kubeadm: enable strict config unmarhaling

[neolit123]

What type of PR is this?
/kind bug

What this PR does / why we need it:

EDITED

my PR here has the potential to break the whole k8s:
#70839

so instead this kubeadm localized PR can be used, which enables YAML field validation outside of codecs.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

Fixes kubernetes/kubeadm#1066

Special notes for your reviewer:
NONE

Does this PR introduce a user-facing change?:

kubeadm: enable strict unmarshaling of YAML configuration files and show warnings for unknown and duplicate fields.

/assign @fabriziopandini @rosti
/priority important-longterm
cc @kubernetes/sig-cluster-lifecycle-pr-reviews
cc @luxas @dims

[neolit123]

some of these _test changes are bugs in our test config data..

[neolit123]

updated the PR.
the solution is much cleaner now, but comments would be appreciated.

[neolit123]

/hold

[neolit123]

/retest

[fabriziopandini]

@neolit123 thanks for this PR!
As you are saying this change has potential implications and so I would like it to be discussed at sig level.
My personal first impression about this is that I would like kubeadm to be aligned with kubernetes, and that this change is kind of risky at this stage of the cycle

[rosti]

I like the general idea. I see a couple things however:

• I don't like the idea of imposing this on component configs (Kube-Proxy and Kubelet). Technically speaking, this validation should be done on their side and we should simply invoke their code to pre-validate things. Ideally, this should be done centrally like you suggested in [WIP] runtime/serializer: use DisallowUnknownFields for the json-iter config #70839 . I am not convinced, that we should single handedly impose restrictions in other people's configs.
• Missing tests for InitConfiguration. We need those in the spirit of ClusterConfiguration.

[neolit123]

@fabriziopandini

My personal first impression about this is that I would like kubeadm to be aligned with kubernetes, and that this change is kind of risky at this stage of the cycle

api machinery will not enable strict unmarshaling for the core codecs.
i don't see it happening in the next +4 cycles.

i will have office hours agenda on this. the change on the kubeadm side will always be risky, due to users having typos or duplicate fields in production YAMLs.

@rosti

I don't like the idea of imposing this on component configs (Kube-Proxy and Kubelet). Technically speaking, this validation should be done on their side and we should simply invoke their code to pre-validate things. Ideally, this should be done centrally like you suggested in #70839 . I am not convinced, that we should single handedly impose restrictions in other people's configs.

70839 is not going to happen. i just did it to see how many bogus YAML documents will fail the CI and there are quite a few all over the project.

i do agree about kubeproxy and kubelet not being our responsibility, but the maintainers are not going to do it anytime in the future. given kubeadm is a tool for the end user it feels to me that we have to do it now, even if temporary.

/assign @timothysc
for comments too please.

[timothysc]

We'll
/hold
until group consensus.

[neolit123]

the reason for this localscheme is that i cannot find a way to obtain external empty objects from our schemes such as:

&kubeadmapiv1beta1.ClusterConfiguration{}

in the case of: constants.ClusterConfigurationKind and kubeadmapiv1alpha3.SchemeGroupVersion

@fabriziopandini @rosti @timothysc please advise.
is there a magical way to convert from GroupVersionKind to such an external empty object for our already registered config types including component configs?

[rosti]

@neolit123 Isn't this one working for you?

kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go

Line 31 in 90245be

var Scheme = runtime.NewScheme()

[rosti]

I'll do a more thorough review tomorrow. Hope the suggestion works.

[rosti]

@neolit123 Isn't this one working for you?

kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go

Line 31 in 90245be

var Scheme = runtime.NewScheme()

[neolit123]

after the suggestion by @rosti this was greatly simplified and the init function was removed. 🎉
what this is doing is to check if a certain GVK exists in our kubeadm configs and if it doesn't it checks the component configs.

if it's missing for both it outputs such an error:

W1116 02:17:13.388274   30409 strict.go:47] unknown configuration schema.GroupVersionKind{Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind:"KubeProxyConfiguration1"} for scheme definitions "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme/scheme.go:31" and "k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs/scheme.go:28"

@timothysc please let me know if you want me to further amend the error output.

[timothysc]

thx @neolit123 !
/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, timothysc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kubeadm/OWNERS [timothysc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[timothysc]

/hold cancel

[neolit123]

/test pull-kubernetes-e2e-gce-100-performance

[luxas]

LGTM, thanks, but some small cleanup notes

[luxas]

Why don't you run klog if err != nil on the caller side instead?

[neolit123]

i did this to contain the klog messages in one location.
otherwise i have to copy them two times - one for init and one for join config.

[luxas]

nit: this isn't needed, just use := on first invocation instead

[neolit123]

i managed to flip "got" and "expected" here..