kubeval
Invalid deployment gives warning --> returns code 1
kubeval version: 1.15
Using --ignore-missing-schemas for another file provides a "WARN", but gives return code 0
In our pipeline we recently got return code 1 with no "ERR" visible, making me confused. The return code stems from this file:
Not sure if this is expected or not? Seems odd to me, and should rather cast an Error instead of warning.
```
➜ sdp-flux git:(dev) ✗ /mnt/c/appl/kubeval dev/gitlabstats/deployment-patch.yaml
WARN - dev/gitlabstats/deployment-patch.yaml contains an invalid Deployment (monitoring.gitlabstats) - selector: selector is required
WARN - dev/gitlabstats/deployment-patch.yaml contains an invalid Deployment (monitoring.gitlabstats) - template: template is required
➜ sdp-flux git:(dev) ✗ printf '%d\n' $?
1
```
It was hard to spot for me at least, as our pipeline renders many files, and if none provide an error I would presume return code 0, and pipeline is green.
What we are doing is using Kustomize, so the main deployment.yaml file contains labels and selectors, but not the patch
Base:
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: gitlabstats
  name: gitlabstats
  namespace: monitoring
  annotations:
    flux.weave.works/automated: 'true'
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitlabstats
  template:
    metadata:
      labels:
        app: gitlabstats
    spec:
      containers:
        - name: gitlabstats
          image: sdpequinor/gitlabstats
          imagePullPolicy: Always
          ports:
            - containerPort: 5000
              name: http
          env:
            - name: GRAFANA_FREQ
              value: "3600"
            - name: GIT_PRIVATE_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitlabstats-git-key
                  key: GIT_PRIVATE_TOKEN
          resources:
            requests:
              cpu: 100m
              memory: "100Mi"
            limits:
              cpu: 500m
              memory: "200Mi"
```
Dev patch:
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: gitlabstats
  name: gitlabstats
  namespace: monitoring
  annotations:
    flux.weave.works/automated: 'true'
spec:
  replicas: 0
```
Just learned that you can pipe kustomize and kubeval together

```
kubectl kustomize ./dev | kubeval --strict --ignore-missing-schemas
```
but still, I believe this is an issue which can occur in other cases.
I actually just ran into this as well. Some WARN results return 0, while some return 1.
For example, when using --strict --ignore-missing-schemas, any resources that aren't properly validated return a WARN and error code 1, but the missing schemas return 0. So it can be a little confusing to see at a glance if anything actually failed.
It might be a better experience to turn failed schema validations into ERR in the command line, thoughts?
Agreed 👍 perhaps we should take a stab at a PR for this?
Bumping this issue because we recently found this on our pipeline too.
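
An added example, not part of the issue thread and not kubeval's own code: a POSIX shell wrapper for the piped command quoted above that relabels invalid-resource WARN lines as FAIL, so the cause of exit code 1 is visible in a CI log. The function names and the constructed `SAMPLE` are assumptions, and the match relies on the "contains an invalid" wording in the output shown in this issue.

```shell
#!/bin/sh
# Added example, not kubeval's own code. Assumption: a failed validation is
# printed as "WARN - <source> contains an invalid <Kind> ...", the wording
# shown in the output quoted in this issue.

# Constructed sample: two lines from the issue plus one made-up warning.
SAMPLE='WARN - dev/gitlabstats/deployment-patch.yaml contains an invalid Deployment (monitoring.gitlabstats) - selector: selector is required
WARN - dev/gitlabstats/deployment-patch.yaml contains an invalid Deployment (monitoring.gitlabstats) - template: template is required
WARN - constructed line: some other warning'

# Read kubeval output on stdin, relabel invalid-resource WARN lines as FAIL,
# pass every other line through unchanged; return 1 if any were relabelled.
relabel_kubeval() {
    awk '
        /^WARN - .* contains an invalid / { sub(/^WARN/, "FAIL"); failed++ }
        { print }
        END { exit (failed > 0) }
    '
}

# Print the number of invalid-resource lines in kubeval output on stdin.
count_failures() {
    grep -c '^WARN - .* contains an invalid ' || true
}

# Hypothetical pipeline step: render an overlay, validate it, show relabelled
# output, and return kubeval's own exit code (kept as the source of truth).
run_validation() {
    out=$(kubectl kustomize "$1" | kubeval --strict --ignore-missing-schemas 2>&1) \
        && rc=0 || rc=$?
    printf '%s\n' "$out" | relabel_kubeval && seen=0 || seen=$?
    if [ "$rc" -ne 0 ] && [ "$seen" -eq 0 ]; then
        echo "kubeval exited $rc with no invalid-resource line in its output" >&2
    fi
    return "$rc"
}

# Runs only when an overlay directory is given, e.g. ./validate.sh ./dev
if [ -n "${1:-}" ]; then
    run_validation "$1"
fi
```
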