSelector")) + allErrs = append(allErrs, field.Forbidden(fldPath.Child("spec"), "daemonSet updates may not change fields other than `nodeSelector`")) } return allErrs } @@ -186,13 +186,13 @@ func ValidateDaemonSetSpec(spec *extensions.DaemonSetSpec, fldPath *field.Path) allErrs = append(allErrs, ValidateLabelSelector(spec.Selector, fldPath.Child("selector"))...) if spec.Template == nil { - allErrs = append(allErrs, field.Required(fldPath.Child("template"))) + allErrs = append(allErrs, field.Required(fldPath.Child("template"), "")) return allErrs } selector, err := extensions.LabelSelectorAsSelector(spec.Selector) if err == nil && !selector.Matches(labels.Set(spec.Template.Labels)) { - allErrs = append(allErrs, field.Invalid(fldPath.Child("template", "metadata", "labels"), spec.Template.Labels, "selector does not match template")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("template", "metadata", "labels"), spec.Template.Labels, "`selector` does not match template `labels`")) } allErrs = append(allErrs, apivalidation.ValidatePodTemplateSpec(spec.Template, fldPath.Child("template"))...) @@ -222,7 +222,7 @@ func ValidatePositiveIntOrPercent(intOrPercent intstr.IntOrString, fldPath *fiel allErrs := field.ErrorList{} if intOrPercent.Type == intstr.String { if !validation.IsValidPercent(intOrPercent.StrVal) { - allErrs = append(allErrs, field.Invalid(fldPath, intOrPercent, "should be int(5) or percentage(5%)")) + allErrs = append(allErrs, field.Invalid(fldPath, intOrPercent, "must be an integer or percentage (e.g '5%')")) } } else if intOrPercent.Type == intstr.Int { allErrs = append(allErrs, apivalidation.ValidatePositiveField(int64(intOrPercent.IntValue()), fldPath)...) @@ -252,7 +252,7 @@ func IsNotMoreThan100Percent(intOrStringValue intstr.IntOrString, fldPath *field if !isPercent || value <= 100 { return nil } - allErrs = append(allErrs, field.Invalid(fldPath, intOrStringValue, "should not be more than 100%")) + allErrs = append(allErrs, field.Invalid(fldPath, intOrStringValue, "must not be greater than 100%")) return allErrs } @@ -262,7 +262,7 @@ func ValidateRollingUpdateDeployment(rollingUpdate *extensions.RollingUpdateDepl allErrs = append(allErrs, ValidatePositiveIntOrPercent(rollingUpdate.MaxSurge, fldPath.Child("maxSurge"))...) if getIntOrPercentValue(rollingUpdate.MaxUnavailable) == 0 && getIntOrPercentValue(rollingUpdate.MaxSurge) == 0 { // Both MaxSurge and MaxUnavailable cannot be zero. - allErrs = append(allErrs, field.Invalid(fldPath.Child("maxUnavailable"), rollingUpdate.MaxUnavailable, "cannot be 0 when maxSurge is 0 as well")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("maxUnavailable"), rollingUpdate.MaxUnavailable, "may not be 0 when `maxSurge` is 0")) } // Validate that MaxUnavailable is not more than 100%. allErrs = append(allErrs, IsNotMoreThan100Percent(rollingUpdate.MaxUnavailable, fldPath.Child("maxUnavailable"))...) @@ -277,7 +277,7 @@ func ValidateDeploymentStrategy(strategy *extensions.DeploymentStrategy, fldPath } switch strategy.Type { case extensions.RecreateDeploymentStrategyType: - allErrs = append(allErrs, field.Forbidden(fldPath.Child("rollingUpdate"), "should be nil when strategy type is "+extensions.RecreateDeploymentStrategyType)) + allErrs = append(allErrs, field.Forbidden(fldPath.Child("rollingUpdate"), "may not be specified when strategy `type` is '"+string(extensions.RecreateDeploymentStrategyType+"'"))) case extensions.RollingUpdateDeploymentStrategyType: allErrs = append(allErrs, ValidateRollingUpdateDeployment(strategy.RollingUpdate, fldPath.Child("rollingUpdate"))...) } @@ -317,7 +317,7 @@ func ValidateThirdPartyResourceDataUpdate(update, old *extensions.ThirdPartyReso func ValidateThirdPartyResourceData(obj *extensions.ThirdPartyResourceData) field.ErrorList { allErrs := field.ErrorList{} if len(obj.Name) == 0 { - allErrs = append(allErrs, field.Invalid(field.NewPath("name"), obj.Name, "must be non-empty")) + allErrs = append(allErrs, field.Required(field.NewPath("name"), "")) } return allErrs } @@ -342,7 +342,7 @@ func