
Error in Job schema in version >= 1.25

Open hadar-co opened this issue 2 years ago • 4 comments

Hi! When running kubeconform against a Job:

apiVersion: batch/v1
kind: Job
metadata:
  name: name
spec:
  ttlSecondsAfterFinished: 3
  template:
    spec:
      containers:
      - name: name2
        image: nginx:latest
        imagePullPolicy: Always
        env:
        - name: blah
          value: blah
      restartPolicy: Never
  backoffLimit: 1
  podFailurePolicy:
    rules:
      - action: FailJob
        onExitCodes:
          containerName: name2
          operator: In
          values: [1]
      - action: Ignore
        onPodConditions:
        - type: DisruptionTarget

I get the following errors:

  • spec.podFailurePolicy.rules.0: onPodConditions is required
  • spec.podFailurePolicy.rules.1.onPodConditions.0: status is required

However, when applying the resource into the cluster no error is given and the k8s server accepts it. Perhaps there is an error in the schema, and these fields should not be required?

hadar-co avatar Jul 03 '23 12:07 hadar-co

Getting similar error for SecurityContext used in Job:

helmfile template | kubeconform -strict -summary -cache /tmp/kubeconform -ignore-missing-schemas -kubernetes-version 1.27.3
Adding repo ingress-nginx https://kubernetes.github.io/ingress-nginx
"ingress-nginx" has been added to your repositories

Templating release=nginx-ingress, chart=ingress-nginx/ingress-nginx
stdin - Job nginx-ingress-ingress-nginx-admission-patch is invalid: problem validating schema. Check JSON formatting: jsonschema: '/spec/template/spec/securityContext' does not validate with https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.27.3-standalone-strict/job-batch-v1.json#/properties/spec/properties/template/properties/spec/properties/securityContext/additionalProperties: additionalProperties 'capabilities', 'privileged', 'allowPrivilegeEscalation' not allowed
stdin - Job nginx-ingress-ingress-nginx-admission-create is invalid: problem validating schema. Check JSON formatting: jsonschema: '/spec/template/spec/securityContext' does not validate with https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.27.3-standalone-strict/job-batch-v1.json#/properties/spec/properties/template/properties/spec/properties/securityContext/additionalProperties: additionalProperties 'privileged', 'allowPrivilegeEscalation', 'capabilities' not allowed
Summary: 19 resources found parsing stdin - Valid: 17, Invalid: 2, Errors: 0, Skipped: 0

Constantin07 avatar Jul 10 '23 20:07 Constantin07

@Constantin07 this is not the same issue. The error that you're getting is correct. Try to apply your file to your cluster and you will see it's getting rejected.

eyarz avatar Jul 11 '23 08:07 eyarz

@eyarz should I raise a separate issue? I did try to apply and it works just fine - no rejection.

Constantin07 avatar Jul 11 '23 08:07 Constantin07

apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
    spec:
      containers:
        - name: patch
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities: privileged

This is a simple Job manifest that I used to reproduce your error, and when I try to apply it to the cluster it's getting rejected (and also failing validation by kubeconform):

➜  kubectl apply -f k8s-demo.yaml --dry-run=server
Error from server (BadRequest): error when creating "k8s-demo.yaml": Job in version "v1" cannot be handled as a Job: strict decoding error: unknown field "spec.template.spec.securityContext.allowPrivilegeEscalation", unknown field "spec.template.spec.securityContext.capabilities"

eyarz avatar Jul 11 '23 08:07 eyarz
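
The fields named in the strict-schema error above (`allowPrivilegeEscalation`, `capabilities`, `privileged`) belong to the container-level `securityContext` in the Kubernetes core/v1 API, not to the pod-level one. The following check is an added example, not code from this thread or from kubeconform: it flags such fields on the pod-level `securityContext` and lists the containers that do not set them themselves. The function names, the placeholder image and the dict form of the manifest are assumptions made for the example.

```python
# Fields defined only on the container-level SecurityContext in the Kubernetes
# core/v1 API; PodSecurityContext (spec.securityContext) does not have them.
CONTAINER_ONLY = {
    "allowPrivilegeEscalation", "capabilities", "privileged",
    "procMount", "readOnlyRootFilesystem",
}

def pod_specs(manifest):
    """Yield (json_path, pod_spec) for the pod spec or pod template of a manifest."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        yield "/spec", spec
    elif kind == "CronJob":
        tpl = spec.get("jobTemplate", {}).get("spec", {}).get("template", {})
        yield "/spec/jobTemplate/spec/template/spec", tpl.get("spec") or {}
    elif "template" in spec:  # Job, Deployment, StatefulSet, DaemonSet, ...
        yield "/spec/template/spec", spec["template"].get("spec") or {}

def misplaced_fields(manifest):
    """Return (path, containers) for container-only fields set at pod level."""
    findings = []
    for path, pod in pod_specs(manifest):
        pod_sc = pod.get("securityContext") or {}
        for field in sorted(CONTAINER_ONLY & pod_sc.keys()):
            # Containers that do not set the field themselves get no such setting.
            unset = [c.get("name") for c in pod.get("containers", [])
                     if field not in (c.get("securityContext") or {})]
            findings.append((f"{path}/securityContext/{field}", unset))
    return findings

# Constructed sample: the reproduction manifest from the thread as a dict
# (image replaced by a placeholder).
JOB = {
    "apiVersion": "batch/v1", "kind": "Job",
    "metadata": {"name": "ingress-nginx-admission-patch"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "patch", "image": "example/image:tag"}],
        "securityContext": {"runAsNonRoot": True,
                            "allowPrivilegeEscalation": False,
                            "capabilities": "privileged"},
    }}},
}

if __name__ == "__main__":
    for path, containers in misplaced_fields(JOB):
        print(f"{path}: not a pod-level field; unset on containers {containers}")
```

Moving the flagged fields under each container's own `securityContext` clears the findings; `runAsNonRoot` is valid at both levels and is not reported.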