Merge pull request #78829 from sttts/sttts-crd-embedded-resource-metadata-defaulting

apiextensions: complete default-under-metadata validation and storage pruning
2025-07-30 15:05:27 +00:00 · 2019-08-23 17:58:24 -07:00 · 2019-08-23 17:58:24 -07:00 · f9afe46d23
commit f9afe46d23
parent d2e2337744 4fd200c148
19 changed files with 2283 additions and 121 deletions
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/BUILD
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/BUILD
@ -16,21 +16,17 @@ go_library(
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema:go_default_library",
-        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta:go_default_library",
-        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning:go_default_library",
+        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/features:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/api/validation:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library",
-        "//vendor/github.com/go-openapi/strfmt:go_default_library",
-        "//vendor/github.com/go-openapi/validate:go_default_library",
    ],
 )

--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go
@ -21,14 +21,10 @@ import (
 	"reflect"
 	"strings"

-	"github.com/go-openapi/strfmt"
-	govalidate "github.com/go-openapi/validate"
-	schemaobjectmeta "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta"
-
 	"k8s.io/apiextensions-apiserver/pkg/apihelpers"
+	structuraldefaulting "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	genericvalidation "k8s.io/apimachinery/pkg/api/validation"
-	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
 	utilvalidation "k8s.io/apimachinery/pkg/util/validation"
@ -39,7 +35,6 @@ import (
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
-	"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning"
 	apiservervalidation "k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
 	apiextensionsfeatures "k8s.io/apiextensions-apiserver/pkg/features"
 )
@ -659,6 +654,7 @@ func validateCustomResourceDefinitionValidation(customResourceValidation *apiext
 			allowDefaults:            opts.allowDefaults,
 			requireValidPropertyType: opts.requireValidPropertyType,
 		}
+
 		allErrs = append(allErrs, ValidateCustomResourceDefinitionOpenAPISchema(schema, fldPath.Child("openAPIV3Schema"), openAPIV3Schema, true)...)

 		if opts.requireStructuralSchema {
@ -667,8 +663,13 @@ func validateCustomResourceDefinitionValidation(customResourceValidation *apiext
 				if len(allErrs) == 0 {
 					allErrs = append(allErrs, field.Invalid(fldPath.Child("openAPIV3Schema"), "", err.Error()))
 				}
+			} else if validationErrors := structuralschema.ValidateStructural(fldPath.Child("openAPIV3Schema"), ss); len(validationErrors) > 0 {
+				allErrs = append(allErrs, validationErrors...)
+			} else if validationErrors, err := structuraldefaulting.ValidateDefaults(fldPath.Child("openAPIV3Schema"), ss, true); err != nil {
+				// this should never happen
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("openAPIV3Schema"), "", err.Error()))
 			} else {
-				allErrs = append(allErrs, structuralschema.ValidateStructural(ss, fldPath.Child("openAPIV3Schema"))...)
+				allErrs = append(allErrs, validationErrors...)
 			}
 		}
 	}
@ -682,7 +683,7 @@ func validateCustomResourceDefinitionValidation(customResourceValidation *apiext
 	return allErrs
 }

-var metaFields = sets.NewString("metadata", "apiVersion", "kind")
+var metaFields = sets.NewString("metadata", "kind", "apiVersion")

 // ValidateCustomResourceDefinitionOpenAPISchema statically validates
 func ValidateCustomResourceDefinitionOpenAPISchema(schema *apiextensions.JSONSchemaProps, fldPath *field.Path, ssv specStandardValidator, isRoot bool) field.ErrorList {
@ -726,6 +727,7 @@ func ValidateCustomResourceDefinitionOpenAPISchema(schema *apiextensions.JSONSch
 	if len(schema.Properties) != 0 {
 		for property, jsonSchema := range schema.Properties {
 			subSsv := ssv
+
 			if (isRoot || schema.XEmbeddedResource) && metaFields.Has(property) {
 				// we recurse into the schema that applies to ObjectMeta.
 				subSsv = ssv.withInsideResourceMeta()
@ -825,43 +827,12 @@ func (v *specStandardValidatorV3) validate(schema *apiextensions.JSONSchemaProps
 		allErrs = append(allErrs, field.NotSupported(fldPath.Child("type"), schema.Type, openapiV3Types.List()))
 	}

-	if schema.Default != nil {
-		if v.allowDefaults {
-			if s, err := structuralschema.NewStructural(schema); err == nil {
-				// ignore errors here locally. They will show up for the root of the schema.
-
-				clone := runtime.DeepCopyJSONValue(interface{}(*schema.Default))
-				if !v.isInsideResourceMeta {
-					// If we are under metadata, there are implicitly specified fields like kind, apiVersion, metadata, labels.
-					// We cannot prune as they are pruned as well. This allows more defaults than we would like to.
-					// TODO: be precise about pruning under metadata
-					pruning.Prune(clone, s, s.XEmbeddedResource)
-
-					// TODO: coerce correctly if we are not at the object root, but somewhere below.
-					if err := schemaobjectmeta.Coerce(fldPath, clone, s, s.XEmbeddedResource, false); err != nil {
-						allErrs = append(allErrs, err)
-					}
-
-					if !reflect.DeepEqual(clone, interface{}(*schema.Default)) {
-						allErrs = append(allErrs, field.Invalid(fldPath.Child("default"), schema.Default, "must not have unknown fields"))
-					} else if s.XEmbeddedResource {
-						// validate an embedded resource
-						schemaobjectmeta.Validate(fldPath, interface{}(*schema.Default), nil, true)
-					}
-				}
-
-				// validate the default value with user the provided schema.
-				validator := govalidate.NewSchemaValidator(s.ToGoOpenAPI(), nil, "", strfmt.Default)
-
-				allErrs = append(allErrs, apiservervalidation.ValidateCustomResource(fldPath.Child("default"), interface{}(*schema.Default), validator)...)
-			}
-		} else {
-			detail := "must not be set"
-			if len(v.disallowDefaultsReason) > 0 {
-				detail += " " + v.disallowDefaultsReason
-			}
-			allErrs = append(allErrs, field.Forbidden(fldPath.Child("default"), detail))
+	if schema.Default != nil && !v.allowDefaults {
+		detail := "must not be set"
+		if len(v.disallowDefaultsReason) > 0 {
+			detail += " " + v.disallowDefaultsReason
 		}
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("default"), detail))
 	}

