// ValidateDaemonSetSpec tests if required fields in the DaemonSetSpec are set. func ValidateDaemonSetSpec(spec *experimental.DaemonSetSpec) errs.ValidationErrorList { allErrs := errs.ValidationErrorList{} selector := labels.Set(spec.Selector).AsSelector() if selector.Empty() { allErrs = append(allErrs, errs.NewFieldRequired("selector")) } if spec.Template == nil { allErrs = append(allErrs, errs.NewFieldRequired("template")) } else { labels := labels.Set(spec.Template.Labels) if !selector.Matches(labels) { allErrs = append(allErrs, errs.NewFieldInvalid("template.metadata.labels", spec.Template.Labels, "selector does not match template")) } allErrs = append(allErrs, apivalidation.ValidatePodTemplateSpec(spec.Template).Prefix("template")...) // Daemons typically run on more than one node, so mark Read-Write persistent disks as invalid. allErrs = append(allErrs, apivalidation.ValidateReadOnlyPersistentDisks(spec.Template.Spec.Volumes).Prefix("template.spec.volumes")...) // RestartPolicy has already been first-order validated as per ValidatePodTemplateSpec(). if spec.Template.Spec.RestartPolicy != api.RestartPolicyAlways { allErrs = append(allErrs, errs.NewFieldValueNotSupported("template.spec.restartPolicy", spec.Template.Spec.RestartPolicy, []string{string(api.RestartPolicyAlways)})) } } return allErrs }
func ValidateJobSpec(spec *experimental.JobSpec) errs.ValidationErrorList { allErrs := errs.ValidationErrorList{} if spec.Parallelism != nil && *spec.Parallelism < 0 { allErrs = append(allErrs, errs.NewFieldInvalid("parallelism", spec.Parallelism, isNegativeErrorMsg)) } if spec.Completions != nil && *spec.Completions < 0 { allErrs = append(allErrs, errs.NewFieldInvalid("completions", spec.Completions, isNegativeErrorMsg)) } selector := labels.Set(spec.Selector).AsSelector() if selector.Empty() { allErrs = append(allErrs, errs.NewFieldRequired("selector")) } if spec.Template == nil { allErrs = append(allErrs, errs.NewFieldRequired("template")) } else { labels := labels.Set(spec.Template.Labels) if !selector.Matches(labels) { allErrs = append(allErrs, errs.NewFieldInvalid("template.labels", spec.Template.Labels, "selector does not match template")) } allErrs = append(allErrs, apivalidation.ValidatePodTemplateSpec(spec.Template).Prefix("template")...) if spec.Template.Spec.RestartPolicy != api.RestartPolicyOnFailure && spec.Template.Spec.RestartPolicy != api.RestartPolicyNever { allErrs = append(allErrs, errs.NewFieldValueNotSupported("template.spec.restartPolicy", spec.Template.Spec.RestartPolicy, []string{string(api.RestartPolicyOnFailure), string(api.RestartPolicyNever)})) } } return allErrs }
func ValidateJobSpec(spec *extensions.JobSpec) errs.ValidationErrorList { allErrs := errs.ValidationErrorList{} if spec.Parallelism != nil { allErrs = append(allErrs, apivalidation.ValidatePositiveField(int64(*spec.Parallelism), "parallelism")...) } if spec.Completions != nil { allErrs = append(allErrs, apivalidation.ValidatePositiveField(int64(*spec.Completions), "completions")...) } if spec.Selector == nil { allErrs = append(allErrs, errs.NewFieldRequired("selector")) } else { allErrs = append(allErrs, ValidatePodSelector(spec.Selector).Prefix("selector")...) } if selector, err := extensions.PodSelectorAsSelector(spec.Selector); err == nil { labels := labels.Set(spec.Template.Labels) if !selector.Matches(labels) { allErrs = append(allErrs, errs.NewFieldInvalid("template.metadata.labels", spec.Template.Labels, "selector does not match template")) } } allErrs = append(allErrs, apivalidation.ValidatePodTemplateSpec(&spec.Template).Prefix("template")...) if spec.Template.Spec.RestartPolicy != api.RestartPolicyOnFailure && spec.Template.Spec.RestartPolicy != api.RestartPolicyNever { allErrs = append(allErrs, errs.NewFieldValueNotSupported("template.spec.restartPolicy", spec.Template.Spec.RestartPolicy, []string{string(api.RestartPolicyOnFailure), string(api.RestartPolicyNever)})) } return allErrs }
