Merge pull request #133832 from cbandy/cel-validation-errors-132528

Omit value type from validation rule failures
2026-02-22 07:03:28 +00:00 · 2025-09-03 14:55:21 -07:00
parent 954ac21c6c a67468717c
commit 9e0bc19fdf
3 changed files with 11 additions and 13 deletions
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go
@@ -494,10 +494,8 @@ func (s *Validator) validateExpressions(ctx context.Context, fldPath *field.Path
 		}

 		value := obj
-		if ok {
+		if sts.Type == "object" || sts.Type == "array" {
 			value = field.OmitValueType{}
-		} else if sts.Type == "object" || sts.Type == "array" {
-			value = sts.Type
 		}

 		addErr(fieldErrorForReason(currentFldPath, value, detail, rule.Reason))
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go
@@ -2363,7 +2363,7 @@ func TestValidationExpressionsAtSchemaLevels(t *testing.T) {
 			schema: objectTypePtr(map[string]schema.Structural{
 				"f/2": withRule(objectType(map[string]schema.Structural{"m": integerType}), "self.m == 2"),
 			}),
-			errors: []string{"Invalid value: \"object\": failed rule: self.m == 2"},
+			errors: []string{"Invalid value: failed rule: self.m == 2"},
 		},
 		// unescapable field names that are not accessed by the CEL rule are allowed and should not impact CEL rule validation
 		{name: "invalid rule under unescapable field name",
@@ -2397,7 +2397,7 @@ func TestValidationExpressionsAtSchemaLevels(t *testing.T) {
 			schema: objectTypePtr(map[string]schema.Structural{
 				"a@b": withRule(objectType(map[string]schema.Structural{"m": integerType}), "self.m == 2"),
 			}),
-			errors: []string{"Invalid value: \"object\": failed rule: self.m == 2"},
+			errors: []string{"Invalid value: failed rule: self.m == 2"},
 		},
 		{name: "matchExpressions - 'values' must be specified when 'operator' is 'In' or 'NotIn'",
 			obj: map[string]interface{}{
@@ -4295,7 +4295,7 @@ func TestRatcheting(t *testing.T) {
 				bar: invalid
 			`),
 			errors: []string{
-				`root.foo: Invalid value: "object": gotta be baz`,
+				`root.foo: Invalid value: gotta be baz`,
 			},
 		},
 		{
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/test/example/apiexports_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/test/example/apiexports_test.go
@@ -35,7 +35,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 			name:    "nothing is set",
 			current: map[string]interface{}{},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -67,7 +67,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				},
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -76,7 +76,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				"resourceSelector": nil,
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -85,7 +85,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				"resourceSelector": []interface{}{},
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -103,7 +103,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				"resourceSelector": nil,
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -113,7 +113,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				"resourceSelector": []interface{}{},
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -166,7 +166,7 @@ func TestResourceSelectorCELValidation(t *testing.T) {
 				"namespace": nil,
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items.properties.resourceSelector.items: Invalid value: \"object\": at least one field must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items.properties.resourceSelector.items: Invalid value: at least one field must be set",
 			},
 		},
 		{