 	if schema.ID != "" {
@ -1212,7 +1183,7 @@ func schemaIsNonStructural(schema *apiextensions.JSONSchemaProps) bool {
 	if err != nil {
 		return true
 	}
-	return len(structuralschema.ValidateStructural(ss, nil)) > 0
+	return len(structuralschema.ValidateStructural(nil, ss)) > 0
 }

 // requireValidPropertyType returns true if valid openapi v3 types should be required for the given API version
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation_test.go
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
@ -614,11 +614,24 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 		if val == nil {
 			continue
 		}
-		structuralSchemas[v.Name], err = structuralschema.NewStructural(val.OpenAPIV3Schema)
+		s, err := structuralschema.NewStructural(val.OpenAPIV3Schema)
 		if *crd.Spec.PreserveUnknownFields == false && err != nil {
-			utilruntime.HandleError(err)
+			// This should never happen. If it does, it is a programming error.
+			utilruntime.HandleError(fmt.Errorf("failed to convert schema to structural: %v", err))
 			return nil, fmt.Errorf("the server could not properly serve the CR schema") // validation should avoid this
 		}
+
+		if *crd.Spec.PreserveUnknownFields == false {
+			// we don't own s completely, e.g. defaults are not deep-copied. So better make a copy here.
+			s = s.DeepCopy()
+
+			if err := structuraldefaulting.PruneDefaults(s); err != nil {
+				// This should never happen. If it does, it is a programming error.
+				utilruntime.HandleError(fmt.Errorf("failed to prune defaults: %v", err))
+				return nil, fmt.Errorf("the server could not properly serve the CR schema") // validation should avoid this
+			}
+		}
+		structuralSchemas[v.Name] = s
 	}

 	for _, v := range crd.Spec.Versions {
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/convert.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/convert.go
@ -114,7 +114,7 @@ func newGenerics(s *apiextensions.JSONSchemaProps) (*Generic, error) {
 			if err != nil {
 				return nil, err
 			}
-			g.AdditionalProperties = &StructuralOrBool{Structural: ss}
+			g.AdditionalProperties = &StructuralOrBool{Structural: ss, Bool: true}
 		} else {
 			g.AdditionalProperties = &StructuralOrBool{Bool: s.AdditionalProperties.Allows}
 		}
@ -248,7 +248,7 @@ func newExtensions(s *apiextensions.JSONSchemaProps) (*Extensions, error) {

 	if s.XPreserveUnknownFields != nil {
 		if !*s.XPreserveUnknownFields {
-			return nil, fmt.Errorf("'x-kubernetes-preserve-unknown-fields' must be true or undefined")
+			return nil, fmt.Errorf("internal error: 'x-kubernetes-preserve-unknown-fields' must be true or undefined")
 		}
 		ret.XPreserveUnknownFields = true
 	}
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/BUILD
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/BUILD
@ -2,13 +2,25 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")

 go_library(
    name = "go_default_library",
-    srcs = ["algorithm.go"],
+    srcs = [
+        "algorithm.go",
+        "prune.go",
+        "surroundingobject.go",
+        "validation.go",
+    ],
    importmap = "k8s.io/kubernetes/vendor/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting",
    importpath = "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting",
    visibility = ["//visibility:public"],
    deps = [
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema:go_default_library",
+        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta:go_default_library",
+        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning:go_default_library",
+        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
+        "//vendor/github.com/go-openapi/strfmt:go_default_library",
+        "//vendor/github.com/go-openapi/validate:go_default_library",
    ],
 )

