@jpbetz
Last active February 4, 2025 22:34
Some high level analysis of kubernetes validations

Admissionregistration API Group Validations (from pkg/apis/admissionregistration/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| ResourceValidation | spec.resources | array-unique, non-empty | Required, Invalid | No | No |
| MatchConditionsValidation | spec.matchConditions | maxItems=64, unique-names | TooMany, Duplicate | No | No |
| ValidateParamKind | spec.paramKind.apiVersion | format=dns1123subdomain | Required, Invalid | No | No |
| ValidateParamKind | spec.paramKind.kind | format=dns1035label | Required, Invalid | No | No |
| MatchResourcesValidation | spec.matchResources.matchPolicy | enum=Exact,Equivalent | Required, NotSupported | No | No |
| ValidationActionsValidation | spec.validationActions | enum=Deny,Warn,Audit | NotSupported, Duplicate | Deny+Warn cannot coexist | No |
| CELExpressionValidation | spec.validations[].expression | format=cel-expression | Required, Invalid | No | Yes - tracks preexisting expressions |
| AuditAnnotationValidation | spec.auditAnnotations | maxItems=20 | TooMany | No | No |
| MatchConditionCELValidation | spec.matchConditions[].expression | format=cel-expression | Invalid | No | Yes - tracks preexisting expressions |

Apps API Group Validations (from pkg/apis/apps/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| DeploymentStrategyValidation | spec.strategy.type | enum=Recreate,RollingUpdate | NotSupported | No | No |
| RollingUpdateValidation | spec.strategy.rollingUpdate.maxUnavailable | format=int-or-percentage | Invalid | Cannot be 0 if maxSurge=0 | No |
| StatefulSetValidation | spec.podManagementPolicy | enum=OrderedReady,Parallel | Required, Invalid | No | No |
| StatefulSetValidation | spec.updateStrategy.type | enum=OnDelete,RollingUpdate | Required, Invalid | No | No |
| DeploymentStatusValidation | status.replicas | non-negative | Invalid | Compared with other count fields | No |

Authentication API Group Validations (from pkg/apis/authentication/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| TokenRequestExpiration | spec.expirationSeconds | min=600,max=4294967296 | Invalid: must be ≥ 10 minutes, Invalid: must be ≤ 2^32 seconds | No | No |

Authorization API Group Validations (from pkg/apis/authorization/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| SubjectAccessReviewResourceOrNonResource | spec.resourceAttributes, spec.nonResourceAttributes | exclusive | Invalid: cannot specify both | Yes | No |
| SubjectAccessReviewUserOrGroup | spec.user, spec.groups | required_one | Invalid: at least one required | Yes | No |
| LocalSARNamespace | spec.resourceAttributes.namespace, metadata.namespace | equality | Invalid: must match metadata.namespace | Yes | No |
| FieldSelectorValidation | spec.resourceAttributes.fieldSelector | format=field_selector | Invalid: malformed selector | No | No |
| LabelSelectorValidation | spec.resourceAttributes.labelSelector | format=label_selector | Invalid: malformed selector | No | No |

Autoscaling API Group Validations (from pkg/apis/autoscaling/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| HPAMinReplicas | spec.minReplicas | min=0/1 (feature gated) | Invalid: must be ≥ minimum | No | No |
| HPAMaxReplicas | spec.maxReplicas | min=1 | Invalid: must be > 0 | No | No |
| HPAMinMaxRelation | spec.minReplicas, spec.maxReplicas | comparison | Invalid: max must be ≥ min | Yes | No |
| MetricsValidation | spec.metrics[*] | complex | Multiple validation errors for metric specs | No | No |
| ScaleTargetRef | spec.scaleTargetRef | format=dns_subdomain | Invalid: malformed reference | No | No |

Certificates API Group Validations (from pkg/apis/certificates/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| CSRValidation | spec.request | format=pem_csr | Invalid: malformed CSR | No | No |
| SignerNameValidation | spec.signerName | format=qualified_name | Invalid: malformed signer name | No | Yes - immutable |
| CSRConditionValidation | status.conditions[*] | enum=Approved,Denied,Failed | Invalid: unknown condition | No | Yes |
| CertificateValidation | status.certificate | format=pem_cert | Invalid: malformed certificate | No | Yes |

