| Summary: | Allow more fields at root of CRD schema if status is enabled | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | James Munnelly <james.munnelly> | |
| Component: | kube-apiserver | Assignee: | Stefan Schimanski <sttts> | |
| Status: | CLOSED ERRATA | QA Contact: | Ke Wang <kewang> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 3.11.0 | CC: | aos-bugs, mfojtik, xxia | |
| Target Milestone: | --- | |||
| Target Release: | 3.11.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1803171 (view as bug list) | Environment: | ||
| Last Closed: | 2020-04-07 17:45:54 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | 1803171 | |||
| Bug Blocks: | ||||
Verified with the following OCP ENV, $ ./oc version oc v3.11.188 kubernetes v1.11.0+d4cacc0 features: Basic-Auth GSSAPI Kerberos SPNEGO Server https://ci-vm-...redhat.com:8443 openshift v3.11.188 kubernetes v1.11.0+d4cacc0 - Created one CRD that enable the status with subresource and specifed type: object at the root of their CRD schema, see below, $ cat mycrd1.yaml apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: crontabs.test1.example.com spec: group: test1.example.com versions: - name: v1 served: true storage: true scope: Namespaced names: plural: crontabs singular: crontab kind: CronTab shortNames: - ct # subresources describes the subresources for custom resources. subresources: # status enables the status subresource. status: description: Status of the condition, one of ('True', 'False','Unknown'). enum: - "True" - "False" - Unknown type: string type: object $ ./oc create -f mycrd1.yaml customresourcedefinition.apiextensions.k8s.io/crontabs.test1.example.com created - Created one CRD that enable the status with empty resource and specifed type: object at the root of their CRD schema, see below, $ cat mycrd2.yaml apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: crontabs.test2.example.com spec: group: test2.example.com versions: - name: v1 served: true storage: true scope: Namespaced names: plural: crontabs singular: crontab kind: CronTab shortNames: - ct # subresources describes the subresources for custom resources. subresources: # status enables the status subresource. status: {} type: object $ ./oc create -f mycrd2.yaml customresourcedefinition.apiextensions.k8s.io/crontabs.test2.example.com created We can see all are well, move the bug verify. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1285 |
Description of problem: Kubernetes 1.11 unnecessarily restricts the fields that can be specified at the root of an OpenAPI validation schema if the `status` subresource is enabled. This makes it difficult for operator authors to produce CRD manifests that are compatible with the 'structural schema' support in OpenShift 4/Kubernetes 1.15+. Version-Release number of selected component (if applicable): 3.11 How reproducible: Trivial Steps to Reproduce: 1. Attempt to create a CRD resource that specifies `type: object` at the root of its OpenAPI validation schema as well as enables the `status` subresource. Actual results: ``` Error from server (Invalid): error when creating "cert-manager-openshift-v0.13.0.yaml": CustomResourceDefinition.apiextensions.k8s.io "certificaterequests.cert-manager.io" is invalid: spec.validation.openAPIV3Schema: Invalid value: apiextensions.JSONSchemaProps{ID:"" ... ensions.JSONSchemaDefinitions(nil), ExternalDocs:(*apiextensions.ExternalDocumentation)(nil), Example:(*apiextensions.JSON)(nil)}: must only have "properties", "required" or "description" at the root if the status subresource is enabled ``` Expected results: The CRD to be created Additional info: The original pull request to relax validation upstream is here: https://github.com/kubernetes/kubernetes/pull/65357 It points out that allowing these fields has no adverse side-effects. Given the support window for OpenShift 3, it'd be great to get this patch in to reduce burden on extension developers. ref https://github.com/openshift/origin/pull/24540