
'kubeval --strict' fails to report duplicate cidr field

Open mattfenwick opened this issue 3 years ago • 4 comments

From https://github.com/kubernetes/kubernetes/issues/100213

Policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.4.4/32
        cidr: 1.1.1.1/32
    ports:
    - protocol: TCP
      port: 53

Running kubeval:

kubeval --strict policy.yaml
PASS - policy.yaml contains a valid NetworkPolicy (default.backend)

Expected result: kubeval should report an invalid policy, since it contains multiple cidr blocks -- although CIDR is a string field.

I noticed yaml.UnmarshalStrict does report this problem:

error converting YAML to JSON: yaml: unmarshal errors:
  line 17: key "cidr" already set in map

mattfenwick avatar Mar 15 '21 10:03 mattfenwick

Happy to help out on this if I can get a couple pointers to start moving in the right direction!

mattfenwick avatar Mar 15 '21 10:03 mattfenwick

this is defined in the schemas https://github.com/instrumenta/kubernetes-json-schema

in https://github.com/instrumenta/kubernetes-json-schema/blob/master/v1.15.7/ipblock-networking-v1.json or https://github.com/instrumenta/kubernetes-json-schema/blob/master/v1.15.7/ipblock.json

carlossg avatar Mar 30 '21 08:03 carlossg

I may be missing something, but to me those schemas seem to be correct since they say cidr is a string:

    "cidr": {
      "description": "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\"",
      "type": [
        "string",
        "null"
      ]
    },

Whereas the problem (again, sorry if I'm missing something! this is just my understanding 😄 ) is that kubeval doesn't report a problem when the cidr field is specified multiple times.

mattfenwick avatar Mar 30 '21 11:03 mattfenwick

I'm having the same issue with kubeconform, it seems like it might have to do with using Unmarshal vs UnmarshalStrict https://github.com/go-yaml/yaml/issues/284 , https://pkg.go.dev/gopkg.in/yaml.v2#UnmarshalStrict

I'm not sure UnmarshalStrict can be used here since it will also fail if "ny fields that are found in the data that do not have corresponding struct members,". Ideally yaml.Unmarshal would have a parameter to fail on duplicate keys, but it does not.

Note: UnmarshalStrict seems to be gone from goyaml.v3 :man_shrugging:

yannh avatar Mar 31 '21 11:03 yannh
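The issue body shows that a duplicate `cidr` key slips through `kubeval --strict` because the YAML library silently keeps the last value, and the comment above notes that `UnmarshalStrict` cannot simply be switched on because it also rejects unknown fields. The block below is an added example, not code from kubeval, kubeconform or go-yaml: a small stand-alone pre-check that scans block-style YAML text for keys repeated within the same mapping, so duplicates are reported without rejecting unknown fields. `FindDuplicateKeys`, `mappingKey` and `samplePolicy` are names chosen here; `samplePolicy` is the NetworkPolicy from the issue, and the check is deliberately limited to indentation-based mappings and `- ` sequences (no quoted keys, flow style, multi-line scalars or anchors).

```go
package main

import (
	"fmt"
	"strings"
)

// Duplicate records one repeated key in a block-style YAML mapping.
type Duplicate struct {
	Line int    // 1-based line number of the repeated key
	Key  string // the key that was already set in the same mapping
}

// frame is one open mapping: its indentation column and the keys seen so far.
type frame struct {
	indent int
	keys   map[string]bool
}

// FindDuplicateKeys scans block-style YAML (indentation-based mappings and
// "- " sequences, as in Kubernetes manifests) and reports keys that occur more
// than once within the same mapping. Hypothetical helper written for this
// example; it works on the text itself, so it does not depend on whether the
// YAML library used afterwards is strict about unknown fields.
func FindDuplicateKeys(doc string) []Duplicate {
	var dups []Duplicate
	var stack []frame

	// pop closes every open mapping indented at or beyond col.
	pop := func(col int) {
		for len(stack) > 0 && stack[len(stack)-1].indent >= col {
			stack = stack[:len(stack)-1]
		}
	}

	for i, raw := range strings.Split(doc, "\n") {
		lineNo := i + 1
		line := strings.TrimRight(raw, " \t\r")
		trimmed := strings.TrimSpace(line)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue // blank line or comment
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		rest := line[indent:]

		// Each "- " starts a new sequence item, i.e. a fresh mapping two
		// columns to the right; anything previously open there is closed.
		for strings.HasPrefix(rest, "- ") {
			indent += 2
			rest = rest[2:]
			pop(indent)
		}
		// Dedenting closes every mapping deeper than the current column.
		pop(indent + 1)

		key, ok := mappingKey(rest)
		if !ok {
			continue // scalar sequence entry such as "- Egress"
		}
		if len(stack) == 0 || stack[len(stack)-1].indent != indent {
			stack = append(stack, frame{indent: indent, keys: map[string]bool{}})
		}
		top := stack[len(stack)-1]
		if top.keys[key] {
			dups = append(dups, Duplicate{Line: lineNo, Key: key})
			continue
		}
		top.keys[key] = true
	}
	return dups
}

// mappingKey returns the key when rest looks like "key:" or "key: value".
func mappingKey(rest string) (string, bool) {
	idx := strings.Index(rest, ":")
	if idx <= 0 {
		return "", false
	}
	if idx+1 < len(rest) && rest[idx+1] != ' ' {
		return "", false // colon inside a value (URL, time), not a key separator
	}
	return strings.TrimSpace(rest[:idx]), true
}

// samplePolicy is the NetworkPolicy from the issue; the duplicate cidr is on line 17.
const samplePolicy = `apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.4.4/32
        cidr: 1.1.1.1/32
    ports:
    - protocol: TCP
      port: 53
`

func main() {
	for _, d := range FindDuplicateKeys(samplePolicy) {
		fmt.Printf("line %d: key %q already set in map\n", d.Line, d.Key)
	}
}
```

Run against the issue's policy it reports `line 17: key "cidr" already set in map`, the same location `yaml.UnmarshalStrict` gives, while a manifest whose only problem is an unrecognised field passes untouched and can still be handed to the schema validator.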