Show error in status if preserve unknown fields is true for nonstructural schemas

[vareti]

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:

/kind api-change

/kind bug

/kind cleanup
/kind deprecation
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:

CRDs with preserveUnknownFields: true won't be published via OpenAPI and kubectl explain will not work. This is intentional. But, nothing in the CRD status suggests that preserveUnknownFields: true is the problem. This PR adds an error message when that is the case for non-structural schema.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Status of v1beta1 CRDs without "preserveUnknownFields:false" will show violation "spec.preserveUnknownFields: Invalid value: true: must be false"

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[k8s-ci-robot]

Hi @vareti. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vareti]

/assign @sttts

[sttts]

I believe the error string can be short,i.e. "must not be true". Would the condition still look good?

[vareti]

Agreed. Field name is redundant in error message. Condition still looks good even after removing the field.

[fejta-bot]

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

[sttts]

can you make preserveUnknownFields a test input and add some test with and without?

[vareti]

I added preserveUnknownFields as test input

[sttts]

would add another step where you set preserveUnknownFields to false. Then this last violation should also go.

[vareti]

If I set preserveUnknownFields to false, I get a validation error that says the all fields in schema will be pruned which I think is a valid error. Instead, I tried fixing both the validation errors with a patch. Now there will be no violations

[sttts]

must be false is better IMO.

[vareti]

Yes, sounds good. I updated all the references to must be false

[sttts]

/ok-to-test

[liggitt]

aren't there several reasons we'll elide the schema?

• spec.preserveUnknownFields (Skip publishing OpenAPI for nonstructural schemas #82653)
• x-kubernetes-preserve-unknown-fields (Fix publishing x-kubernetes-preserve-unknown-fields working with kubectl #79636)
• array type missing items schema (apiextensions: prune array type without items in published OpenAPI #94888)
• invalid openapi types (DO NOT publish openapi specs containing bad types #79587)

should we treat those coherently (either by adding/removing a condition for each of those, or a single condition to cover "reasons openapi isn't being published")?

[sttts]

@liggitt don't mix non-structural and having constructs that kubectl does not understand or handle well.

This here is about the former. We have a NonStructural condition exactly for that, but forget the global spec.preserveUnknownFields to show as violation.

[liggitt]

This here is about the former. We have a NonStructural condition exactly for that, but forget the global spec.preserveUnknownFields to show as violation.

ah, ok

[sttts]

would instead set the value to false in all test fixtures by default, instead of changing all the expectations below.

[vareti]

done!

[sttts]

am still a little unsure and surprised about this big fallout here in the test. Would expect something very local. Isn't there a way to rewrite this test by adding steps only without rewriting what we have?

[vareti]

I agree the change is big and the same can be achieved by also adding the steps. But the intent was to just refactor the code to avoid duplication. This part of code does not change any of the previous logic and only adds some checking for preserveUnknownFields

[vareti]

made the changes to update the steps locally. please take a look.

[sttts]

good catch

[sttts]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts, vareti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apiextensions-apiserver/OWNERS [sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment