/*
Copyright 2019 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package defaulting

import (
	"fmt"
	"reflect"

	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
	schemaobjectmeta "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/objectmeta"
	"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning"
	apiservervalidation "k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/util/validation/field"
	"k8s.io/kube-openapi/pkg/validation/strfmt"
	kubeopenapivalidate "k8s.io/kube-openapi/pkg/validation/validate"
)

// ValidateDefaults checks that default values validate and are properly pruned.
//
// The walk starts at schema s, reporting findings relative to pth. When
// isResourceRoot is true, s is treated as the root of a resource: a nil s is
// replaced by an empty schema, and a schema without XEmbeddedResource is
// shallow-copied with the flag set, so the caller's schema is not modified.
//
// requirePrunedDefaults enables the check that a default does not change when
// pruned against its own schema. When it is false that check is skipped
// entirely, so a default carrying fields unknown to the schema is not reported
// here; callers that must reject such defaults have to pass true.
//
// The returned field.ErrorList holds the validation findings. The error result
// is non-nil only when the surrounding-object func fails for a default inside
// metadata.
func ValidateDefaults(pth *field.Path, s *structuralschema.Structural, isResourceRoot, requirePrunedDefaults bool) (field.ErrorList, error) {
	surrounding := NewRootObjectFunc().WithTypeMeta(metav1.TypeMeta{APIVersion: "validation/v1", Kind: "Validation"})

	root := s
	if isResourceRoot {
		switch {
		case root == nil:
			// No schema at all: validate against an empty one that is marked
			// as a resource root.
			root = &structuralschema.Structural{}
			root.XEmbeddedResource = true
		case !root.XEmbeddedResource:
			// Work on a shallow copy so the flag does not leak into the
			// schema owned by the caller.
			marked := *root
			marked.XEmbeddedResource = true
			root = &marked
		}
	}

	return validate(pth, root, root, surrounding, false, requirePrunedDefaults)
}

// validate is the recursive step func for the validation. insideMeta is true if s specifies
// TypeMeta or ObjectMeta. The SurroundingObjectFunc f is used to validate defaults of
// TypeMeta or ObjectMeta fields.
//
// rootSchema is the schema of the nearest enclosing node with XEmbeddedResource
// set; reaching such a node resets rootSchema, f and insideMeta. A nil s
// yields (nil, nil).
//
// NOTE(review): the pruned-default check is only performed for defaults
// outside metadata. Defaults under metadata, apiVersion or kind are checked by
// coercing and validating the object produced by f, plus schema validation of
// the default itself.
func validate(pth *field.Path, s *structuralschema.Structural, rootSchema *structuralschema.Structural, f SurroundingObjectFunc, insideMeta, requirePrunedDefaults bool) (field.ErrorList, error) {
	if s == nil {
		return nil, nil
	}

	if s.XEmbeddedResource {
		// An embedded resource starts a fresh object: its own schema becomes
		// the root and the surrounding-object func starts over.
		insideMeta = false
		f = NewRootObjectFunc().WithTypeMeta(metav1.TypeMeta{APIVersion: "validation/v1", Kind: "Validation"})
		rootSchema = s
	}

	allErrs := field.ErrorList{}

	if def := s.Default.Object; def != nil {
		validator := kubeopenapivalidate.NewSchemaValidator(s.ToKubeOpenAPI(), nil, "", strfmt.Default)
		defaultPath := pth.Child("default")

		if insideMeta {
			// Embed a copy of the default into its surrounding object so that
			// metadata can be checked as a whole.
			obj, _, err := f(runtime.DeepCopyJSONValue(def))
			if err != nil {
				// This should never happen: f only fails when it is the root
				// object func and the default is not a map, and in that case
				// we would not be inside metadata.
				return nil, fmt.Errorf("failed to validate default value inside metadata: %v", err)
			}

			// Check ObjectMeta/TypeMeta first, then everything else. Each
			// stage runs only when the previous one reported nothing.
			coerceErr := schemaobjectmeta.Coerce(nil, obj, rootSchema, true, false)
			if coerceErr != nil {
				allErrs = append(allErrs, field.Invalid(defaultPath, def, fmt.Sprintf("must result in valid metadata: %v", coerceErr)))
			} else {
				metaErrs := schemaobjectmeta.Validate(nil, obj, rootSchema, true)
				if len(metaErrs) > 0 {
					allErrs = append(allErrs, field.Invalid(defaultPath, def, fmt.Sprintf("must result in valid metadata: %v", metaErrs.ToAggregate())))
				} else {
					allErrs = append(allErrs, apiservervalidation.ValidateCustomResource(defaultPath, def, validator)...)
				}
			}
		} else {
			// Check whether the default is pruned: pruning a copy against the
			// schema must leave it unchanged.
			if requirePrunedDefaults {
				pruned := runtime.DeepCopyJSONValue(def)
				pruning.Prune(pruned, s, s.XEmbeddedResource)
				if !reflect.DeepEqual(pruned, def) {
					allErrs = append(allErrs, field.Invalid(defaultPath, def, "must not have unknown fields"))
				}
			}

			// Check ObjectMeta/TypeMeta first, then everything else. Each
			// stage runs only when the previous one reported nothing.
			coerceErr := schemaobjectmeta.Coerce(defaultPath, def, s, s.XEmbeddedResource, false)
			if coerceErr != nil {
				allErrs = append(allErrs, coerceErr)
			} else {
				metaErrs := schemaobjectmeta.Validate(defaultPath, def, s, s.XEmbeddedResource)
				if len(metaErrs) > 0 {
					allErrs = append(allErrs, metaErrs...)
				} else {
					allErrs = append(allErrs, apiservervalidation.ValidateCustomResource(defaultPath, def, validator)...)
				}
			}
		}
	}

	// additionalProperties is deliberately not followed because defaults are
	// forbidden there.

	if s.Items != nil {
		itemErrs, err := validate(pth.Child("items"), s.Items, rootSchema, f.Index(), insideMeta, requirePrunedDefaults)
		if err != nil {
			return nil, err
		}
		allErrs = append(allErrs, itemErrs...)
	}

	for name, prop := range s.Properties {
		// Directly below a resource root, these three properties hold
		// TypeMeta/ObjectMeta and switch the walk into metadata mode.
		childInsideMeta := insideMeta
		if s.XEmbeddedResource {
			switch name {
			case "metadata", "apiVersion", "kind":
				childInsideMeta = true
			}
		}

		propErrs, err := validate(pth.Child("properties").Key(name), &prop, rootSchema, f.Child(name), childInsideMeta, requirePrunedDefaults)
		if err != nil {
			return nil, err
		}
		allErrs = append(allErrs, propErrs...)
	}

	return allErrs, nil
}