ValidateJobSpec(spec *extensions.JobSpec, fldPath *field.Path) field.ErrorL allErrs = append(allErrs, apivalidation.ValidatePositiveField(int64(*spec.ActiveDeadlineSeconds), fldPath.Child("activeDeadlineSeconds"))...) } if spec.Selector == nil { - allErrs = append(allErrs, field.Required(fldPath.Child("selector"))) + allErrs = append(allErrs, field.Required(fldPath.Child("selector"), "")) } else { allErrs = append(allErrs, ValidateLabelSelector(spec.Selector, fldPath.Child("selector"))...) } @@ -350,7 +350,7 @@ func ValidateJobSpec(spec *extensions.JobSpec, fldPath *field.Path) field.ErrorL if selector, err := extensions.LabelSelectorAsSelector(spec.Selector); err == nil { labels := labels.Set(spec.Template.Labels) if !selector.Matches(labels) { - allErrs = append(allErrs, field.Invalid(fldPath.Child("template", "metadata", "labels"), spec.Template.Labels, "selector does not match template")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("template", "metadata", "labels"), spec.Template.Labels, "`selector` does not match template `labels`")) } } @@ -417,7 +417,7 @@ func ValidateIngressSpec(spec *extensions.IngressSpec, fldPath *field.Path) fiel if spec.Backend != nil { allErrs = append(allErrs, validateIngressBackend(spec.Backend, fldPath.Child("backend"))...) } else if len(spec.Rules) == 0 { - allErrs = append(allErrs, field.Invalid(fldPath, spec.Rules, "either a default backend or a set of host rules are required for ingress.")) + allErrs = append(allErrs, field.Invalid(fldPath, spec.Rules, "either `backend` or `rules` must be specified")) } if len(spec.Rules) > 0 { allErrs = append(allErrs, validateIngressRules(spec.Rules, fldPath.Child("rules"))...) @@ -442,7 +442,7 @@ func ValidateIngressStatusUpdate(ingress, oldIngress *extensions.Ingress) field. func validateIngressRules(IngressRules []extensions.IngressRule, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(IngressRules) == 0 { - return append(allErrs, field.Required(fldPath)) + return append(allErrs, field.Required(fldPath, "")) } for i, ih := range IngressRules { if len(ih.Host) > 0 { @@ -471,12 +471,12 @@ func validateIngressRuleValue(ingressRule *extensions.IngressRuleValue, fldPath func validateHTTPIngressRuleValue(httpIngressRuleValue *extensions.HTTPIngressRuleValue, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if len(httpIngressRuleValue.Paths) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("paths"))) + allErrs = append(allErrs, field.Required(fldPath.Child("paths"), "")) } for i, rule := range httpIngressRuleValue.Paths { if len(rule.Path) > 0 { if !strings.HasPrefix(rule.Path, "/") { - allErrs = append(allErrs, field.Invalid(fldPath.Child("paths").Index(i).Child("path"), rule.Path, "must begin with '/'")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("paths").Index(i).Child("path"), rule.Path, "must be an absolute path")) } // TODO: More draconian path regex validation. // Path must be a valid regex. This is the basic requirement. @@ -503,7 +503,7 @@ func validateIngressBackend(backend *extensions.IngressBackend, fldPath *field.P // All backends must reference a single local service by name, and a single service port by name or number. if len(backend.ServiceName) == 0 { - return append(allErrs, field.Required(fldPath.Child("serviceName"))) + return append(allErrs, field.Required(fldPath.Child("serviceName"), "")) } else if ok, errMsg := apivalidation.ValidateServiceName(backend.ServiceName, false); !ok { allErrs = append(allErrs, field.Invalid(fldPath.Child("serviceName"), backend.ServiceName, errMsg)) } @@ -523,23 +523,23 @@ func validateIngressBackend(backend *extensions.IngressBackend, fldPath *field.P func validateClusterAutoscalerSpec(spec extensions.ClusterAutoscalerSpec, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if spec.MinNodes < 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("minNodes"), spec.MinNodes, `must be non-negative`)) + allErrs = append(allErrs, field.Invalid(fldPath.Child("minNodes"), spec.MinNodes, "must be greater than or equal to 0")) } if