--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/prune.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/prune.go
@ -0,0 +1,91 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package defaulting
+
+import (
+	"fmt"
+	"reflect"
+
+	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
+	structuralobjectmeta "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta"
+	"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// PruneDefaults prunes default values according to the schema and according to
+// the ObjectMeta definition of the running server. It mutates the passed schema.
+func PruneDefaults(s *structuralschema.Structural) error {
+	p := pruner{s}
+	_, err := p.pruneDefaults(s, NewRootObjectFunc())
+	return err
+}
+
+type pruner struct {
+	rootSchema *structuralschema.Structural
+}
+
+func (p *pruner) pruneDefaults(s *structuralschema.Structural, f SurroundingObjectFunc) (changed bool, err error) {
+	if s == nil {
+		return false, nil
+	}
+
+	if s.Default.Object != nil {
+		orig := runtime.DeepCopyJSONValue(s.Default.Object)
+
+		obj, acc, err := f(s.Default.Object)
+		if err != nil {
+			return false, fmt.Errorf("failed to prune default value: %v", err)
+		}
+		if err := structuralobjectmeta.Coerce(nil, obj, p.rootSchema, true, true); err != nil {
+			return false, fmt.Errorf("failed to prune default value: %v", err)
+		}
+		pruning.Prune(obj, p.rootSchema, true)
+		s.Default.Object, _, err = acc(obj)
+		if err != nil {
+			return false, fmt.Errorf("failed to prune default value: %v", err)
+		}
+
+		changed = changed || !reflect.DeepEqual(orig, s.Default.Object)
+	}
+
+	if s.AdditionalProperties != nil && s.AdditionalProperties.Structural != nil {
+		c, err := p.pruneDefaults(s.AdditionalProperties.Structural, f.Child("*"))
+		if err != nil {
+			return false, err
+		}
+		changed = changed || c
+	}
+	if s.Items != nil {
+		c, err := p.pruneDefaults(s.Items, f.Index())
+		if err != nil {
+			return false, err
+		}
+		changed = changed || c
+	}
+	for k, subSchema := range s.Properties {
+		c, err := p.pruneDefaults(&subSchema, f.Child(k))
+		if err != nil {
+			return false, err
+		}
+		if c {
+			s.Properties[k] = subSchema
+			changed = true
+		}
+	}
+
+	return changed, nil
+}
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/surroundingobject.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/surroundingobject.go
@ -0,0 +1,147 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package defaulting
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// AccessorFunc returns a node x in obj on a fixed (implicitly encoded) JSON path
+// if that path exists in obj (found==true). If it does not exist, found is false.
+// If on the path the type of a field is wrong, an error is returned.
+type AccessorFunc func(obj map[string]interface{}) (x interface{}, found bool, err error)
+
+// SurroundingObjectFunc is a surrounding object builder with a given x at a leaf.
+// Which leave is determined by the series of Index() and Child(k) calls.
+// It also returns the inverse of the builder, namely the accessor that extracts x
+// from the test object.
+//
+// With obj, acc, _ := someSurroundingObjectFunc(x) we get:
+//
+//   acc(obj) == x
+//   reflect.DeepEqual(acc(DeepCopy(obj), x) == x
+//
+// where x is the original instance for slices and maps.
+//
+// If after computation of acc the node holding x in obj is mutated (e.g. pruned),
+// the accessor will return that mutated node value (e.g. the pruned x).
+//
+// Example (ignoring the last two return values):
+//
+//   NewRootObjectFunc()(x) == x
+//   NewRootObjectFunc().Index()(x) == [x]
+//   NewRootObjectFunc().Index().Child("foo") == [{"foo": x}]
+//   NewRootObjectFunc().Index().Child("foo").Child("bar") == [{"foo": {"bar":x}}]
+//   NewRootObjectFunc().Index().Child("foo").Child("bar").Index() == [{"foo": {"bar":[x]}}]
+//
+// and:
+//
+//   NewRootObjectFunc(), then acc(x) == x
+//   NewRootObjectFunc().Index(), then acc([x]) == x
+//   NewRootObjectFunc().Index().Child("foo"), then acc([{"foo": x}]) == x
+//   NewRootObjectFunc().Index().Child("foo").Child("bar"), then acc([{"foo": {"bar":x}}]) == x
+//   NewRootObjectFunc().Index().Child("foo").Child("bar").Index(), then acc([{"foo": {"bar":[x]}}]) == x
+type SurroundingObjectFunc func(focus interface{}) (map[string]interface{}, AccessorFunc, error)
+
+// NewRootObjectFunc returns the identity function. The passed focus value
+// must be an object.
+func NewRootObjectFunc() SurroundingObjectFunc {
+	return func(x interface{}) (map[string]interface{}, AccessorFunc, error) {
+		obj, ok := x.(map[string]interface{})
+		if !ok {
+			return nil, nil, fmt.Errorf("object root default value must be of object type")
+		}
+		return obj, func(root map[string]interface{}) (interface{}, bool, error) {
+			return root, true, nil
+		}, nil
+	}
+}
+
+// WithTypeMeta returns a closure with the TypeMeta fields set if they are defined.
+// This mutates f(x).
+func (f SurroundingObjectFunc) WithTypeMeta(meta metav1.TypeMeta) SurroundingObjectFunc {
+	return func(x interface{}) (map[string]interface{}, AccessorFunc, error) {
+		obj, acc, err := f(x)
+		if err != nil {
+			return nil, nil, err
+		}
+		if obj == nil {
+			obj = map[string]interface{}{}
+		}
+		if _, found := obj["kind"]; !found {
+			obj["kind"] = meta.Kind
+		}
+		if _, found := obj["apiVersion"]; !found {
+			obj["apiVersion"] = meta.APIVersion
+		}
+		return obj, acc, err
+	}
+}
+
+// Child returns a function x => f({k: x}) and the corresponding accessor.
+func (f SurroundingObjectFunc) Child(k string) SurroundingObjectFunc {
+	return func(x interface{}) (map[string]interface{}, AccessorFunc, error) {
+		obj, acc, err := f(map[string]interface{}{k: x})
+		if err != nil {
+			return nil, nil, err
+		}
+		return obj, func(obj map[string]interface{}) (interface{}, bool, error) {
+			x, found, err := acc(obj)
+			if err != nil {
