Kubernetes: kubectl --validate flag pass when yaml file is wrong

Created on 6 Jun 2018 · 2Comments · Source: kubernetes/kubernetes

/kind bug

I think that is is a bug

What happened:
kubectl is successfuly validate a yaml file that contains invalid data (see below for the yaml file contents):

$ kubectl --context=minikube  create --dry-run --validate -f invalid.yml 
deployment "test" created (dry run)

However when issuing the command without the validate, it fails

$ kubectl --context=minikube apply -f invalid.yml 
The Deployment "test" is invalid: 
* metadata.labels: Invalid value: "£\"+=_+!¹²³€}{{@\"}{@~@:>?|\\|¬`}": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')
* spec.replicas: Invalid value: -100: must be greater than or equal to 0
* spec.selector.matchLabels: Invalid value: "£\"+=_+!¹²³€}{{@\"}{@~@:>?|\\|¬`}": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')
* spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"£\"+=_+!¹²³€}{{@\"}{@~@:>?|\\|¬`}"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: invalid label selector.

What you expected to happen:
kubectl create --dry-run --validate should report that there are errors in the yaml file

How to reproduce it (as minimally and precisely as possible):
Save the yaml below in a yaml file and apply once with
kubectl create --dry-run --validate -f file.yaml

and then go for real with
kubectl create -f file.yaml

Minikube can be used.

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: test
  labels:
    app: £"+=_+!¹²³€}{{@"}{@~@:>?|\|¬`}
  namespace: default
spec:
  replicas: -100
  revisionHistoryLimit: 2
  template:
    metadata:
      labels:
        app: £"+=_+!¹²³€}{{@"}{@~@:>?|\|¬`}
    spec:
      containers:
      - image: £"+=_+!¹²³€}{{@"}{@~@:>?|\|¬`}
        name: £"+=_+!¹²³€}{{@"}{@~@:>?|\|¬`}
        envFrom:
        - secretRef:
            name: £"+=_+!¹²³€}{{@"}{@~@:>?|\|¬`}

Anything else we need to know?:

Environment:

Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.6", GitCommit:"9f8ebd171479bec0ada837d7ee641dec2f8c6dd1", GitTreeState:"clean", BuildDate:"2018-03-21T15:21:50Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"", Minor:"", GitVersion:"v1.9.4", GitCommit:"bee2d1505c4fe820744d26d41ecd3fdd4a3d6546", GitTreeState:"clean", BuildDate:"2018-03-21T21:48:36Z", GoVersion:"go1.9.1", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider or hardware configuration:
minikube on linux, also happens on other non minikube-clusters
OS (e.g. from /etc/os-release):

NAME="Linux Mint"
VERSION="18.3 (Sylvia)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 18.3"
VERSION_ID="18.3"
VERSION_CODENAME=sylvia
UBUNTU_CODENAME=xenial

Kernel (e.g. uname -a):
Linux nb 4.13.0-43-generic #48~16.04.1-Ubuntu SMP Thu May 17 12:56:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Install tools:
Others:

/sig cli

kinbug sicli

Source

dawez

Most helpful comment

client-side validation is not exhaustive. it primarily ensures the fields names and types in the yaml file are valid. full validation is always done by the server, and can always impose additional restrictions/constraints over client-side validation.