Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenAPIV3 structural schema violations #2349

Closed
sebgl opened this issue Jan 6, 2020 · 8 comments
Closed

OpenAPIV3 structural schema violations #2349

sebgl opened this issue Jan 6, 2020 · 8 comments
Labels
discuss We need to figure this out

Comments

@sebgl
Copy link
Contributor

sebgl commented Jan 6, 2020

Some violations appear when describing the CRD with kubectl describe crd elasticsearch:

Status:  Accepted Names:
    Categories:      elastic
    Kind:       Elasticsearch    List Kind:  ElasticsearchList
    Plural:     elasticsearches    Short Names:
      es    Singular:  elasticsearch
  Conditions:    Last Transition Time:  2020-01-06T10:47:54Z
    Message:               no conflicts found    Reason:                NoConflicts
    Status:                True    Type:                  NamesAccepted
    Last Transition Time:  <nil>    Message:               the initial names have been accepted
    Reason:                InitialNamesAccepted    Status:                True
    Type:                  Established    Last Transition Time:  2020-01-06T10:47:54Z
    Message:               [spec.validation.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].anyOf[0].type: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[http].properties[s
ervice].properties[spec].properties[ports].items.properties[targetPort].anyOf[1].type: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].type: Required value: must not be 
empty for specified object fields, spec.validation.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[maxUnavailable].anyOf[0].type: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec
].properties[maxUnavailable].anyOf[1].type: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[maxUnavailable].type: Required value: must not be empty for specified object fields, spec.validation.openAPIV3Schema.p
roperties[spec].properties[podDisruptionBudget].properties[spec].properties[minAvailable].anyOf[0].type: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[minAvailable].anyOf[1].type: Forbidden: must be empty to 
be structural, spec.validation.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[minAvailable].type: Required value: must not be empty for specified object fields, spec.validation.openAPIV3Schema.type: Required value: must not be empty at the root]
    Reason:                Violations    Status:                True
    Type:                  NonStructuralSchema  Stored Versions:
    v1
@sebgl sebgl added the discuss We need to figure this out label Jan 6, 2020
@barkbay
Copy link
Contributor

barkbay commented Jan 6, 2020

I don't have these violations, could you give more details about the steps you took and the K8S version (client and server) you are using ?

With K8S 1.12 / Client 1.17 and all-in-one at version 1.0.0-rc4 applied:

Status:
  Accepted Names:
    Categories:
      elastic
    Kind:       Elasticsearch
    List Kind:  ElasticsearchList
    Plural:     elasticsearches
    Short Names:
      es
    Singular:  elasticsearch
  Conditions:
    Last Transition Time:  2020-01-06T11:09:43Z
    Message:               no conflicts found
    Reason:                NoConflicts
    Status:                True
    Type:                  NamesAccepted
    Last Transition Time:  <nil>
    Message:               the initial names have been accepted
    Reason:                InitialNamesAccepted
    Status:                True
    Type:                  Established
  Stored Versions:
    v1

@sebgl
Copy link
Contributor Author

sebgl commented Jan 6, 2020
edited
Loading

I'm running Server 1.15.4-gke2 and Client 1.14 with 1.0.0-rc4.
1.15 brings additional support for structural schemas.

@anyasabo
Copy link
Contributor

anyasabo commented Jan 7, 2020

I can repro it in 1.15 and opened #2365 to make spinning up 1.15 a little easier. Same in Kibana:

[spec.validation.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].anyOf[0].type: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].anyOf[1].type: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].type: Required value: must not be empty for specified object fields, spec.validation.openAPIV3Schema.type: Required value: must not be empty at the root]

and apm

[spec.validation.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].anyOf[0].type: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].anyOf[1].type: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].type: Required value: must not be empty for specified object fields, spec.validation.openAPIV3Schema.type: Required value: must not be empty at the root]

@anyasabo
Copy link
Contributor

anyasabo commented Jan 7, 2020

So this comes from the us embedding the corev1.ServiceSpec which has TargetPort intstr.IntOrString
https://github.com/kubernetes/kubernetes/blob/8548a253de80c787dbcd2b022faffc75c7c23025/pkg/apis/core/types.go#L3545

and we would also need to specify x-kubernetes-int-or-string: true for that to work with structural schema.

See: https://github.com/kubernetes/website/blob/dev-1.15/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md#specifying-a-structural-schema

Looks like this already landed in controller-tools, but just missed the last release:
kubernetes-sigs/controller-tools#360

So we should be able to update to the next version of controller-tools and regenerate CRDs to resolve these.

@anyasabo
Copy link
Contributor

anyasabo commented Jan 8, 2020

I went ahead and verified tried to verify that would fix it. Looks like it adds that marker at least. Here's the CRD generated against the master branch of controller-tools
anyasabo@6c40e06

But it causes more issues due to adding some other ones related to server side apply that don't seem to be recognized in 1.15:
kubernetes-sigs/structured-merge-diff#115

19:23 $ kubectl apply -f config/crds/all-crds.yaml
error: error validating "config/crds/all-crds.yaml": error validating data: [ValidationError(CustomResourceDefinition.spec.validation.openAPIV3Schema.properties.spec.properties.http.properties.service.properties.spec.properties.ports): unknown field "x-kubernetes-list-map-keys" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps, ValidationError(CustomResourceDefinition.spec.validation.openAPIV3Schema.properties.spec.properties.http.properties.service.properties.spec.properties.ports): unknown field "x-kubernetes-list-type" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps]; if you choose to ignore these errors, turn validation off with --validate=false

tl;dr I think we want to wait until the next release of controller-tools and revisit

