apiextensions: check embedded resources in default values

staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/go-openapi/strfmt"
 	govalidate "github.com/go-openapi/validate"
+	schemaobjectmeta "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta"
 
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	genericvalidation "k8s.io/apimachinery/pkg/api/validation"
@@ -747,8 +748,11 @@ func (v *specStandardValidatorV3) validate(schema *apiextensions.JSONSchemaProps
 		if v.allowDefaults {
 			if s, err := structuralschema.NewStructural(schema); err == nil {
 				// ignore errors here locally. They will show up for the root of the schema.
-				pruned := runtime.DeepCopyJSONValue(*schema.Default)
-				pruning.Prune(pruned, s)
+				pruned := runtime.DeepCopyJSONValue(interface{}(*schema.Default))
+				pruning.Prune(pruned, s, false)
+				if err := schemaobjectmeta.Coerce(fldPath, pruned, s, false, false); err != nil {
+					allErrs = append(allErrs, err)
+				}
 				if !reflect.DeepEqual(pruned, *schema.Default) {
 					allErrs = append(allErrs, field.Invalid(fldPath.Child("default"), schema.Default, "must not have unspecified fields"))
 				}

staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation_test.go

@@ -1679,6 +1679,63 @@ func TestValidateCustomResourceDefinition(t *testing.T) {
 									},
 									XPreserveUnknownFields: pointer.BoolPtr(true),
 								},
+								// x-kubernetes-embedded-resource: true
+								"embedded-fine": {
+									Type:              "object",
+									XEmbeddedResource: true,
+									Properties: map[string]apiextensions.JSONSchemaProps{
+										"foo": {
+											Type: "string",
+										},
+									},
+									Default: jsonPtr(map[string]interface{}{
+										"foo":        "abc",
+										"apiVersion": "foo/v1",
+										"kind":       "v1",
+										"metadata": map[string]interface{}{
+											"name": "foo",
+										},
+									}),
+								},
+								"embedded-preserve": {
+									Type:                   "object",
+									XEmbeddedResource:      true,
+									XPreserveUnknownFields: pointer.BoolPtr(true),
+									Properties: map[string]apiextensions.JSONSchemaProps{
+										"foo": {
+											Type: "string",
+										},
+									},
+									Default: jsonPtr(map[string]interface{}{
+										"foo":        "abc",
+										"apiVersion": "foo/v1",
+										"kind":       "v1",
+										"metadata": map[string]interface{}{
+											"name": "foo",
+										},
+										"bar": int64(42),
+									}),
+								},
+								"embedded-preserve-unpruned-objectmeta": {
+									Type:                   "object",
+									XEmbeddedResource:      true,
+									XPreserveUnknownFields: pointer.BoolPtr(true),
+									Properties: map[string]apiextensions.JSONSchemaProps{
+										"foo": {
+											Type: "string",
+										},
+									},
+									Default: jsonPtr(map[string]interface{}{
+										"foo":        "abc",
+										"apiVersion": "foo/v1",
+										"kind":       "v1",
+										"metadata": map[string]interface{}{
+											"name":        "foo",
+											"unspecified": "bar",
+										},
+										"bar": int64(42),
+									}),
+								},
 							},
 						},
 					},
@@ -1697,6 +1754,7 @@ func TestValidateCustomResourceDefinition(t *testing.T) {
 				// strict here, but want to encourage proper specifications by forbidding other defaults.
 				invalid("spec", "validation", "openAPIV3Schema", "properties[e]", "properties[preserveUnknownFields]", "default"),
 				invalid("spec", "validation", "openAPIV3Schema", "properties[e]", "properties[nestedProperties]", "default"),
+				invalid("spec", "validation", "openAPIV3Schema", "properties[embedded-preserve-unpruned-objectmeta]", "default"),
 			},
 
 			enabledFeatures: []featuregate.Feature{features.CustomResourceDefaulting},