spec.MaxNodes < spec.MinNodes { - allErrs = append(allErrs, field.Invalid(fldPath.Child("maxNodes"), spec.MaxNodes, `must be greater than or equal to minNodes`)) + allErrs = append(allErrs, field.Invalid(fldPath.Child("maxNodes"), spec.MaxNodes, "must be greater than or equal to `minNodes`")) } if len(spec.TargetUtilization) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("targetUtilization"))) + allErrs = append(allErrs, field.Required(fldPath.Child("targetUtilization"), "")) } for _, target := range spec.TargetUtilization { if len(target.Resource) == 0 { - allErrs = append(allErrs, field.Required(fldPath.Child("targetUtilization", "resource"))) + allErrs = append(allErrs, field.Required(fldPath.Child("targetUtilization", "resource"), "")) } if target.Value <= 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("targetUtilization", "value"), target.Value, "must be greater than 0")) } if target.Value > 1 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("targetUtilization", "value"), target.Value, "must be less or equal 1")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("targetUtilization", "value"), target.Value, "must be less than or equal to 1")) } } return allErrs @@ -548,10 +548,10 @@ func validateClusterAutoscalerSpec(spec extensions.ClusterAutoscalerSpec, fldPat func ValidateClusterAutoscaler(autoscaler *extensions.ClusterAutoscaler) field.ErrorList { allErrs := field.ErrorList{} if autoscaler.Name != "ClusterAutoscaler" { - allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "name"), autoscaler.Name, `must be ClusterAutoscaler`)) + allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "name"), autoscaler.Name, "must be 'ClusterAutoscaler'")) } if autoscaler.Namespace != api.NamespaceDefault { - allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "namespace"), autoscaler.Namespace, `must be default`)) + allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "namespace"), autoscaler.Namespace, "must be 'default'")) } allErrs = append(allErrs, validateClusterAutoscalerSpec(autoscaler.Spec, field.NewPath("spec"))...) return allErrs @@ -574,14 +574,14 @@ func ValidateLabelSelectorRequirement(sr extensions.LabelSelectorRequirement, fl switch sr.Operator { case extensions.LabelSelectorOpIn, extensions.LabelSelectorOpNotIn: if len(sr.Values) == 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("values"), sr.Values, "must be non-empty when operator is In or NotIn")) + allErrs = append(allErrs, field.Required(fldPath.Child("values"), "must be specified when `operator` is 'In' or 'NotIn'")) } case extensions.LabelSelectorOpExists, extensions.LabelSelectorOpDoesNotExist: if len(sr.Values) > 0 { - allErrs = append(allErrs, field.Invalid(fldPath.Child("values"), sr.Values, "must be empty when operator is Exists or DoesNotExist")) + allErrs = append(allErrs, field.Forbidden(fldPath.Child("values"), "may not be specified when `operator` is 'Exists' or 'DoesNotExist'")) } default: - allErrs = append(allErrs, field.Invalid(fldPath.Child("operator"), sr.Operator, "not a valid pod selector operator")) + allErrs = append(allErrs, field.Invalid(fldPath.Child("operator"), sr.Operator, "not a valid selector operator")) } allErrs = append(allErrs, apivalidation.ValidateLabelName(sr.Key, fldPath.Child("key"))...) return allErrs @@ -592,7 +592,7 @@ func ValidateScale(scale *extensions.Scale) field.ErrorList { allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&scale.ObjectMeta, true, apivalidation.NameIsDNSSubdomain, field.NewPath("metadata"))...) if scale.Spec.Replicas < 0 { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "replicas"), scale.Spec.Replicas, "must be non-negative")) + allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "replicas"), scale.Spec.Replicas, "must be greater than or equal to 0")) } return allErrs diff --git a/pkg/apis/extensions/validation/validation_test.go b/pkg/apis/extensions/validation/validation_test.go index 768fb31e43c..d29e54486b0 100644 --- a/pkg/apis/extensions/validation/validation_test.go +++ b/pkg/apis/extensions/validation/validation_test.go @@ -168,7 +168,7 @@ func TestValidateHorizontalPodAutoscaler(t *testing.T) { MaxReplicas: 5, }, }, - msg: "must be greater than or equal to 1", + msg: "must be greater than 0", }, { horizontalPodAutoscaler: extensions.HorizontalPodAutoscaler{ @@ -184,7 +184,7 @@ func TestValidateHorizontalPodAutoscaler(t *testing.T) { MaxReplicas: 5, }, }, - msg: "must be greater than or equal to minReplicas", + msg: "must be greater than or equal to `minReplicas`", }, { horizontalPodAutoscaler: extensions.HorizontalPodAutoscaler{ @@ -201,7 +201,7 @@ func TestValidateHorizontalPodAutoscaler(t *testing.T) { CPUUtilization: &extensions.CPUTargetUtilization{TargetPercentage: -70}, }, }, - msg: "must be greater than or equal to 1", + msg: "must be greater than 0", }, } @@ -746,7 +746,7 @@ func TestValidateDeployment(t *testing.T) { invalidSelectorDeployment.Spec.Selector = map[string]string{ "name": "def", } - errorCases["selector does not match labels"] = invalidSelectorDeployment + errorCases["`selector` does not match template `labels`"] = invalidSelectorDeployment // RestartPolicy should be always. invalidRestartPolicyDeployment := validDeployment() @@ -764,7 +764,7 @@ func TestValidateDeployment(t *testing.T) { Type: extensions.RecreateDeploymentStrategyType, RollingUpdate: &extensions.RollingUpdateDeployment{}, } - errorCases["should be nil when strategy type is Recreate"] = invalidRecreateDeployment + errorCases["may not be specified when strategy `type` is 'Recreate'"] = invalidRecreateDeployment // MaxSurge should be in the form of 20%. invalidMaxSurgeDeployment := validDeployment() @@ -774,7 +774,7 @@ func TestValidateDeployment(t *testing.T) { MaxSurge: intstr.FromString("20Percent"), }, } - errorCases["should be int(5) or percentage(5%)"] = invalidMaxSurgeDeployment + errorCases["must be an integer or percentage"] = invalidMaxSurgeDeployment // MaxSurge and MaxUnavailable cannot both be zero. invalidRollingUpdateDeployment := validDeployment() @@ -785,7 +785,7 @@ func TestValidateDeployment(t *testing.T) { MaxUnavailable: intstr.FromInt(0), }, } - errorCases["cannot be 0 when maxSurge is 0 as well"] = invalidRollingUpdateDeployment + errorCases["may not be 0 when `maxSurge` is 0"] = invalidRollingUpdateDeployment // MaxUnavailable should not be more than 100%. invalidMaxUnavailableDeployment := validDeployment() @@ -795,14 +795,14 @@ func TestValidateDeployment(t *testing.T) { MaxUnavailable: intstr.FromString("110%"), }, } - errorCases["should not be more than 100%"] = invalidMaxUnavailableDeployment + errorCases["must not be greater than 100%"] = invalidMaxUnavailableDeployment for k, v := range errorCases { errs := ValidateDeployment(v) if len(errs) == 0 { - t.Errorf("expected failure for %s", k) + t.Errorf("[%s] expected failure", k) } else if !strings.Contains(errs[0].Error(), k) { - t.Errorf("unexpected error: %v, expected: %s", errs[0], k) + t.Errorf("unexpected error: %v, expected: %q", errs[0], k) } } } @@ -841,7 +841,7 @@ func TestValidateJob(t *testing.T) { negative := -1 negative64 := int64(-1) errorCases := map[string]extensions.Job{ - "spec.parallelism:must be non-negative": { + "spec.parallelism:must be greater than or equal to 0": { ObjectMeta: api.ObjectMeta{ Name: "myjob", Namespace: api.NamespaceDefault, @@ -852,7 +852,7 @@ func TestValidateJob(t *testing.T) { Template: validPodTemplateSpec, }, }, - "spec.completions:must be non-negative": { + "spec.completions:must be greater than or equal to 0": { ObjectMeta: api.ObjectMeta{ Name: "myjob", Namespace: api.NamespaceDefault, @@ -863,7 +863,7 @@ func TestValidateJob(t *testing.T) { Template: validPodTemplateSpec, }, }, - "spec.activeDeadlineSeconds:must be non-negative": { + "spec.activeDeadlineSeconds:must be greater than or equal to 0": { ObjectMeta: api.ObjectMeta{ Name: "myjob", Namespace: api.NamespaceDefault, @@ -883,7 +883,7 @@ func TestValidateJob(t *testing.T) { Template: validPodTemplateSpec, }, }, - "spec.template.metadata.labels: invalid value 'map[y:z]', Details: selector does not match