kubeval icon indicating copy to clipboard operation
kubeval copied to clipboard

Published 20 hours ago verified publisher icon instrumenta

Namespace name isn't validated

Open davidxia opened this issue 5 years ago • 4 comments

Thanks for this useful tool.

I noticed Namespace names aren't validated. Here's my Namespace manifest.

apiVersion: v1
kind: Namespace
metadata:
  name: example.com/dxia-test

kubectl apply -f namespace.yaml

error: error when retrieving current configuration of:
&{0xc4204e1140 0xc4203be0e0 namespace.yaml 0xc420d52458  false}
from server for: "namespace.yaml": invalid resource name "example.com/dxia-test": [may not contain '/']

Expected behavior

The validator gives me the same error as kubectl

Actual behavior

But when I run the validator on that file I get an OK.

docker run -t --rm \
  -v parent-dir-of-namespace-yaml:ro \
  garethr/kubeval \
  --kubernetes-version=1.10.4

The document namespace.yaml contains a valid Namespace

More info

I think these are the k8s validation rules. So I think it's lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc', regex used for validation is [a-z0-9]([-a-z0-9]*[a-z0-9])?).

kubectl version

Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.7", GitCommit:"dd5e1a2978fd0b97d9b78e1564398aeea7e7fe92", GitTreeState:"clean", BuildDate:"2018-04-19T00:05:56Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.5-gke.3", GitCommit:"6265b9797fc8680c8395abeab12c1e3bad14069a", GitTreeState:"clean", BuildDate:"2018-07-19T23:02:51Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}

davidxia avatar Aug 02 '18 16:08 davidxia

This is a bug in the Kubernetes OpenAPI schemas on which kubeval relies unfortunately. It's likely worth filing upstream too.

garethr avatar Aug 17 '18 10:08 garethr

@garethr, thanks for responding. I guess the validation should've been generated here? Do you mind creating an issue upstream? I'm afraid I'm not familiar enough with how things should be setup in a way that'll work.

davidxia avatar Aug 17 '18 13:08 davidxia

@garethr Any idea how to fix that ? Create an issue on the main kubernetes repository ?

nlamirault avatar Aug 21 '19 14:08 nlamirault

The error is saying that the namespace name "example.com/dxia-test" is invalid because it contains the slash '/' which is not allowed. The namespace name must follow the DNS naming rules, this means that it can only contain lowercase letters, numbers and hyphens and cannot begin or end with hyphens.

The solution would be to change the namespace name to something like "example-com-dxia-test". In fact, this needs to be added to kubeval for better code checking.

scovl avatar Feb 06 '23 22:02 scovl