+				return nil, false, fmt.Errorf(".%s%v", k, err)
+			}
+			if !found {
+				return nil, false, nil
+			}
+			if x, ok := x.(map[string]interface{}); !ok {
+				return nil, false, fmt.Errorf(".%s must be of object type", k)
+			} else if v, found := x[k]; !found {
+				return nil, false, nil
+			} else {
+				return v, true, nil
+			}
+		}, err
+	}
+}
+
+// Index returns a function x => f([x]) and the corresponding accessor.
+func (f SurroundingObjectFunc) Index() SurroundingObjectFunc {
+	return func(focus interface{}) (map[string]interface{}, AccessorFunc, error) {
+		obj, acc, err := f([]interface{}{focus})
+		if err != nil {
+			return nil, nil, err
+		}
+		return obj, func(obj map[string]interface{}) (interface{}, bool, error) {
+			x, found, err := acc(obj)
+			if err != nil {
+				return nil, false, fmt.Errorf("[]%v", err)
+			}
+			if !found {
+				return nil, false, nil
+			}
+			if x, ok := x.([]interface{}); !ok {
+				return nil, false, fmt.Errorf("[] must be of array type")
+			} else if len(x) == 0 {
+				return nil, false, nil
+			} else {
+				return x[0], true, nil
+			}
+		}, err
+	}
+}
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/validation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting/validation.go
@ -0,0 +1,131 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package defaulting
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/go-openapi/strfmt"
+	goopenapivalidate "github.com/go-openapi/validate"
+
+	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
+	schemaobjectmeta "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta"
+	"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning"
+	apiservervalidation "k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// ValidateDefaults checks that default values validate and are properly pruned.
+func ValidateDefaults(pth *field.Path, s *structuralschema.Structural, isResourceRoot bool) (field.ErrorList, error) {
+	f := NewRootObjectFunc().WithTypeMeta(metav1.TypeMeta{APIVersion: "validation/v1", Kind: "Validation"})
+
+	if isResourceRoot {
+		if s == nil {
+			s = &structuralschema.Structural{}
+		}
+		if !s.XEmbeddedResource {
+			clone := *s
+			clone.XEmbeddedResource = true
+			s = &clone
+		}
+	}
+
+	return validate(pth, s, s, f, false)
+}
+
+// validate is the recursive step func for the validation. insideMeta is true if s specifies
+// TypeMeta or ObjectMeta. The SurroundingObjectFunc f is used to validate defaults of
+// TypeMeta or ObjectMeta fields.
+func validate(pth *field.Path, s *structuralschema.Structural, rootSchema *structuralschema.Structural, f SurroundingObjectFunc, insideMeta bool) (field.ErrorList, error) {
+	if s == nil {
+		return nil, nil
+	}
+
+	if s.XEmbeddedResource {
+		insideMeta = false
+		f = NewRootObjectFunc().WithTypeMeta(metav1.TypeMeta{APIVersion: "validation/v1", Kind: "Validation"})
+		rootSchema = s
+	}
+
+	allErrs := field.ErrorList{}
+
+	if s.Default.Object != nil {
+		validator := goopenapivalidate.NewSchemaValidator(s.ToGoOpenAPI(), nil, "", strfmt.Default)
+
+		if insideMeta {
+			obj, _, err := f(runtime.DeepCopyJSONValue(s.Default.Object))
+			if err != nil {
+				// this should never happen. f(s.Default.Object) only gives an error if f is the
+				// root object func, but the default value is not a map. But then we wouldn't be
+				// in this case.
+				return nil, fmt.Errorf("failed to validate default value inside metadata: %v", err)
+			}
+
+			// check ObjectMeta/TypeMeta and everything else
+			if err := schemaobjectmeta.Coerce(nil, obj, rootSchema, true, false); err != nil {
+				allErrs = append(allErrs, field.Invalid(pth.Child("default"), s.Default.Object, fmt.Sprintf("must result in valid metadata: %v", err)))
+			} else if errs := schemaobjectmeta.Validate(nil, obj, rootSchema, true); len(errs) > 0 {
+				allErrs = append(allErrs, field.Invalid(pth.Child("default"), s.Default.Object, fmt.Sprintf("must result in valid metadata: %v", errs.ToAggregate())))
+			} else if errs := apiservervalidation.ValidateCustomResource(pth.Child("default"), s.Default.Object, validator); len(errs) > 0 {
+				allErrs = append(allErrs, errs...)
+			}
+		} else {
+			// check whether default is pruned
+			pruned := runtime.DeepCopyJSONValue(s.Default.Object)
+			pruning.Prune(pruned, s, s.XEmbeddedResource)
+			if !reflect.DeepEqual(pruned, s.Default.Object) {
+				allErrs = append(allErrs, field.Invalid(pth.Child("default"), s.Default.Object, "must not have unknown fields"))
+			}
+
+			// check ObjectMeta/TypeMeta and everything else
+			if err := schemaobjectmeta.Coerce(pth.Child("default"), s.Default.Object, s, s.XEmbeddedResource, false); err != nil {
+				allErrs = append(allErrs, err)
+			} else if errs := schemaobjectmeta.Validate(pth.Child("default"), s.Default.Object, s, s.XEmbeddedResource); len(errs) > 0 {
+				allErrs = append(allErrs, errs...)
+			} else if errs := apiservervalidation.ValidateCustomResource(pth.Child("default"), s.Default.Object, validator); len(errs) > 0 {
+				allErrs = append(allErrs, errs...)
+			}
+		}
+	}
+
+	// do not follow additionalProperties because defaults are forbidden there
+
+	if s.Items != nil {
+		errs, err := validate(pth.Child("items"), s.Items, rootSchema, f.Index(), insideMeta)
+		if err != nil {
+			return nil, err
+		}
+		allErrs = append(allErrs, errs...)
+	}
+
+	for k, subSchema := range s.Properties {
+		subInsideMeta := insideMeta
+		if s.XEmbeddedResource && (k == "metadata" || k == "apiVersion" || k == "kind") {
+			subInsideMeta = true
+		}
+		errs, err := validate(pth.Child("properties").Key(k), &subSchema, rootSchema, f.Child(k), subInsideMeta)
+		if err != nil {
+			return nil, err
+		}
+		allErrs = append(allErrs, errs...)
+	}
+
+	return allErrs, nil
+}
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning/algorithm.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning/algorithm.go
@ -21,7 +21,8 @@ import (
 )

