kubeval
'kubeval --strict' fails to report duplicate cidr field
From https://github.com/kubernetes/kubernetes/issues/100213
Policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.4.4/32
        cidr: 1.1.1.1/32
    ports:
    - protocol: TCP
      port: 53
Running kubeval:
kubeval --strict policy.yaml
PASS - policy.yaml contains a valid NetworkPolicy (default.backend)
Expected result: kubeval should report an invalid policy, since it contains multiple cidr blocks -- although CIDR is a string field.
I noticed yaml.UnmarshalStrict does report this problem:
error converting YAML to JSON: yaml: unmarshal errors:
line 17: key "cidr" already set in map
Happy to help out on this if I can get a couple pointers to start moving in the right direction!
This is defined in the schemas https://github.com/instrumenta/kubernetes-json-schema
in https://github.com/instrumenta/kubernetes-json-schema/blob/master/v1.15.7/ipblock-networking-v1.json or https://github.com/instrumenta/kubernetes-json-schema/blob/master/v1.15.7/ipblock.json.
I may be missing something, but to me those schemas seem to be correct since they say cidr is a string:
  "cidr": {
    "description": "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\"",
    "type": [
      "string",
      "null"
    ]
  },
Whereas the problem (again, sorry if I'm missing something! this is just my understanding 😄 ) is that kubeval doesn't report a problem when the cidr field is specified multiple times.
I'm having the same issue with kubeconform; it seems like it might have to do with using Unmarshal vs UnmarshalStrict: https://github.com/go-yaml/yaml/issues/284 , https://pkg.go.dev/gopkg.in/yaml.v2#UnmarshalStrict
I'm not sure UnmarshalStrict can be used here since it will also fail if "any fields that are found in the data that do not have corresponding struct members,". Ideally yaml.Unmarshal would have a parameter to fail on duplicate keys, but it does not.
Note: UnmarshalStrict seems to be gone from goyaml.v3 :man_shrugging:
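As an added illustration (not code from kubeval, kubeconform or go-yaml) of the narrower check the thread is asking for: a dependency-free scan that flags a key repeated inside one mapping but, unlike yaml.UnmarshalStrict, says nothing about unknown fields. It assumes plain block-style YAML with unquoted keys and single-space "- " item markers, and the policy constant is a constructed, trimmed copy of the issue's manifest.

```go
package main
import (
	"fmt"
	"strings"
)
// Constructed, trimmed copy of the issue's NetworkPolicy: "cidr" repeats on line 9.
const policy = `apiVersion: networking.k8s.io/v1
spec:
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.4.4/32
        cidr: 1.1.1.1/32
    ports:
    - protocol: TCP
      port: 53`
// FindDuplicateKeys scans plain block-style YAML (no flow syntax, quoted keys or
// multi-line scalars) and reports every key repeated inside one mapping, the
// information a schema validator never sees once the YAML is decoded into a map.
func FindDuplicateKeys(doc string) []string {
	var dups []string
	var cols []int             // key column of each mapping still open
	var seen []map[string]bool // keys already used in that mapping
	for n, line := range strings.Split(doc, "\n") {
		if t := strings.TrimSpace(line); t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		for len(cols) > 0 && cols[len(cols)-1] > indent { // dedent closes mappings
			cols, seen = cols[:len(cols)-1], seen[:len(seen)-1]
		}
		rest := line[indent:]
		for strings.HasPrefix(rest, "- ") { // each "- " opens a fresh item mapping
			indent, rest = indent+2, rest[2:]
		}
		key, val, ok := strings.Cut(rest, ":")
		if !ok || key == "" || (val != "" && val[0] != ' ') {
			continue // not a "key: value" line, e.g. a bare sequence scalar
		}
		if len(cols) == 0 || cols[len(cols)-1] < indent {
			cols, seen = append(cols, indent), append(seen, map[string]bool{})
		}
		if seen[len(seen)-1][key] {
			dups = append(dups, fmt.Sprintf("line %d: key %q already set in map", n+1, key))
		}
		seen[len(seen)-1][key] = true
	}
	return dups
}
```

Sibling sequence items each get their own mapping, so `- a: 1` followed by `- a: 2` is not reported, while the repeated `cidr` inside one `ipBlock` is.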