func ValidateRoleBindingSubject(subject kapi.ObjectReference, isNamespaced bool) fielderrors.ValidationErrorList { allErrs := fielderrors.ValidationErrorList{} if len(subject.Name) == 0 { allErrs = append(allErrs, fielderrors.NewFieldRequired("name")) } if len(subject.UID) != 0 { allErrs = append(allErrs, fielderrors.NewFieldForbidden("uid", subject.UID)) } if len(subject.APIVersion) != 0 { allErrs = append(allErrs, fielderrors.NewFieldForbidden("apiVersion", subject.APIVersion)) } if len(subject.ResourceVersion) != 0 { allErrs = append(allErrs, fielderrors.NewFieldForbidden("resourceVersion", subject.ResourceVersion)) } if len(subject.FieldPath) != 0 { allErrs = append(allErrs, fielderrors.NewFieldForbidden("fieldPath", subject.FieldPath)) } switch subject.Kind { case authorizationapi.ServiceAccountKind: if valid, reason := validation.ValidateServiceAccountName(subject.Name, false); len(subject.Name) > 0 && !valid { allErrs = append(allErrs, fielderrors.NewFieldInvalid("name", subject.Name, reason)) } if !isNamespaced && len(subject.Namespace) == 0 { allErrs = append(allErrs, fielderrors.NewFieldRequired("namespace")) } case authorizationapi.UserKind: if valid, reason := uservalidation.ValidateUserName(subject.Name, false); len(subject.Name) > 0 && !valid { allErrs = append(allErrs, fielderrors.NewFieldInvalid("name", subject.Name, reason)) } case authorizationapi.GroupKind: if valid, reason := uservalidation.ValidateGroupName(subject.Name, false); len(subject.Name) > 0 && !valid { allErrs = append(allErrs, fielderrors.NewFieldInvalid("name", subject.Name, reason)) } case authorizationapi.SystemUserKind: isValidSAName, _ := validation.ValidateServiceAccountName(subject.Name, false) isValidUserName, _ := uservalidation.ValidateUserName(subject.Name, false) if isValidSAName || isValidUserName { allErrs = append(allErrs, fielderrors.NewFieldInvalid("name", subject.Name, "conforms to User.name or ServiceAccount.name restrictions")) } case authorizationapi.SystemGroupKind: if valid, _ := uservalidation.ValidateGroupName(subject.Name, false); len(subject.Name) > 0 && valid { allErrs = append(allErrs, fielderrors.NewFieldInvalid("name", subject.Name, "conforms to Group.name restrictions")) } default: allErrs = append(allErrs, fielderrors.NewFieldValueNotSupported("kind", subject.Kind, []string{authorizationapi.ServiceAccountKind, authorizationapi.UserKind, authorizationapi.GroupKind, authorizationapi.SystemGroupKind, authorizationapi.SystemUserKind})) } return allErrs }
// validateTLS tests fields for different types of TLS combinations are set. Called // by ValidateRoute. func validateTLS(route *routeapi.Route) fielderrors.ValidationErrorList { result := fielderrors.ValidationErrorList{} tls := route.Spec.TLS // no tls config present, no need for validation if tls == nil { return nil } switch tls.Termination { // reencrypt must specify destination ca cert // cert, key, cacert may not be specified because the route may be a wildcard case routeapi.TLSTerminationReencrypt: if len(tls.DestinationCACertificate) == 0 { result = append(result, fielderrors.NewFieldRequired("destinationCACertificate")) } //passthrough term should not specify any cert case routeapi.TLSTerminationPassthrough: if len(tls.Certificate) > 0 { result = append(result, fielderrors.NewFieldInvalid("certificate", tls.Certificate, "passthrough termination does not support certificates")) } if len(tls.Key) > 0 { result = append(result, fielderrors.NewFieldInvalid("key", tls.Key, "passthrough termination does not support certificates")) } if len(tls.CACertificate) > 0 { result = append(result, fielderrors.NewFieldInvalid("caCertificate", tls.CACertificate, "passthrough termination does not support certificates")) } if len(tls.DestinationCACertificate) > 0 { result = append(result, fielderrors.NewFieldInvalid("destinationCACertificate", tls.DestinationCACertificate, "passthrough termination does not support certificates")) } // edge