-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Skip schemas that don't have CEL rules in NewValidator #111483
Skip schemas that don't have CEL rules in NewValidator #111483
Conversation
Found the issue in kubernetes/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go Line 69 in a4a22a2
Opened a pr against your branch: jpbetz#3 |
Notes: kubernetes/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/validation.go Lines 121 to 122 in a4a22a2
And root level type must be object : kubernetes/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/validation.go Lines 133 to 135 in a4a22a2
The failing test is to test "type: array" without any items at all is completely valid: kubernetes/test/integration/apiserver/apply/apply_crd_test.go Lines 489 to 492 in a4a22a2
So how about instead of adding type missing test case which ideally will not be reached, we could directly fix the currently integration test. The proposed PR: #111504 |
staging/src/k8s.io/apiextensions-apiserver/third_party/forked/celopenapi/model/schemas.go
Outdated
Show resolved
Hide resolved
The problem here is that the root schema has properties but no type, it it had a type it would look like:
|
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go
Show resolved
Hide resolved
Thanks for addressing it. I agree we should add handle when type is empty(ideally it should not be hit though). Our existing validation process do validating if items value is missing when type=array or type missing which are bypassed by this integration test since it's calling etcdclient.Put directly(That is why it's been hit).
|
Good eye. Okay, I feel slightly better about this not being a general class of problems now. Thanks for digging in! |
That is simulating CRDs created via v1beta1, which allowed missing type fields. Those CRDs can be updated via v1, so it's still a scenario that can be encountered. |
Oh right. Okay, so our options are:
(1) would need to be handled both for validation rule registration and default checking. (2) requires test coverage for all the valid v1beta1 schema differences I'm inclined to work toward (1). Any thoughts? |
the scenario is:
am I reading correctly that there are things that pass structural validation that CEL still chokes on? |
27c7f60
to
7acb288
Compare
No, CEL is only choking on things that fail structural validation. I've rewritten this fix to do another structural validation check whenever constructing a |
I've manually verified that |
If both 1 and 2 are true, I'm not sure we need the additional structural validation check |
For 1, yes. Though we do all the validation(structural + cel validation) and save all possible errs back at once. Later we could possible improve it by skipping cel check if other validation err already identified(especially type err).
|
(2) is false, currently at least. It would be most optimal for for CRDs with no CEL rules to have a dedicated routine that checks for validation rules. |
7acb288
to
2c4f514
Compare
Switched this to use a "does the structural schema contain cel validation rules?" check. |
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go
Show resolved
Hide resolved
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go
Show resolved
Hide resolved
Co-authored-by: Cici Huang <cicih@google.com>
2c4f514
to
735b5a6
Compare
I've also opened #111519 to guard the validation codepath. I started looking at it more closely because of this PR. I had been planning to do a change in that code to hide CEL errors if there are schema errors anyway.. |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jpbetz, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
/test pull-kubernetes-e2e-gce-ubuntu-containerd |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #111158 (comment)
Structural schemas are considered valid even if the root object does not explicitly set
Type: "Object"
. This wasn't noticed until the feature gate was enabled by default for CEL andk8s.io/kubernetes/test/integration/apiserver/apply: TestApplyCRDUnhandledSchema
started failing consistently because it tests this specific case.Special notes for your reviewer:
Does this PR introduce a user-facing change?