After analyzing the comprehensive validation rules from all Kubernetes resources, I've identified several resource kinds with diverse validation rules, particularly focusing on those with cross-field validations. These resources are prioritized based on both validation diversity and relative simplicity.
Kubernetes API validation ensures that objects created or updated through the API server meet specific formatting requirements, constraints, and semantic rules before being stored in etcd. Validation occurs in multiple layers:
Admissionregistration API Group Validations (from pkg/apis/admissionregistration/validation/validation.go)
| Validation Name | JSON Path | Validation Type | Error Types | Cross-field | Update-specific |
|---|---|---|---|---|---|
| ResourceValidation | spec.resources | array-unique, non-empty | Required, Invalid | No | No |
| MatchConditionsValidation | spec.matchConditions | maxItems=64, unique-names | TooMany, Duplicate | No | No |
| ValidateParamKind | spec.paramKind.apiVersion | format=dns1123subdomain | Required, Invalid | No | No |
| ValidateParamKind | spec.paramKind.kind | format=dns1035label | Required, Invalid | No | No |
| MatchResourcesValidation | spec.matchResources.matchPolicy | enum=Exact,Equivalent | Required, NotSupported | No | No |
| #!/bin/bash | |
| # Check if input file is provided | |
| if [ $# -ne 1 ]; then | |
| echo "Usage: $0 <input-file>" | |
| exit 1 | |
| fi | |
| input_file="$1" |
| goos: linux | |
| goarch: amd64 | |
| pkg: sigs.k8s.io/structured-merge-diff/v4/fieldpath | |
| cpu: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz | |
| │ old.txt │ new.txt │ | |
| │ sec/op │ sec/op vs base │ | |
| FieldSet/insert-20-8 12.02µ ± ∞ ¹ 11.00µ ± ∞ ¹ ~ (p=1.000 n=1) ² | |
| FieldSet/has-20-8 434.6n ± ∞ ¹ 541.8n ± ∞ ¹ ~ (p=1.000 n=1) ² | |
| FieldSet/serialize-20-8 6.667µ ± ∞ ¹ 8.090µ ± ∞ ¹ ~ (p=1.000 n=1) ² | |
| FieldSet/deserialize-20-8 22.98µ ± ∞ ¹ 21.10µ ± ∞ ¹ ~ (p=1.000 n=1) ² |
| package main | |
| import ( | |
| "fmt" | |
| ) | |
| // An interface can be implemented by a function type definition. | |
| // This can be convenient for allowing inline function declarations | |
| // of interfaces with only a single function. |
| +++ [0829 20:58:12] Generating protobufs for 70 targets | |
| +++ [0829 20:58:12] protoc 23.4 not found (can install with hack/install-protoc.sh); generating containerized... | |
| +++ [0829 20:58:12] Verifying Prerequisites.... | |
| +++ [0829 20:58:13] Building Docker image kube-build:build-41f60316fe-5-v1.31.0-go1.22.5-bullseye.0 | |
| +++ [0829 20:58:14] Syncing sources to container | |
| +++ [0829 20:58:23] Output from this container will be rsynced out upon completion. Set KUBE_RUN_COPY_OUTPUT=n to disable. | |
| +++ [0829 20:58:23] Running build command... | |
| +++ [0829 20:58:48] Syncing out of container | |
| +++ [0829 20:58:51] Generating deepcopy code for 254 targets | |
| +++ [0829 20:59:02] Generating swagger for 58 targets |
What happens:
Create a mult-version CRD with a conversion webhook configured with an invalid CABundle:
$ kubectl apply -f crd.yaml
customresourcedefinition.apiextensions.k8s.io/replicant.stable.example.com created
Read the CRD back:
| # config for 1 control plane node and 2 workers (necessary for conformance) | |
| kind: Cluster | |
| apiVersion: kind.x-k8s.io/v1alpha4 | |
| networking: | |
| ipFamily: ipv4 | |
| kubeProxyMode: iptables | |
| # don't pass through host search paths | |
| # TODO: possibly a reasonable default in the future for kind ... | |
| dnsSearch: [] | |
| nodes: |