Core API Group Validations (from pkg/apis/core/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| SecurityContextValidation | spec.containers[].securityContext.privileged | boolean | Forbidden | Checks cluster policy | No |
| SecurityContextValidation | spec.containers[].securityContext.procMount | enum=Default,Unmasked | Invalid | Checks hostUsers setting | No |
| EndpointPortValidation | ports[].port | format=port-number | Invalid | No | No |
| EndpointPortValidation | ports[].protocol | enum=TCP,UDP,SCTP | Required, NotSupported | No | No |
| GlusterfsValidation | spec.glusterfs.endpoints | non-empty | Required | No | No |
| AzureDiskValidation | spec.azureDisk.diskURI | format=azure-disk-uri | NotSupported | Validates against disk kind | No |

Discovery API Group Validations (from pkg/apis/discovery/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| EndpointAddressType | addressType | enum=IPv4,IPv6,FQDN | Invalid: unknown type | No | Yes - immutable |
| EndpointAddressValidation | endpoints[].addresses[] | format=ipv4/ipv6/fqdn | Invalid: malformed address | No | No |
| EndpointPortValidation | ports[*] | format=port_name,range=1-65535 | Invalid: malformed port | No | No |
| EndpointHints | endpoints[*].hints | maxItems=8 | Invalid: too many hints | No | No |

Policy API Group Validations (from pkg/apis/policy/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| PDBSpecValidation | spec.minAvailable | format=int-or-percentage, max=100% | Invalid | Cannot set both minAvailable and maxUnavailable | No |
| PDBSpecValidation | spec.maxUnavailable | format=int-or-percentage, max=100% | Invalid | Cannot set both minAvailable and maxUnavailable | No |
| PDBSpecValidation | spec.unhealthyPodEvictionPolicy | enum=IfHealthyBudget,AlwaysAllow | NotSupported | No | No |
| SysctlValidation | sysctls[].name | format=sysctl-pattern, maxLength=253 | Invalid | No | No |

RBAC API Group Validations (from pkg/apis/rbac/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| RoleValidation | metadata.name | format=dns-subdomain | Invalid | No | No |
| PolicyRuleValidation | rules[].verbs | non-empty | Required | No | No |
| PolicyRuleValidation | rules[].apiGroups | non-empty | Required | No | No |
| RoleBindingValidation | roleRef.apiGroup | enum=rbac.authorization.k8s.io | NotSupported | No | No |
| RoleBindingValidation | roleRef.kind | enum=Role,ClusterRole | NotSupported | No | No |
| SubjectValidation | subjects[].kind | enum=User,Group,ServiceAccount | NotSupported | No | No |

Batch API Group Validations (from pkg/apis/batch/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| JobCompletions | spec.completions | non-negative | Invalid | No | No |
| JobParallelism | spec.parallelism | non-negative | Invalid | No | No |
| JobBackoffLimit | spec.backoffLimit | non-negative | Invalid | No | No |
| JobTTLAfterFinished | spec.ttlSecondsAfterFinished | non-negative | Invalid | No | No |
| JobBackoffLimitPerIndex | spec.backoffLimitPerIndex | non-negative | Required with maxFailedIndexes | Yes | No |
| JobMaxFailedIndexes | spec.maxFailedIndexes | non-negative, ≤ completions | Invalid | Yes | No |
| JobManagedBy | spec.managedBy | format=dns-prefixed-path, maxLength=63 | Invalid | No | No |
| JobCompletionMode | spec.completionMode | enum=NonIndexed,Indexed | NotSupported | No | No |
| JobSelector | spec.selector | format=label-selector | Invalid | Must match template labels | No |
| JobPodTemplate | spec.template | pod-spec-validation | Multiple | No | No |
| JobPodRestartPolicy | spec.template.spec.restartPolicy | enum=OnFailure,Never | Required | Yes with PodFailurePolicy | No |
| PodFailurePolicyRules | spec.podFailurePolicy.rules | maxItems=20 | TooMany | No | Yes - immutable |
| PodFailurePolicyOnExitCodes | spec.podFailurePolicy.rules[].onExitCodes | maxItems=255 | TooMany | No | No |
| PodFailurePolicyOnPodConditions | spec.podFailurePolicy.rules[].onPodConditions | maxItems=20 | TooMany | No | No |
| JobSuccessPolicy | spec.successPolicy | format=success-policy | Invalid | Requires Indexed mode | No |