cert should only specify cert, key, and cacert but those certs // may not be specified if the route is a wildcard route case routeapi.TLSTerminationEdge: if len(tls.DestinationCACertificate) > 0 { result = append(result, fielderrors.NewFieldInvalid("destinationCACertificate", tls.DestinationCACertificate, "edge termination does not support destination certificates")) } default: validValues := []string{string(routeapi.TLSTerminationEdge), string(routeapi.TLSTerminationPassthrough), string(routeapi.TLSTerminationReencrypt)} result = append(result, fielderrors.NewFieldValueNotSupported("termination", tls.Termination, validValues)) } if err := validateInsecureEdgeTerminationPolicy(tls); err != nil { result = append(result, err) } result = append(result, validateNoDoubleEscapes(tls)...) return result }
func ValidateIdentityProvider(identityProvider api.IdentityProvider) ValidationResults { validationResults := ValidationResults{} if len(identityProvider.Name) == 0 { validationResults.AddErrors(fielderrors.NewFieldRequired("name")) } if ok, err := validation.ValidateIdentityProviderName(identityProvider.Name); !ok { validationResults.AddErrors(fielderrors.NewFieldInvalid("name", identityProvider.Name, err)) } if len(identityProvider.MappingMethod) == 0 { validationResults.AddErrors(fielderrors.NewFieldRequired("mappingMethod")) } else if !validMappingMethods.Has(identityProvider.MappingMethod) { validationResults.AddErrors(fielderrors.NewFieldValueNotSupported("mappingMethod", identityProvider.MappingMethod, validMappingMethods.List())) } if !api.IsIdentityProviderType(identityProvider.Provider) { validationResults.AddErrors(fielderrors.NewFieldInvalid("provider", identityProvider.Provider, fmt.Sprintf("%v is invalid in this context", identityProvider.Provider))) } else { switch provider := identityProvider.Provider.Object.(type) { case (*api.RequestHeaderIdentityProvider): validationResults.Append(ValidateRequestHeaderIdentityProvider(provider, identityProvider)) case (*api.BasicAuthPasswordIdentityProvider): validationResults.AddErrors(ValidateRemoteConnectionInfo(provider.RemoteConnectionInfo).Prefix("provider")...) case (*api.HTPasswdPasswordIdentityProvider): validationResults.AddErrors(ValidateFile(provider.File, "provider.file")...) case (*api.LDAPPasswordIdentityProvider): validationResults.Append(ValidateLDAPIdentityProvider(provider)) case (*api.KeystonePasswordIdentityProvider): validationResults.Append(ValidateKeystoneIdentityProvider(provider, identityProvider).Prefix("provider")) case (*api.GitHubIdentityProvider): validationResults.AddErrors(ValidateOAuthIdentityProvider(provider.ClientID, provider.ClientSecret, identityProvider.UseAsChallenger)...) case (*api.GoogleIdentityProvider): validationResults.AddErrors(ValidateOAuthIdentityProvider(provider.ClientID, provider.ClientSecret, identityProvider.UseAsChallenger)...) case (*api.OpenIDIdentityProvider): validationResults.AddErrors(ValidateOpenIDIdentityProvider(provider, identityProvider)...) } } return validationResults }
func ValidateStorageVersionLevel(level string, knownAPILevels, deadAPILevels []string, name string) fielderrors.ValidationErrorList { allErrs := fielderrors.ValidationErrorList{} if len(level) == 0 { allErrs = append(allErrs, fielderrors.NewFieldRequired(name)) return allErrs } supportedLevels := sets.NewString(knownAPILevels...) supportedLevels.Delete(deadAPILevels...) if !supportedLevels.Has(level) { allErrs = append(allErrs, fielderrors.NewFieldValueNotSupported(name, level, supportedLevels.List())) } return allErrs }
