controller-tools icon indicating copy to clipboard operation
controller-tools copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

✨ Adds a tool for linting OpenAPI schemas on CRD resources

Open munnerz opened this issue 4 years ago • 11 comments

This PR adds a new CLI tool named crd-linter which will lint/run checks against CRD resources and their corresponding schema.

Initially this includes just 4 linters to check for:

  • SchemaProvided: ensures a schema is provided for all API versions
  • PreserveUnknownFields: ensures that provideUnknownFields and x-kubernetes-preserve-unknown-fields is not used
  • MaxLengthStrings: ensures string typed fields have a maxLength specified
  • MaxItemsArrays: ensures array typed fields have a maxItems specified

This is all in the effort to ensure a higher quality of CRDs, which helps protect apiservers against e.g. too much data being stored in a CRD, or ever-growing number of items in arrays that can cause scalability issues.

These linters aren't aimed at all being "best practice", but providing this tool allows teams to check for potential issues/better understand APIs they are installing and where issues may be found.

I'm not sure where this is best to live, nor am I wedded to any parts of the design of it, so welcome any and all feedback 😄

ref https://kubernetes.slack.com/archives/C0EG7JC6T/p1628592082067800

munnerz avatar Sep 30 '21 16:09 munnerz

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: munnerz To complete the pull request process, please assign vincepri after the PR has been reviewed. You can assign the PR to them by writing /assign @vincepri in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Sep 30 '21 16:09 k8s-ci-robot

Just one failure left, and I'm not sure if it makes sense to change the code here:

cmd/crd-linter/exceptions/exceptions.go:77:9: G306: Expect WriteFile permissions to be 0600 or less (gosec)
	return ioutil.WriteFile(path, []byte(l.String()), 0644)

munnerz avatar Oct 01 '21 08:10 munnerz

Just one failure left, and I'm not sure if it makes sense to change the code here:


cmd/crd-linter/exceptions/exceptions.go:77:9: G306: Expect WriteFile permissions to be 0600 or less (gosec)

	return ioutil.WriteFile(path, []byte(l.String()), 0644)

IMO this should be considered a false positive and suppressed with an annotation.

erikgb avatar Oct 02 '21 20:10 erikgb

Thanks for the review comments, I'll be updating the PR this week 😄

munnerz avatar Oct 25 '21 10:10 munnerz

I've addressed all the feedback - there's just the one open question on the serialisation format for the exceptions file left :)

munnerz avatar Nov 02 '21 11:11 munnerz

@munnerz: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-controller-tools-test-master 2f473e2464bf5f42ad847e9289460d4969c7fbf7 link true /test pull-controller-tools-test-master

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

k8s-ci-robot avatar Nov 02 '21 11:11 k8s-ci-robot

@munnerz: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Nov 11 '21 04:11 k8s-ci-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Apr 06 '22 12:04 k8s-triage-robot

/remove-lifecycle stale

I would like to use this tool! 😊

erikgb avatar Apr 06 '22 12:04 erikgb

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jul 05 '22 13:07 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Aug 04 '22 14:08 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-triage-robot avatar Sep 03 '22 15:09 k8s-triage-robot

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Sep 03 '22 15:09 k8s-ci-robot