Networking API Group Validations (from pkg/apis/networking/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| NetworkPolicyPorts | spec.ingress[].ports[].port | format=port-number | Invalid | No | No |
| NetworkPolicyProtocol | spec.ingress[].ports[].protocol | enum=TCP,UDP,SCTP | NotSupported | No | No |
| NetworkPolicyPeer | spec.ingress[].from[] | format=peer-selector | Invalid | Cannot mix IPBlock with other peers | No |
| NetworkPolicyTypes | spec.policyTypes[] | enum=Ingress,Egress | NotSupported | No | No |
| IngressTLS | spec.tls[].hosts[] | format=dns-subdomain | Invalid | No | No |
| IngressBackend | spec.defaultBackend | format=service-or-resource | Invalid | Cannot specify both service and resource | No |
| IngressRules | spec.rules[].host | format=dns-subdomain | Invalid | No | No |
| IngressPaths | spec.rules[].http.paths[].path | format=url-path | Invalid | No | No |
| IngressPathType | spec.rules[].http.paths[].pathType | enum=Exact,Prefix,ImplementationSpecific | Required | No | No |
| IPAddressParentRef | spec.parentRef | format=parent-reference | Required | No | No |

Node API Group Validations (from pkg/apis/node/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| RuntimeClassHandler | handler | format=dns-label | Invalid | No | Yes - immutable |
| RuntimeClassOverhead | overhead.podFixed | resource-requirements | Invalid | No | No |
| RuntimeClassScheduling | scheduling.nodeSelector | format=label-selector | Invalid | No | No |
| RuntimeClassTolerations | scheduling.tolerations[] | format=tolerations | Invalid, Duplicate | No | No |

Scheduling API Group Validations (from pkg/apis/scheduling/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| PriorityClassName | metadata.name | format=dns-subdomain | Invalid | No | Yes - immutable |
| PriorityValue | value | max=1000000000 for user classes | Forbidden | No | Yes - immutable |
| PreemptionPolicy | preemptionPolicy | format=preemption-policy | Invalid | No | Yes - immutable |

Storage API Group Validations (from pkg/apis/storage/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| StorageClassProvisioner | provisioner | format=qualified-name | Required | No | Yes - immutable |
| StorageClassParameters | parameters | maxSize=256KB, maxKeys=512 | TooLong | No | Yes - immutable |
| StorageClassReclaimPolicy | reclaimPolicy | enum=Delete,Retain | NotSupported | No | Yes - immutable |
| VolumeAttachmentSource | spec.source | exclusive-fields | Invalid | Cannot specify both PV name and inline spec | No |
| VolumeAttachmentNodeName | spec.nodeName | format=node-name | Invalid | No | No |
| CSINodeDriver | spec.drivers[].name | format=csi-driver-name | Invalid | No | No |
| CSINodeID | spec.drivers[].nodeID | maxLength=192/256 | Invalid | No | No |
| CSIDriverSpec | spec.attachRequired | required | Required | No | Yes - immutable |
| CSIStorageCapacity | nodeTopology | format=label-selector | Invalid | No | No |

Storage Migration API Group Validations (from pkg/apis/storagemigration/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| MigrationResource | spec.resource | format=group-version-resource | Required | No | Yes - immutable |
| MigrationStatus | status.resourceVersion | format=non-negative-int | Invalid | No | No |
| MigrationConditions | status.conditions[] | format=condition | Invalid | Cannot have both success and failed | Yes |
| ConditionReason | status.conditions[].reason | format=condition-reason, maxLength=1024 | Invalid | No | No |
| ConditionMessage | status.conditions[].message | maxLength=32768 | TooLong | No | No |

Apiextensions API Group Validations (from pkg/apis/apiextensions/validation/validation.go)

| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| CRDNameValidation | metadata.name | format=dns-subdomain | Invalid | No | No |
| CRDSpecValidation | spec | complex | Multiple validation errors for CRD spec | No | No |
| CRDStatusValidation | status | complex | Multiple validation errors for CRD status | No | No |
| CRDStoredVersionsValidation | status.storedVersions | non-empty | Required | No | No |
| CRDApprovalValidation | spec | complex | Invalid API approval | No | No |
| CRDPreserveUnknownFieldsValidation | spec.preserveUnknownFields | boolean | Invalid | No | No |

You're an API expert performing analysis of the code that validates API requests. Your goal is to catalog the validations in a validations.go file.
Please output your analysis into a table that includes:
- A name for each validation. This can be based on any information available.
- The JSON path of the field(s) that are validated.
- The type of validation that is performed. If this validates that a string is an IPv4 address, this should be text like "format=ipv4". If this validates that a string is an enum of two colors, "enum=Blue,Green" would be appropriate. If this validates a max string length, "maxLength=30" would be appropriate.
- The kinds of validation errors that may be returned.
If a validation requires access to multiple fields to perform the validation check, please include notes in an additional column about this.
If a validation compares the oldObject with the current object, or in any other way is specific to validation of requests that update an existing resource conditionally, please make note of this in a separate column.