Bug 1803163 - Allow more fields at root of CRD schema if status is enabled
Summary: Allow more fields at root of CRD schema if status is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.11.z
Assignee: Stefan Schimanski
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On: 1803171
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-14 15:22 UTC by James Munnelly
Modified: 2020-04-07 17:45 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1803171 (view as bug list)
Environment:
Last Closed: 2020-04-07 17:45:54 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 24540 0 None closed Bug 1803163: UPSTREAM: 65357: Allow more fields at root of CRD schema if status is enabled 2021-01-19 16:25:46 UTC
Red Hat Product Errata RHBA-2020:1285 0 None None None 2020-04-07 17:45:59 UTC

Description James Munnelly 2020-02-14 15:22:58 UTC
Description of problem:


Kubernetes 1.11 unnecessarily restricts the fields that can be specified at the root of an OpenAPI validation schema if the `status` subresource is enabled.

This makes it difficult for operator authors to produce CRD manifests that are compatible with the 'structural schema' support in OpenShift 4/Kubernetes 1.15+.

 
Version-Release number of selected component (if applicable): 3.11


How reproducible:
Trivial

Steps to Reproduce:
1. Attempt to create a CRD resource that specifies `type: object` at the root of its OpenAPI validation schema as well as enables the `status` subresource.


Actual results:

```
Error from server (Invalid): error when creating "cert-manager-openshift-v0.13.0.yaml": CustomResourceDefinition.apiextensions.k8s.io "certificaterequests.cert-manager.io" is invalid: spec.validation.openAPIV3Schema: Invalid value: apiextensions.JSONSchemaProps{ID:""

...

ensions.JSONSchemaDefinitions(nil), ExternalDocs:(*apiextensions.ExternalDocumentation)(nil), Example:(*apiextensions.JSON)(nil)}: must only have "properties", "required" or "description" at the root if the status subresource is enabled
```

Expected results:

The CRD to be created

Additional info:

The original pull request to relax validation upstream is here: https://github.com/kubernetes/kubernetes/pull/65357

It points out that allowing these fields has no adverse side-effects. Given the support window for OpenShift 3, it'd be great to get this patch in to reduce burden on extension developers.

ref https://github.com/openshift/origin/pull/24540

Comment 1 Ke Wang 2020-03-16 10:25:45 UTC
Verified with the following OCP ENV,
$ ./oc version
oc v3.11.188
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ci-vm-...redhat.com:8443
openshift v3.11.188
kubernetes v1.11.0+d4cacc0

- Created one CRD that enable the status with subresource and specifed type: object at the root of their CRD schema, see below,

$ cat mycrd1.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: crontabs.test1.example.com
spec:
  group: test1.example.com
  versions:
    - name: v1
      served: true
      storage: true
  scope: Namespaced
  names:
    plural: crontabs
    singular: crontab
    kind: CronTab
    shortNames:
    - ct
  # subresources describes the subresources for custom resources.
  subresources:
    # status enables the status subresource.
    status:
      description: Status of the condition, one of ('True', 'False','Unknown').
      enum:
      - "True"
      - "False"
      - Unknown
      type: string
  type: object
  
$ ./oc create -f mycrd1.yaml
customresourcedefinition.apiextensions.k8s.io/crontabs.test1.example.com created

- Created one CRD that enable the status with empty resource and specifed type: object at the root of their CRD schema, see below,
$ cat mycrd2.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: crontabs.test2.example.com
spec:
  group: test2.example.com
  versions:
    - name: v1
      served: true
      storage: true
  scope: Namespaced
  names:
    plural: crontabs
    singular: crontab
    kind: CronTab
    shortNames:
    - ct
  # subresources describes the subresources for custom resources.
  subresources:
    # status enables the status subresource.
    status: {}
  type: object
  
$ ./oc create -f mycrd2.yaml
customresourcedefinition.apiextensions.k8s.io/crontabs.test2.example.com created

We can see all are well, move the bug verify.

Comment 4 errata-xmlrpc 2020-04-07 17:45:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1285


Note You need to log in before you can comment on or make changes to this bug.