 // Prune removes object fields in obj which are not specified in s. It skips TypeMeta and ObjectMeta fields
-// if XEmbeddedResource is set to true, or for the root if isResourceRoot=true.
+// if XEmbeddedResource is set to true, or for the root if isResourceRoot=true, i.e. it does not
+// prune unknown metadata fields.
 func Prune(obj interface{}, s *structuralschema.Structural, isResourceRoot bool) {
 	if isResourceRoot {
 		if s == nil {
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/validation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/validation.go
@ -60,7 +60,7 @@ const (
 // * every specified field or array in s is also specified outside of value validation.
 // * metadata at the root can only restrict the name and generateName, and not be specified at all in nested contexts.
 // * additionalProperties at the root is not allowed.
-func ValidateStructural(s *Structural, fldPath *field.Path) field.ErrorList {
+func ValidateStructural(fldPath *field.Path, s *Structural) field.ErrorList {
 	allErrs := field.ErrorList{}

 	allErrs = append(allErrs, validateStructuralInvariants(s, rootLevel, fldPath)...)
@ -170,7 +170,7 @@ func validateStructuralInvariants(s *Structural, lvl level, fldPath *field.Path)
 		}
 	}

-	if s.XEmbeddedResource && !s.XPreserveUnknownFields && s.Properties == nil {
+	if s.XEmbeddedResource && !s.XPreserveUnknownFields && len(s.Properties) == 0 {
 		allErrs = append(allErrs, field.Required(fldPath.Child("properties"), "must not be empty if x-kubernetes-embedded-resource is true without x-kubernetes-preserve-unknown-fields"))
 	}

--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation/validation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation/validation.go
@ -58,10 +58,14 @@ func ValidateCustomResource(fldPath *field.Path, customResource interface{}, val
 		switch err := err.(type) {

 		case *openapierrors.Validation:
-			switch err.Code() {
+			errPath := fldPath
+			if len(err.Name) > 0 && err.Name != "." {
+				errPath = errPath.Child(strings.TrimPrefix(err.Name, "."))
+			}

+			switch err.Code() {
 			case openapierrors.RequiredFailCode:
-				allErrs = append(allErrs, field.Required(fldPath.Child(strings.TrimPrefix(err.Name, ".")), ""))
+				allErrs = append(allErrs, field.Required(errPath, ""))

 			case openapierrors.EnumFailCode:
 				values := []string{}
@ -73,14 +77,14 @@ func ValidateCustomResource(fldPath *field.Path, customResource interface{}, val
 						values = append(values, string(allowedJSON))
 					}
 				}
-				allErrs = append(allErrs, field.NotSupported(fldPath.Child(strings.TrimPrefix(err.Name, ".")), err.Value, values))
+				allErrs = append(allErrs, field.NotSupported(errPath, err.Value, values))

 			default:
 				value := interface{}("")
 				if err.Value != nil {
 					value = err.Value
 				}
-				allErrs = append(allErrs, field.Invalid(fldPath.Child(strings.TrimPrefix(err.Name, ".")), value, err.Error()))
+				allErrs = append(allErrs, field.Invalid(errPath, value, err.Error()))
 			}

 		default:
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/nonstructuralschema/nonstructuralschema_controller.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/nonstructuralschema/nonstructuralschema_controller.go
@ -97,7 +97,7 @@ func calculateCondition(in *apiextensions.CustomResourceDefinition) *apiextensio

 		pth := field.NewPath("spec", "validation", "openAPIV3Schema")

-		allErrs = append(allErrs, schema.ValidateStructural(s, pth)...)
+		allErrs = append(allErrs, schema.ValidateStructural(pth, s)...)
 	}

 	for _, v := range in.Spec.Versions {
@ -114,7 +114,7 @@ func calculateCondition(in *apiextensions.CustomResourceDefinition) *apiextensio

 		pth := field.NewPath("spec", "version").Key(v.Name).Child("schema", "openAPIV3Schema")

