Add field-level warnings for deprecated / known bad values #94626
Comments
cc @deads2k Do we have a KEP discussing how to emit the warnings?
The mechanism was put in place in 1.19. See https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1693-warnings
I'm thinking more about finding a way to make it easy to discover these. Are you thinking about placing the checks in validating admission or storage or somewhere else? Validating admissions seems like a reasonable place that could be mirrored for out of tree providers as well.
I think that deprecated fields could/should be labeled by tag in the API itself, similar to how we handle it for the structs themselves.
I'd be fine with that, though the immediate ones I want to warn about are specific selector label values and alpha seccomp annotations, so there's not really a place to attach declarative deprecations for those
Another area for warnings related to "pods setting both linux and windows options" is #93220
is that always invalid? are multi-os images possible?
AppArmor is a linux only security module so it is not valid on windows. I might have misunderstood the item. What is a multi-os image? It is possible to have multi-arch image manifests.
e.g. https://www.docker.com/blog/docker-official-images-now-multi-platform/
Thanks for confirming. Since it is possible to have a multi-os image (multi-arch) I don't think that we would be able to effectively warn for pods that set both linux and windows options. In Azure we use a multi-os/multi-arch image for the pause container:
@saschagrunert should this issue be milestoned to v1.23? Basing this off of kubernetes/enhancements#135
next set of tasks expected to be done in looks like 1.22
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community.
Hello! 👋 This issue has not been updated for a long time, so I'd like to check what's the status. The code freeze is starting March 9th, 2021 (about 1 week from now). As the Issue is tagged for 1.21, is it still planned for this release?
Agree.
Since we're in 1.23 code freeze, I'm moving this to milestone 1.24. @liggitt Let me know if this is an error. /milestone v1.24
kick the can down the road /milestone v1.25
updated description with work completed in 1.25
kubernetes/pkg/api/pod/warnings.go Lines 179 to 184 in f3ae27f
As the Pod spec.volumes[0].secret.secretName is a required value. This is also not a problem
I opened 2 PRs to add bad values warnings.
#118547 will add a warn for env dup.
#72593 (comment) is another case that we may warn the user or refuse it during creation. A proposal would be adding a warning for pod creation with sysctl that would most likely be rejected by kubelet.
Another important case that should be addressed is when attempting to set a
are not counted in ResourceQuota and block ResourceQuota updates #94313)
kubectl apply drops all hostAlias entries when removing a duplicate entry from an existing object #91670, kubectl apply (client-side) removes all entries when attempting to remove a single duplicated entry in a persisted object #58477) - Add field-level warning plumbing and add pod spec warnings #101688
kubectl apply (client-side) removes all entries when attempting to remove a single duplicated entry in a persisted object #58477) - Add field-level warning plumbing and add pod spec warnings #101688
kubectl apply (client-side) removes all entries when attempting to remove a single duplicated entry in a persisted object #58477) - Add field-level warning plumbing and add pod spec warnings #101688
kubectl apply (client-side) removes all entries when attempting to remove a single duplicated entry in a persisted object #58477) - Add field-level warning plumbing and add pod spec warnings #101688
kubectl apply (client-side) removes all entries when attempting to remove a single duplicated entry in a persisted object #58477)
pods setting both linux and windows options? (if multi-OS images are not possible. xref fix windows container root validate #92355 (comment))
{port,protocol} items in ports list (apiserver allows duplicate service port #59119, kubectl apply (client-side) removes all entries when attempting to remove a single duplicated entry in a persisted object #58477, PATCH merges Services with same port, different protocol #47249)
See:
kubectl apply (client-side) removes all entries when attempting to remove a single duplicated entry in a persisted object #58477
/assign
/sig api-machinery
/milestone v1.20
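An added sketch (not code from the Kubernetes repository) of the duplicate-entry checks this issue tracks: it returns field-path warnings for repeated env var names and repeated {port,protocol} pairs instead of rejecting the object. The types, function names and warning wording are hypothetical, and the empty-protocol default to TCP is an assumption of the example.

```go
package main

import "fmt"

// Hypothetical minimal types for this example; not the Kubernetes API structs.
type EnvVar struct{ Name, Value string }
type ServicePort struct {
	Port     int32
	Protocol string
}

// warnDuplicateEnv returns one warning per repeated env var name, with its field path.
func warnDuplicateEnv(path string, env []EnvVar) (warnings []string) {
	seen := map[string]bool{}
	for i, e := range env {
		if seen[e.Name] {
			warnings = append(warnings, fmt.Sprintf("%s.env[%d].name: duplicate name %q", path, i, e.Name))
		}
		seen[e.Name] = true
	}
	return warnings
}

// warnDuplicatePorts keys on the {port,protocol} pair, so 53/TCP and 53/UDP do not collide.
func warnDuplicatePorts(ports []ServicePort) (warnings []string) {
	type key struct {
		port  int32
		proto string
	}
	seen := map[key]bool{}
	for i, p := range ports {
		k := key{p.Port, p.Protocol}
		if k.proto == "" {
			k.proto = "TCP" // assumption: an unset protocol is treated as TCP
		}
		if seen[k] {
			warnings = append(warnings, fmt.Sprintf("spec.ports[%d]: duplicate of earlier entry %d/%s", i, p.Port, k.proto))
		}
		seen[k] = true
	}
	return warnings
}

func main() {
	// Constructed sample input.
	fmt.Println(warnDuplicateEnv("spec.containers[0]", []EnvVar{{"A", "1"}, {"A", "2"}}))
	fmt.Println(warnDuplicatePorts([]ServicePort{{53, "TCP"}, {53, "UDP"}, {53, "TCP"}}))
}
```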