@barkbay barkbay mentioned this issue Jun 23, 2020
Closed
@CannibalVox
Copy link

CannibalVox commented Apr 7, 2021
edited
Loading 

  Accepted Names:
    Categories:
      elastic
    Kind:       Elasticsearch
    List Kind:  ElasticsearchList
    Plural:     elasticsearches
    Short Names:
      es
    Singular:  elasticsearch
  Conditions:
    Last Transition Time:  2021-04-06T03:34:19Z
    Message:               [spec.preserveUnknownFields: Invalid value: true: must be false, spec.versions[0].schema.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].type: Required value: must not be empty for specified object fields, spec.versions[0].schema.openAPIV3Schema.properties[spec].properties[nodeSets].items.properties[volumeClaimTemplates].items.properties[spec].properties[resources].properties[limits].additionalProperties.type: Required value: must not be empty for specified object fields, spec.versions[0].schema.openAPIV3Schema.properties[spec].properties[nodeSets].items.properties[volumeClaimTemplates].items.properties[spec].properties[resources].properties[requests].additionalProperties.type: Required value: must not be empty for specified object fields, spec.versions[0].schema.openAPIV3Schema.properties[spec].properties[nodeSets].items.properties[volumeClaimTemplates].items.properties[status].properties[capacity].additionalProperties.type: Required value: must not be empty for specified object fields, spec.versions[0].schema.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[maxUnavailable].type: Required value: must not be empty for specified object fields, spec.versions[0].schema.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[minAvailable].type: Required value: must not be empty for specified object fields, spec.versions[0].schema.openAPIV3Schema.properties[spec].properties[transport].properties[service].properties[spec].properties[ports].items.properties[targetPort].type: Required value: must not be empty for specified object fields, spec.versions[0].schema.openAPIV3Schema.type: Required value: must not be empty at the root, spec.versions[1].schema.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].type: Required value: must not be empty for specified object fields, spec.versions[1].schema.openAPIV3Schema.properties[spec].properties[nodeSets].items.properties[volumeClaimTemplates].items.properties[spec].properties[resources].properties[limits].additionalProperties.type: Required value: must not be empty for specified object fields, spec.versions[1].schema.openAPIV3Schema.properties[spec].properties[nodeSets].items.properties[volumeClaimTemplates].items.properties[spec].properties[resources].properties[requests].additionalProperties.type: Required value: must not be empty for specified object fields, spec.versions[1].schema.openAPIV3Schema.properties[spec].properties[nodeSets].items.properties[volumeClaimTemplates].items.properties[status].properties[capacity].additionalProperties.type: Required value: must not be empty for specified object fields, spec.versions[1].schema.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[maxUnavailable].type: Required value: must not be empty for specified object fields, spec.versions[1].schema.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[minAvailable].type: Required value: must not be empty for specified object fields, spec.versions[1].schema.openAPIV3Schema.properties[spec].properties[transport].properties[service].properties[spec].properties[ports].items.properties[targetPort].type: Required value: must not be empty for specified object fields, spec.versions[1].schema.openAPIV3Schema.type: Required value: must not be empty at the root, spec.versions[2].schema.openAPIV3Schema.properties[spec].properties[http].properties[service].properties[spec].properties[ports].items.properties[targetPort].type: Required value: must not be empty for specified object fields, spec.versions[2].schema.openAPIV3Schema.properties[spec].properties[nodeSets].items.properties[volumeClaimTemplates].items.properties[spec].properties[resources].properties[limits].additionalProperties.type: Required value: must not be empty for specified object fields, spec.versions[2].schema.openAPIV3Schema.properties[spec].properties[nodeSets].items.properties[volumeClaimTemplates].items.properties[spec].properties[resources].properties[requests].additionalProperties.type: Required value: must not be empty for specified object fields, spec.versions[2].schema.openAPIV3Schema.properties[spec].properties[nodeSets].items.properties[volumeClaimTemplates].items.properties[status].properties[capacity].additionalProperties.type: Required value: must not be empty for specified object fields, spec.versions[2].schema.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[maxUnavailable].type: Required value: must not be empty for specified object fields, spec.versions[2].schema.openAPIV3Schema.properties[spec].properties[podDisruptionBudget].properties[spec].properties[minAvailable].type: Required value: must not be empty for specified object fields, spec.versions[2].schema.openAPIV3Schema.properties[spec].properties[transport].properties[service].properties[spec].properties[ports].items.properties[targetPort].type: Required value: must not be empty for specified object fields, spec.versions[2].schema.openAPIV3Schema.type: Required value: must not be empty at the root]
    Reason:                Violations
    Status:                True
    Type:                  NonStructuralSchema
    Last Transition Time:  2021-04-06T03:34:20Z
    Message:               no conflicts found
    Reason:                NoConflicts
    Status:                True
    Type:                  NamesAccepted
    Last Transition Time:  2021-04-06T03:34:20Z
    Message:               the initial names have been accepted
    Reason:                InitialNamesAccepted
    Status:                True
    Type:                  Established
  Stored Versions:
    v1
Events:  <none>

Similar issues, installed from helm chart eck-operator-1.5.0, server version v1.20.2, kubectl client v1.19.7

@CannibalVox
Copy link

I just saw in a related issue an elastic engineer say that you could still spin up resources despite this issue, and I want to clarify that now that schema is out and gaining adoption, tools are starting to depend on it. The new experimental terraform kubernetes provider can spin up CRD resources, but it can't spin up ECK ones, because the schema is busted.

@barkbay
Copy link
Contributor

barkbay commented Jun 10, 2021

I think this should be fixed by #4489

@pebrc pebrc closed this as completed Oct 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
discuss We need to figure this out
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@pebrc @barkbay @sebgl @anyasabo @CannibalVox