-		allErrs = append(allErrs, schema.ValidateStructural(s, pth)...)
+		allErrs = append(allErrs, schema.ValidateStructural(pth, s)...)
 	}

 	if len(allErrs) == 0 {
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder_test.go
@ -362,7 +362,7 @@ func TestNewBuilder(t *testing.T) {
 				if err != nil {
 					t.Fatalf("structural schema error: %v", err)
 				}
-				if errs := structuralschema.ValidateStructural(schema, nil); len(errs) > 0 {
+				if errs := structuralschema.ValidateStructural(nil, schema); len(errs) > 0 {
 					t.Fatalf("structural schema validation error: %v", errs.ToAggregate())
 				}
 				schema = schema.Unfold()
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/v2/conversion_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/v2/conversion_test.go
@ -492,7 +492,7 @@ func Test_ConvertJSONSchemaPropsToOpenAPIv2SchemaByType(t *testing.T) {
 			expected: &spec.Schema{
 				SchemaProps: spec.SchemaProps{
 					AdditionalProperties: &spec.SchemaOrBool{
-						Allows: false,
+						Allows: true,
 						Schema: spec.BooleanProperty(),
 					},
 				},
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/BUILD
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/BUILD
@ -36,6 +36,7 @@ go_test(
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/options:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/features:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/test/integration/fixtures:go_default_library",
+        "//staging/src/k8s.io/apiextensions-apiserver/test/integration/storage:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/api/meta:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/defaulting_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/defaulting_test.go
@ -18,6 +18,7 @@ package integration

 import (
 	"fmt"
+	"reflect"
 	"strings"
 	"testing"
 	"time"
@ -32,11 +33,15 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/dynamic"
 	utilfeaturetesting "k8s.io/component-base/featuregate/testing"

 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	serveroptions "k8s.io/apiextensions-apiserver/pkg/cmd/server/options"
 	"k8s.io/apiextensions-apiserver/pkg/features"
 	"k8s.io/apiextensions-apiserver/test/integration/fixtures"
+	"k8s.io/apiextensions-apiserver/test/integration/storage"
 )

 var defaultingFixture = &apiextensionsv1.CustomResourceDefinition{
@ -146,6 +151,13 @@ properties:
        default: "v1beta2"
 `

+const defaultingFooInstance = `
+kind: Foo
+apiVersion: tests.example.com/v1beta1
+metadata:
+  name: foo
+`
+
 func TestCustomResourceDefaultingWithWatchCache(t *testing.T) {
 	testDefaulting(t, true)
 }
@ -252,7 +264,7 @@ func testDefaulting(t *testing.T, watchCache bool) {
 	t.Logf("Creating CR and expecting defaulted fields in spec, but status does not exist at all")
 	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Versions[0].Name, crd.Spec.Names.Plural})
 	foo := &unstructured.Unstructured{}
-	if err := yaml.Unmarshal([]byte(fooInstance), &foo.Object); err != nil {
+	if err := yaml.Unmarshal([]byte(defaultingFooInstance), &foo.Object); err != nil {
 		t.Fatal(err)
 	}
 	unstructured.SetNestedField(foo.Object, "a", "spec", "a")
@ -400,6 +412,275 @@ func testDefaulting(t *testing.T, watchCache bool) {
 	mustNotExist(foo.Object, [][]string{{"spec", "c"}})
 }