template": { + "spec.template.metadata.labels: invalid value 'map[y:z]', Details: selector does not match template `labels`": { ObjectMeta: api.ObjectMeta{ Name: "myjob", Namespace: api.NamespaceDefault, @@ -1155,7 +1155,7 @@ func TestValidateClusterAutoscaler(t *testing.T) { } errorCases := map[string]extensions.ClusterAutoscaler{ - "must be ClusterAutoscaler": { + "must be 'ClusterAutoscaler'": { ObjectMeta: api.ObjectMeta{ Name: "TestClusterAutoscaler", Namespace: api.NamespaceDefault, @@ -1171,7 +1171,7 @@ func TestValidateClusterAutoscaler(t *testing.T) { }, }, }, - "must be default": { + "must be 'default'": { ObjectMeta: api.ObjectMeta{ Name: "ClusterAutoscaler", Namespace: "test", @@ -1188,7 +1188,7 @@ func TestValidateClusterAutoscaler(t *testing.T) { }, }, - `must be non-negative`: { + `must be greater than or equal to 0`: { ObjectMeta: api.ObjectMeta{ Name: "ClusterAutoscaler", Namespace: api.NamespaceDefault, @@ -1204,7 +1204,7 @@ func TestValidateClusterAutoscaler(t *testing.T) { }, }, }, - `must be greater than or equal to minNodes`: { + "must be greater than or equal to `minNodes`": { ObjectMeta: api.ObjectMeta{ Name: "ClusterAutoscaler", Namespace: api.NamespaceDefault, @@ -1236,9 +1236,9 @@ func TestValidateClusterAutoscaler(t *testing.T) { for k, v := range errorCases { errs := ValidateClusterAutoscaler(&v) if len(errs) == 0 { - t.Errorf("expected failure for %s", k) + t.Errorf("[%s] expected failure", k) } else if !strings.Contains(errs[0].Error(), k) { - t.Errorf("unexpected error: %v, expected: %s", errs[0], k) + t.Errorf("unexpected error: %v, expected: %q", errs[0], k) } } } @@ -1294,7 +1294,7 @@ func TestValidateScale(t *testing.T) { Replicas: -1, }, }, - msg: "must be non-negative", + msg: "must be greater than or equal to 0", }, } diff --git a/pkg/kubectl/cmd/logs_test.go b/pkg/kubectl/cmd/logs_test.go index bb9e043bac7..46a29c19dcc 100644 --- a/pkg/kubectl/cmd/logs_test.go +++ b/pkg/kubectl/cmd/logs_test.go @@ -105,17 +105,17 @@ func TestValidateLogFlags(t *testing.T) { { name: "since & since-time", flags: map[string]string{"since": "1h", "since-time": "2006-01-02T15:04:05Z"}, - expected: "only one of sinceTime or sinceSeconds can be provided", + expected: "at most one of `sinceTime` or `sinceSeconds` may be specified", }, { name: "negative limit-bytes", flags: map[string]string{"limit-bytes": "-100"}, - expected: "limitBytes must be a positive integer or nil", + expected: "must be greater than 0", }, { name: "negative tail", flags: map[string]string{"tail": "-100"}, - expected: "tailLines must be a non-negative integer or nil", + expected: "must be greater than or equal to 0", }, } for _, test := range tests { diff --git a/pkg/util/validation/field/errors.go b/pkg/util/validation/field/errors.go index 862cbc3f976..4d0cc4aa036 100644 --- a/pkg/util/validation/field/errors.go +++ b/pkg/util/validation/field/errors.go @@ -47,7 +47,7 @@ func (v *Error) ErrorBody() string { var s string switch v.Type { case ErrorTypeRequired, ErrorTypeTooLong, ErrorTypeInternal: - s = spew.Sprintf("%s", v.Type) + s = fmt.Sprintf("%s", v.Type) default: s = spew.Sprintf("%s '%+v'", v.Type, v.BadValue) } @@ -65,11 +65,11 @@ type ErrorType string // TODO: These values are duplicated in api/types.go, but there's a circular dep. Fix it. const ( // ErrorTypeNotFound is used to report failure to find a requested value - // (e.g. looking up an ID). See NewNotFoundError. + // (e.g. looking up an ID). See NotFound(). ErrorTypeNotFound ErrorType = "FieldValueNotFound" // ErrorTypeRequired is used to report required values that are not // provided (e.g. empty strings, null values, or empty arrays). See - // NewRequiredError. + // Required(). ErrorTypeRequired ErrorType = "FieldValueRequired" // ErrorTypeDuplicate is used to report collisions of values that must be // unique (e.g. unique IDs). See Duplicate(). @@ -90,7 +90,7 @@ const ( // too-long value. See TooLong(). ErrorTypeTooLong ErrorType = "FieldValueTooLong" // ErrorTypeInternal is used to report other errors that are not related - // to user input. + // to user input. See InternalError(). ErrorTypeInternal ErrorType = "InternalError" ) @@ -119,32 +119,32 @@ func (t ErrorType) String() string { } } -// NewNotFoundError returns a *Error indicating "value not found". This is +// NotFound returns a *Error indicating "value not found". This is // used to report failure to find a requested value (e.g. looking up an ID). func NotFound(field *Path, value interface{}) *Error { return &Error{ErrorTypeNotFound, field.String(), value, ""} } -// NewRequiredError returns a *Error indicating "value required". This is used +// Required returns a *Error indicating "value required". This is used // to report required values that are not provided (e.g. empty strings, null // values, or empty arrays). -func Required(field *Path) *Error { - return &Error{ErrorTypeRequired, field.String(), "", ""} +func Required(field *Path, detail string) *Error { + return &Error{ErrorTypeRequired, field.String(), "", detail} } -// NewDuplicateError returns a *Error indicating "duplicate value". This is +// Duplicate returns a *Error indicating "duplicate value". This is // used to report collisions of values that must be unique (e.g. names or IDs). func Duplicate(field *Path, value interface{}) *Error { return &Error{ErrorTypeDuplicate, field.String(), value, ""} } -// NewInvalidError returns a *Error indicating "invalid value". This is used +// Invalid returns a *Error indicating "invalid value". This is used // to report malformed values (e.g. failed regex match, too long, out of bounds). func Invalid(field *Path, value interface{}, detail string) *Error { return &Error{ErrorTypeInvalid, field.String(), value, detail} } -// NewNotSupportedError returns a *Error indicating "unsupported value". +// NotSupported returns a *Error indicating "unsupported value". // This is used to report unknown values for enumerated fields (e.g. a list of // valid values). func NotSupported(field *Path, value interface{}, validValues []string) *Error { @@ -155,23 +155,23 @@ func NotSupported(field *Path, value interface{}, validValues []string) *Error { return &Error{ErrorTypeNotSupported, field.String(), value, detail} } -// NewForbiddenError returns a *Error indicating "forbidden". This is used to +// Forbidden returns a *Error indicating "forbidden". This is used to // report valid (as per formatting rules) values which would be accepted under // some conditions, but which are not permitted by current conditions (e.g. // security policy). -func Forbidden(field *Path, value interface{}) *Error { - return &Error{ErrorTypeForbidden, field.String(), value, ""} +func Forbidden(field *Path, detail string) *Error { + return &Error{ErrorTypeForbidden, field.String(), "", detail} } -// NewTooLongError returns a *Error indicating "too long". This is used to +// TooLong returns a *Error indicating "too long". This is used to // report that the given value is too long. This is similar to -// NewInvalidError, but the returned error will not include the too-long +// Invalid, but the returned error will not include the too-long // value. func TooLong(field *Path, value interface{}, maxLength int) *Error { return &Error{ErrorTypeTooLong, field.String(), value, fmt.Sprintf("must have at most %d characters", maxLength)} } -// NewInternalError returns a *Error indicating "internal error". This is used +// InternalError returns a *Error indicating "internal error". This is used // to signal that an error was found that was not directly related to user // input. The err argument must be non-nil. func InternalError(field *Path, err error) *Error { diff --git a/pkg/util/validation/field/errors_test.go b/pkg/util/validation/field/errors_test.go index 50ad653f960..49c7638014a 100644 --- a/pkg/util/validation/field/errors_test.go +++ b/pkg/util/validation/field/errors_test.go @@ -44,7 +44,7 @@ func TestMakeFuncs(t *testing.T) { ErrorTypeNotFound, }, { - func() *Error { return Required(NewPath("f")) }, + func() *Error { return Required(NewPath("f"), "d") }, ErrorTypeRequired, }, {