KEP-2885: Beta Graduation Criteria for Field Validation #3081
Conversation
kevindelgado
commented
Dec 9, 2021
kevindelgado
commented
- One-line PR description: Update PR for beta milestone targeting 1.24 (kubectl support and alpha follow-ups)
- Issue link: Server Side Unknown Field Validation #2885
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
sig/api-machinery
kevindelgado
force-pushed
the
2885-ss-field-validation-beta
branch
from
47ffa50 to
5dd7845
Compare
kevindelgado
force-pushed
the
2885-ss-field-validation-beta
branch
from
5dd7845 to
fb9b1d4
Compare
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
| to `Warn`. It performs server-side validation, but validation errors are | ||
| exposed as warnings in the result header rather than failing the request. This | ||
| will be the default once server-side validation goes GA. | ||
| * `strict`: same behavior as `--validate=server`. |
There was a problem hiding this comment.
"Strict", "Warn", and "Ignore" are the semantics used by the fieldValidation query param and will be permanent.
"Server" and "Client" are transitionary semantics for now since we want to give the caller the ability to choose until client side validation is no longer an option. It makes sense to offer both "server" and "strict" for now so that the user sees the expected behavior regardless of which set of semantics they are using.
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
|
cc @liggitt |
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
|
This should be ready for a prod-readiness review now @deads2k |
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
| For beta, we will modify the kubectl `--validate` flag from being a bool flag to | ||
| a string flag that accepts the following values: | ||
|
|
||
| * `true` or `strict`: If server-side validation is enabled on the server it sends |
There was a problem hiding this comment.
The conditional behavior based on the servers ability sounds confusing to me. Also, what do you do on a "client-dry-run"? i.e. kubectl create --dry-run=client --validate? Does that automatically fall back to client-side validation? How do you explain that? "Why are the errors looking so different"?
There was a problem hiding this comment.
Added a note that we will treat --dry-run=client as not being connected to any server at-all and thus will trigger a fallback to CS validation
There was a problem hiding this comment.
doesn't dry-run=client trigger local mode and prevent getting the schema from the server at all, and therefore do no validation?
There was a problem hiding this comment.
@apelisse do you know if there's some mechanism under the hood that using a cached schema or something.
FWIW I can definitely see that validation is being performed with --dry-run=client when running a simple experiment on a generic 1.23 cluster
There was a problem hiding this comment.
Yes, client dry-run still asks the server for the openapi. It has pros and cons ...
kubectl already inspects published openapi to determine support for server side dry run. Since client side validation doesn't work well and there's an end goal of dropping the current implementation from create/replace/apply, I don't think we should do anything to increase the CLI flag surface to explicitly depend on it |
It does, but it doesn't implicitly change the behavior of flags based on that, it just stops you from doing something broken, no? |
|
Since my main concern is changing the behavior without the person knowing, I suggest we go with that sort of messaging:
|
Modified the proposal to include this messaging |
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Show resolved
Hide resolved
k8s-ci-robot
added
sig/cli
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Show resolved
Hide resolved
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
|
PRR lgtm and the beta criteria lgtm too, but I'll leave time for additional reviewers there. /approve |
k8s-ci-robot
added
the
approved
| * Enhanced offline validation. Current client-side validation has been used as a | ||
| form of offline validation to simply validate configs that have no intention | ||
| of being actually applied to a server. Ideally users would have a supported | ||
| way to perform offline validation, but that is outside the scope of this KEP. |
There was a problem hiding this comment.
Not asking for a change here, but using the same yaml/json library client side would already be an improvement (even if it doesn't work with openapi support, it would at least detect duplicates for example?)
| For beta, we will modify the kubectl `--validate` flag from being a bool flag to | ||
| a string flag that accepts the following values: | ||
|
|
||
| * `true` or `strict`: If server-side validation is enabled on the server it sends |
There was a problem hiding this comment.
Yes, client dry-run still asks the server for the openapi. It has pros and cons ...
keps/sig-api-machinery/2885-server-side-unknown-field-validation/README.md
Outdated
Show resolved
Hide resolved
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, kevindelgado, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
no, lgtm |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