+var metaDefaultingFixture = &apiextensionsv1.CustomResourceDefinition{
+	ObjectMeta: metav1.ObjectMeta{Name: "foos.tests.example.com"},
+	Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+		Group: "tests.example.com",
+		Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+			{
+				Name:    "v1beta1",
+				Storage: true,
+				Served:  true,
+				Subresources: &apiextensionsv1.CustomResourceSubresources{
+					Status: &apiextensionsv1.CustomResourceSubresourceStatus{},
+				},
+			},
+		},
+		Names: apiextensionsv1.CustomResourceDefinitionNames{
+			Plural:   "foos",
+			Singular: "foo",
+			Kind:     "Foo",
+			ListKind: "FooList",
+		},
+		Scope:                 apiextensionsv1.ClusterScoped,
+		PreserveUnknownFields: false,
+	},
+}
+
+const metaDefaultingFooV1beta1Schema = `
+type: object
+properties:
+  fields:
+    type: object
+    x-kubernetes-embedded-resource: true
+    properties:
+      apiVersion:
+        type: string
+        default: foos/v1
+      kind:
+        type: string
+        default: Foo
+      metadata:
+        type: object
+        properties:
+          name:
+            type: string
+            default: Bar
+          unknown:
+            type: string
+            default: unknown
+  fullMetadata:
+    type: object
+    x-kubernetes-embedded-resource: true
+    properties:
+      apiVersion:
+        type: string
+        default: foos/v1
+      kind:
+        type: string
+        default: Foo
+      metadata:
+        type: object
+        default:
+          name: Bar
+          unknown: unknown
+  fullObject:
+    type: object
+    x-kubernetes-embedded-resource: true
+    properties:
+      foo:
+        type: string
+    default:
+      apiVersion: foos/v1
+      kind: Foo
+      metadata:
+        name: Bar
+        unknown: unknown
+  spanning:
+    type: object
+    properties:
+      embedded:
+        type: object
+        properties:
+          foo:
+            type: string
+        x-kubernetes-embedded-resource: true
+    default:
+      embedded:
+        apiVersion: foos/v1
+        kind: Foo
+        metadata:
+          name: Bar
+          unknown: unknown
+  preserve-fields:
+    type: object
+    x-kubernetes-embedded-resource: true
+    x-kubernetes-preserve-unknown-fields: true
+    properties:
+      apiVersion:
+        type: string
+        default: foos/v1
+      kind:
+        type: string
+        default: Foo
+      metadata:
+        type: object
+        properties:
+          name:
+            type: string
+            default: Bar
+          unknown:
+            type: string
+            default: unknown
+  preserve-fullMetadata:
+    type: object
+    x-kubernetes-embedded-resource: true
+    x-kubernetes-preserve-unknown-fields: true
+    properties:
+      apiVersion:
+        type: string
+        default: foos/v1
+      kind:
+        type: string
+        default: Foo
+      metadata:
+        type: object
+        default:
+          name: Bar
+          unknown: unknown
+  preserve-fullObject:
+    type: object
+    x-kubernetes-embedded-resource: true
+    x-kubernetes-preserve-unknown-fields: true
+    default:
+      apiVersion: foos/v1
+      kind: Foo
+      metadata:
+        name: Bar
+        unknown: unknown
+  preserve-spanning:
+    type: object
+    properties:
+      embedded:
+        type: object
+        x-kubernetes-embedded-resource: true
+        x-kubernetes-preserve-unknown-fields: true
+    default:
+      embedded:
+        apiVersion: foos/v1
+        kind: Foo
+        metadata:
+          name: Bar
+          unknown: unknown
+`
+
+const metaDefaultingFooInstance = `
+kind: Foo
+apiVersion: tests.example.com/v1beta1
+metadata:
+  name: foo
+`
+
+func TestCustomResourceDefaultingOfMetaFields(t *testing.T) {
+	defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CustomResourceDefaulting, true)()
+
+	tearDown, config, options, err := fixtures.StartDefaultServer(t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	apiExtensionClient, err := clientset.NewForConfig(config)
+	if err != nil {
+		tearDown()
+		t.Fatal(err)
+	}
+
+	dynamicClient, err := dynamic.NewForConfig(config)
+	if err != nil {
+		tearDown()
+		t.Fatal(err)
+	}
+	defer tearDown()
+
+	crd := metaDefaultingFixture.DeepCopy()
+	crd.Spec.Versions[0].Schema = &apiextensionsv1.CustomResourceValidation{}
+	if err := yaml.Unmarshal([]byte(metaDefaultingFooV1beta1Schema), &crd.Spec.Versions[0].Schema.OpenAPIV3Schema); err != nil {
+		t.Fatal(err)
+	}
+	crd, err = fixtures.CreateNewV1CustomResourceDefinition(crd, apiExtensionClient, dynamicClient)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("Creating CR and expecting defaulted, embedded objects, with the unknown ObjectMeta fields pruned")
+	fooClient := dynamicClient.Resource(schema.GroupVersionResource{Group: crd.Spec.Group, Version: crd.Spec.Versions[0].Name, Resource: crd.Spec.Names.Plural})
+
+	tests := []struct {
+		path  []string
+		value interface{}
+	}{
+		{[]string{"fields"}, map[string]interface{}{"metadata": map[string]interface{}{}}},
+		{[]string{"fullMetadata"}, map[string]interface{}{}},
+		{[]string{"fullObject"}, nil},
+		{[]string{"spanning", "embedded"}, nil},
+		{[]string{"preserve-fields"}, map[string]interface{}{"metadata": map[string]interface{}{}}},
+		{[]string{"preserve-fullMetadata"}, map[string]interface{}{}},
+		{[]string{"preserve-fullObject"}, nil},
+		{[]string{"preserve-spanning", "embedded"}, nil},
+	}
+
+	returnedFoo := &unstructured.Unstructured{}
+	if err := yaml.Unmarshal([]byte(metaDefaultingFooInstance), &returnedFoo.Object); err != nil {
+		t.Fatal(err)
+	}
+	for _, tst := range tests {
+		if tst.value != nil {
+			if err := unstructured.SetNestedField(returnedFoo.Object, tst.value, tst.path...); err != nil {
+				t.Fatal(err)
+			}
+		}
+	}
+	returnedFoo, err = fooClient.Create(returnedFoo, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Unable to create CR: %v", err)
+	}
+	t.Logf("CR created: %#v", returnedFoo.UnstructuredContent())
+
+	// get persisted object
+	RESTOptionsGetter := serveroptions.NewCRDRESTOptionsGetter(*options.RecommendedOptions.Etcd)
+	restOptions, err := RESTOptionsGetter.GetRESTOptions(schema.GroupResource{Group: crd.Spec.Group, Resource: crd.Spec.Names.Plural})
+	if err != nil {
+		t.Fatal(err)
+	}
+	etcdClient, _, err := storage.GetEtcdClients(restOptions.StorageConfig.Transport)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer etcdClient.Close()
+	etcdObjectReader := storage.NewEtcdObjectReader(etcdClient, &restOptions, crd)
+
+	persistedFoo, err := etcdObjectReader.GetStoredCustomResource("", returnedFoo.GetName())
+	if err != nil {
+		t.Fatalf("Unable read CR from stored: %v", err)
+	}
+
+	// check that the returned and persisted object is pruned
+	for _, tst := range tests {
+		for _, foo := range []*unstructured.Unstructured{returnedFoo, persistedFoo} {
+			source := "request"
+			if foo == persistedFoo {
+				source = "persisted"
+			}
+			t.Run(fmt.Sprintf("%s of %s object", strings.Join(tst.path, "."), source), func(t *testing.T) {
+				obj, found, err := unstructured.NestedMap(foo.Object, tst.path...)
+				if err != nil {
+					t.Fatal(err)
+				}
+				if !found {
+					t.Errorf("expected defaulted objected, didn't find any")
+				} else if expected := map[string]interface{}{
+					"apiVersion": "foos/v1",
+					"kind":       "Foo",
+					"metadata": map[string]interface{}{
+						"name": "Bar",
+					},
+				}; !reflect.DeepEqual(obj, expected) {
+					t.Errorf("unexpected defaulted object\n  expected: %v\n  got: %v", expected, obj)
+				}
+			})
+		}
+	}
+}
+
 func jsonPtr(x interface{}) *apiextensionsv1.JSON {
 	bs, err := json.Marshal(x)
 	if err != nil {
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/objectmeta_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/objectmeta_test.go
@ -308,20 +308,6 @@ properties:
      kind: Pod
      labels:
        foo: bar
-  invalidDefaults:
-    type: object
-    properties:
-      embedded:
-        type: object
-        x-kubernetes-embedded-resource: true
-        x-kubernetes-preserve-unknown-fields: true
-        default:
-          apiVersion: "foo/v1"
-          kind: "%"
-          metadata:
-            labels:
-              foo: bar
-              abc: "x y"
 `