func validateHorizontalPodAutoscalerSpec(autoscaler extensions.HorizontalPodAutoscalerSpec) errs.ValidationErrorList { allErrs := errs.ValidationErrorList{} if autoscaler.MinReplicas != nil && *autoscaler.MinReplicas < 1 { allErrs = append(allErrs, errs.NewFieldInvalid("minReplicas", autoscaler.MinReplicas, `must be bigger or equal to 1`)) } if autoscaler.MaxReplicas < 1 { allErrs = append(allErrs, errs.NewFieldInvalid("maxReplicas", autoscaler.MaxReplicas, `must be bigger or equal to 1`)) } if autoscaler.MinReplicas != nil && autoscaler.MaxReplicas < *autoscaler.MinReplicas { allErrs = append(allErrs, errs.NewFieldInvalid("maxReplicas", autoscaler.MaxReplicas, `must be bigger or equal to minReplicas`)) } if autoscaler.CPUUtilization != nil && autoscaler.CPUUtilization.TargetPercentage < 1 { allErrs = append(allErrs, errs.NewFieldInvalid("cpuUtilization.targetPercentage", autoscaler.CPUUtilization.TargetPercentage, `must be bigger or equal to 1`)) } if refErrs := ValidateSubresourceReference(autoscaler.ScaleRef); len(refErrs) > 0 { allErrs = append(allErrs, refErrs.Prefix("scaleRef")...) } else if autoscaler.ScaleRef.Subresource != "scale" { allErrs = append(allErrs, errs.NewFieldValueNotSupported("scaleRef.subresource", autoscaler.ScaleRef.Subresource, []string{"scale"})) } return allErrs }
func ValidateKubernetesMasterConfig(config *api.KubernetesMasterConfig) ValidationResults { validationResults := ValidationResults{} if len(config.MasterIP) > 0 { validationResults.AddErrors(ValidateSpecifiedIP(config.MasterIP, "masterIP")...) } if config.MasterCount == 0 || config.MasterCount < -1 { validationResults.AddErrors(fielderrors.NewFieldInvalid("masterCount", config.MasterCount, "must be a positive integer or -1")) } validationResults.AddErrors(ValidateCertInfo(config.ProxyClientInfo, false).Prefix("proxyClientInfo")...) if len(config.ProxyClientInfo.CertFile) == 0 && len(config.ProxyClientInfo.KeyFile) == 0 { validationResults.AddWarnings(fielderrors.NewFieldInvalid("proxyClientInfo", "", "if no client certificate is specified, TLS pods and services cannot validate requests came from the proxy")) } if len(config.ServicesSubnet) > 0 { if _, _, err := net.ParseCIDR(strings.TrimSpace(config.ServicesSubnet)); err != nil { validationResults.AddErrors(fielderrors.NewFieldInvalid("servicesSubnet", config.ServicesSubnet, "must be a valid CIDR notation IP range (e.g. 172.30.0.0/16)")) } } if len(config.ServicesNodePortRange) > 0 { if _, err := util.ParsePortRange(strings.TrimSpace(config.ServicesNodePortRange)); err != nil { validationResults.AddErrors(fielderrors.NewFieldInvalid("servicesNodePortRange", config.ServicesNodePortRange, "must be a valid port range (e.g. 30000-32000)")) } } if len(config.SchedulerConfigFile) > 0 { validationResults.AddErrors(ValidateFile(config.SchedulerConfigFile, "schedulerConfigFile")...) } for i, nodeName := range config.StaticNodeNames { if len(nodeName) == 0 { validationResults.AddErrors(fielderrors.NewFieldInvalid(fmt.Sprintf("staticNodeName[%d]", i), nodeName, "may not be empty")) } else { validationResults.AddWarnings(fielderrors.NewFieldInvalid(fmt.Sprintf("staticNodeName[%d]", i), nodeName, "static nodes are not supported")) } } if len(config.PodEvictionTimeout) > 0 { if _, err := time.ParseDuration(config.PodEvictionTimeout); err != nil { validationResults.AddErrors(fielderrors.NewFieldInvalid("podEvictionTimeout", config.PodEvictionTimeout, "must be a valid time duration string (e.g. '300ms' or '2m30s'). Valid time units are 'ns', 'us', 'ms', 's', 'm', 'h'")) } } for group, versions := range config.DisabledAPIGroupVersions { name := "disabledAPIGroupVersions[" + group + "]" if !api.KnownKubeAPIGroups.Has(group) { validationResults.AddWarnings(fielderrors.NewFieldValueNotSupported(name, group, api.KnownKubeAPIGroups.List())) continue } allowedVersions := sets.NewString(api.KubeAPIGroupsToAllowedVersions[group]...) for i, version := range versions { if version == "*" { continue } if !allowedVersions.Has(version) { validationResults.AddWarnings(fielderrors.NewFieldValueNotSupported(fmt.Sprintf("%s[%d]", name, i), version, allowedVersions.List())) } } } validationResults.AddErrors(ValidateAPIServerExtendedArguments(config.APIServerArguments).Prefix("apiServerArguments")...) validationResults.AddErrors(ValidateControllerExtendedArguments(config.ControllerArguments).Prefix("controllerArguments")...) return validationResults }