 	embeddedResourceInstance = `
@ -501,8 +487,6 @@ func TestEmbeddedResources(t *testing.T) {
 		` embeddedNested.metadata.name: Invalid value: ".."`,
 		` embeddedNested.embedded.kind: Invalid value: "%"`,
 		` embeddedNested.embedded.metadata.name: Invalid value: ".."`,
-		` invalidDefaults.embedded.kind: Invalid value: "%"`,
-		` invalidDefaults.embedded.metadata.labels: Invalid value: "x y"`,
 	}
 	for _, s := range invalidErrors {
 		if !strings.Contains(err.Error(), s) {
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go
@ -137,7 +137,7 @@ properties:
            type: string
 `

-	fooSchemaEmbeddedResourceInstance = fooInstance + `
+	fooSchemaEmbeddedResourceInstance = pruningFooInstance + `
 embeddedPruning:
  apiVersion: foo/v1
  kind: Foo
@ -170,7 +170,7 @@ embeddedNested:
    specified: bar
 `

-	fooInstance = `
+	pruningFooInstance = `
 kind: Foo
 apiVersion: tests.example.com/v1beta1
 metadata:
@ -199,7 +199,7 @@ func TestPruningCreate(t *testing.T) {
 	t.Logf("Creating CR and expect 'unspecified' fields to be pruned")
 	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Version, crd.Spec.Names.Plural})
 	foo := &unstructured.Unstructured{}
-	if err := yaml.Unmarshal([]byte(fooInstance), &foo.Object); err != nil {
+	if err := yaml.Unmarshal([]byte(pruningFooInstance), &foo.Object); err != nil {
 		t.Fatal(err)
 	}
 	unstructured.SetNestedField(foo.Object, "bar", "unspecified")
@ -251,7 +251,7 @@ func TestPruningStatus(t *testing.T) {
 	t.Logf("Creating CR and expect 'unspecified' fields to be pruned")
 	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Version, crd.Spec.Names.Plural})
 	foo := &unstructured.Unstructured{}
-	if err := yaml.Unmarshal([]byte(fooInstance), &foo.Object); err != nil {
+	if err := yaml.Unmarshal([]byte(pruningFooInstance), &foo.Object); err != nil {
 		t.Fatal(err)
 	}
 	foo, err = fooClient.Create(foo, metav1.CreateOptions{})
@ -342,7 +342,7 @@ func TestPruningFromStorage(t *testing.T) {
 	t.Logf("Creating object with unknown field manually in etcd")

 	original := &unstructured.Unstructured{}
-	if err := yaml.Unmarshal([]byte(fooInstance), &original.Object); err != nil {
+	if err := yaml.Unmarshal([]byte(pruningFooInstance), &original.Object); err != nil {
 		t.Fatal(err)
 	}
 	unstructured.SetNestedField(original.Object, "bar", "unspecified")
@ -404,7 +404,7 @@ func TestPruningPatch(t *testing.T) {

 	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Version, crd.Spec.Names.Plural})
 	foo := &unstructured.Unstructured{}
-	if err := yaml.Unmarshal([]byte(fooInstance), &foo.Object); err != nil {
+	if err := yaml.Unmarshal([]byte(pruningFooInstance), &foo.Object); err != nil {
 		t.Fatal(err)
 	}
 	foo, err = fooClient.Create(foo, metav1.CreateOptions{})
@ -457,7 +457,7 @@ func TestPruningCreatePreservingUnknownFields(t *testing.T) {
 	t.Logf("Creating CR and expect 'unspecified' field to be pruned")
 	fooClient := dynamicClient.Resource(schema.GroupVersionResource{crd.Spec.Group, crd.Spec.Version, crd.Spec.Names.Plural})
 	foo := &unstructured.Unstructured{}
-	if err := yaml.Unmarshal([]byte(fooInstance), &foo.Object); err != nil {
+	if err := yaml.Unmarshal([]byte(pruningFooInstance), &foo.Object); err != nil {
 		t.Fatal(err)
 	}
 	unstructured.SetNestedField(foo.Object, "bar", "unspecified")