func TestNewInvalid(t *testing.T) { testCases := []struct { Err *fielderrors.ValidationError Details *unversioned.StatusDetails }{ { fielderrors.NewFieldDuplicate("field[0].name", "bar"), &unversioned.StatusDetails{ Kind: "kind", Name: "name", Causes: []unversioned.StatusCause{{ Type: unversioned.CauseTypeFieldValueDuplicate, Field: "field[0].name", }}, }, }, { fielderrors.NewFieldInvalid("field[0].name", "bar", "detail"), &unversioned.StatusDetails{ Kind: "kind", Name: "name", Causes: []unversioned.StatusCause{{ Type: unversioned.CauseTypeFieldValueInvalid, Field: "field[0].name", }}, }, }, { fielderrors.NewFieldNotFound("field[0].name", "bar"), &unversioned.StatusDetails{ Kind: "kind", Name: "name", Causes: []unversioned.StatusCause{{ Type: unversioned.CauseTypeFieldValueNotFound, Field: "field[0].name", }}, }, }, { fielderrors.NewFieldValueNotSupported("field[0].name", "bar", nil), &unversioned.StatusDetails{ Kind: "kind", Name: "name", Causes: []unversioned.StatusCause{{ Type: unversioned.CauseTypeFieldValueNotSupported, Field: "field[0].name", }}, }, }, { fielderrors.NewFieldRequired("field[0].name"), &unversioned.StatusDetails{ Kind: "kind", Name: "name", Causes: []unversioned.StatusCause{{ Type: unversioned.CauseTypeFieldValueRequired, Field: "field[0].name", }}, }, }, } for i, testCase := range testCases { vErr, expected := testCase.Err, testCase.Details expected.Causes[0].Message = vErr.ErrorBody() err := NewInvalid("kind", "name", fielderrors.ValidationErrorList{vErr}) status := err.(*StatusError).ErrStatus if status.Code != 422 || status.Reason != unversioned.StatusReasonInvalid { t.Errorf("%d: unexpected status: %#v", i, status) } if !reflect.DeepEqual(expected, status.Details) { t.Errorf("%d: expected %#v, got %#v", i, expected, status.Details) } } }
func TestValidate_ValidateEtcdStorageConfig(t *testing.T) { osField := "openShiftStorageVersion" kubeField := "kubernetesStorageVersion" tests := []struct { label string kubeStorageVersion string openshiftStorageVersion string name string expected fielderrors.ValidationErrorList }{ { label: "valid levels", kubeStorageVersion: "v1", openshiftStorageVersion: "v1", expected: fielderrors.ValidationErrorList{}, }, { label: "unknown openshift level", kubeStorageVersion: "v1", openshiftStorageVersion: "bogus", expected: fielderrors.ValidationErrorList{ fielderrors.NewFieldValueNotSupported(osField, "bogus", []string{"v1"}), }, }, { label: "unsupported openshift level", kubeStorageVersion: "v1", openshiftStorageVersion: "v1beta3", expected: fielderrors.ValidationErrorList{ fielderrors.NewFieldValueNotSupported(osField, "v1beta3", []string{"v1"}), }, }, { label: "missing openshift level", kubeStorageVersion: "v1", openshiftStorageVersion: "", expected: fielderrors.ValidationErrorList{ fielderrors.NewFieldRequired(osField), }, }, { label: "unknown kube level", kubeStorageVersion: "bogus", openshiftStorageVersion: "v1", expected: fielderrors.ValidationErrorList{ fielderrors.NewFieldValueNotSupported(kubeField, "bogus", []string{"v1"}), }, }, { label: "unsupported kube level", kubeStorageVersion: "v1beta3", openshiftStorageVersion: "v1", expected: fielderrors.ValidationErrorList{ fielderrors.NewFieldValueNotSupported(kubeField, "v1beta3", []string{"v1"}), }, }, { label: "missing kube level", kubeStorageVersion: "", openshiftStorageVersion: "v1", expected: fielderrors.ValidationErrorList{ fielderrors.NewFieldRequired(kubeField), }, }, } for _, test := range tests { t.Logf("evaluating test: %s", test.label) config := api.EtcdStorageConfig{ OpenShiftStorageVersion: test.openshiftStorageVersion, KubernetesStorageVersion: test.kubeStorageVersion, } results := ValidateEtcdStorageConfig(config) if !kapi.Semantic.DeepEqual(test.expected, results) { t.Errorf("unexpected validation results; diff:\n%v", util.ObjectDiff(test.expected, results)) return } } }