Uploaded image for project: 'Couchbase Kubernetes'
  1. Couchbase Kubernetes
  2. K8S-648

cbopctl: Decoding error while providing spec.securityContext.fsGroup as text value

    XMLWordPrintable

Details

    Description

      Yaml file content:

      securityContext:
          fsGroup: "1000_text"

      cbopctl output:

      couchbase-operator]$ ./build/bin/cbopctl create -f test/e2e/resources/validation/validation.yaml
      Error decoding specification: v1.CouchbaseCluster.Spec: v1.ClusterSpec.SecurityContext: v1.PodSecurityContext.FSGroup: readUint64: unexpected character: �, error found in #10 byte of ...|fsGroup":"1000_text"|..., bigger context ...|alse,"paused":false,"securityContext":{"fsGroup":"1000_text"},"serverGroups":["RzaGroup-1","RzaGroup|...
       
      couchbase-operator]$ ./build/bin/cbopctl --version
      cbopctl version 1.1.0 (master e901fdccd98ec67330cb81556391d3a2297af628)

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          Behavior is same for field type mismatch in other SecurityContext values,

          couchbase-operator]$ ./build/bin/cbopctl create -f test/e2e/resources/validation/validation.yaml
          Error decoding specification: v1.CouchbaseCluster.Spec: v1.ClusterSpec.SecurityContext: v1.PodSecurityContext.FSGroup: readUint64: unexpected character: �, error found in #10 byte of ...|fsGroup":"1000_text"|..., bigger context ...|alse,"paused":false,"securityContext":{"fsGroup":"1000_text"},"serverGroups":["RzaGroup-1","RzaGroup|...
           
          couchbase-operator]$ ./build/bin/cbopctl create -f test/e2e/resources/validation/validation.yaml
          Error decoding specification: v1.CouchbaseCluster.Spec: v1.ClusterSpec.SecurityContext: v1.PodSecurityContext.RunAsNonRoot: ReadBool: expect t or f, but found ", error found in #10 byte of ...|NonRoot":"true","run|..., bigger context ...|"securityContext":{"fsGroup":1000,"runAsNonRoot":"true","runAsUser":1000},"serverGroups":["RzaGroup-|...
           
          couchbase-operator]$ ./build/bin/cbopctl create -f test/e2e/resources/validation/validation.yaml
          Error decoding specification: v1.CouchbaseCluster.Spec: v1.ClusterSpec.SecurityContext: v1.PodSecurityContext.RunAsUser: readUint64: unexpected character: �, error found in #10 byte of ...|nAsUser":"1000"},"se|..., bigger context ...|:{"fsGroup":1000,"runAsNonRoot":true,"runAsUser":"1000"},"serverGroups":["RzaGroup-1","RzaGroup-2","|...

          ashwin.govindarajulu Ashwin Govindarajulu added a comment - Behavior is same for field type mismatch in other SecurityContext values, couchbase-operator]$ ./build/bin/cbopctl create -f test/e2e/resources/validation/validation.yaml Error decoding specification: v1.CouchbaseCluster.Spec: v1.ClusterSpec.SecurityContext: v1.PodSecurityContext.FSGroup: readUint64: unexpected character: �, error found in #10 byte of ...|fsGroup":"1000_text"|..., bigger context ...|alse,"paused":false,"securityContext":{"fsGroup":"1000_text"},"serverGroups":["RzaGroup-1","RzaGroup|...   couchbase-operator]$ ./build/bin/cbopctl create -f test/e2e/resources/validation/validation.yaml Error decoding specification: v1.CouchbaseCluster.Spec: v1.ClusterSpec.SecurityContext: v1.PodSecurityContext.RunAsNonRoot: ReadBool: expect t or f, but found ", error found in #10 byte of ...|NonRoot":"true","run|..., bigger context ...|"securityContext":{"fsGroup":1000,"runAsNonRoot":"true","runAsUser":1000},"serverGroups":["RzaGroup-|...   couchbase-operator]$ ./build/bin/cbopctl create -f test/e2e/resources/validation/validation.yaml Error decoding specification: v1.CouchbaseCluster.Spec: v1.ClusterSpec.SecurityContext: v1.PodSecurityContext.RunAsUser: readUint64: unexpected character: �, error found in #10 byte of ...|nAsUser":"1000"},"se|..., bigger context ...|:{"fsGroup":1000,"runAsNonRoot":true,"runAsUser":"1000"},"serverGroups":["RzaGroup-1","RzaGroup-2","|...
          simon.murray Simon Murray added a comment -

          This is an internal Kubernetes type so we do not (will not by ourselves - it's too prone to errors) perform any validation on it.  We'll need to look into possibly using ValidatePodSecurityContext from pkg/apis/core/validation/validation.go in the main kubernetes package.  Not possible in the 1.1.0 time frame.

          simon.murray Simon Murray added a comment - This is an internal Kubernetes type so we do not (will not by ourselves - it's too prone to errors) perform any validation on it.  We'll need to look into possibly using ValidatePodSecurityContext from pkg/apis/core/validation/validation.go in the main kubernetes package.  Not possible in the 1.1.0 time frame.

          But Simon, this is observed even while providing invalid exposeAdminConsole type in the spec.

          spec:
            antiAffinity: false
            baseImage: couchbase/server
            version: enterprise-5.5.0
            authSecret: basic-test-secret
            exposeAdminConsole: "false" <-- Invalid type "string" instead of bool
            paused: false
            disableBucketManagement: false

           

          couchbase-operator]$ ./build/bin/cbopctl apply -f test/e2e/resources/validation/validation.yaml
          Error decoding specification: v1.CouchbaseCluster.Spec: v1.ClusterSpec.ExposeAdminConsole: ReadBool: expect t or f, but found ", error found in #10 byte of ...|Console":"false","pa|..., bigger context ...|ableBucketManagement":false,"exposeAdminConsole":"false","paused":false,"securityContext":{"fsGroup"|...

          ashwin.govindarajulu Ashwin Govindarajulu added a comment - But Simon, this is observed even while providing invalid exposeAdminConsole type in the spec. spec: antiAffinity: false baseImage: couchbase/server version: enterprise-5.5.0 authSecret: basic-test-secret exposeAdminConsole: "false" <-- Invalid type "string" instead of bool paused: false disableBucketManagement: false   couchbase-operator]$ ./build/bin/cbopctl apply -f test/e2e/resources/validation/validation.yaml Error decoding specification: v1.CouchbaseCluster.Spec: v1.ClusterSpec.ExposeAdminConsole: ReadBool: expect t or f, but found ", error found in #10 byte of ...|Console":"false","pa|..., bigger context ...|ableBucketManagement":false,"exposeAdminConsole":"false","paused":false,"securityContext":{"fsGroup"|...
          simon.murray Simon Murray added a comment -

          Oh right, so we need to run the CRD validation as a an unstructured object before deserializing it.  This will not fix the first issue which is still too complex to get into 1.1.0.  Will have an experiment, not promising anything.

          simon.murray Simon Murray added a comment - Oh right, so we need to run the CRD validation as a an unstructured object before deserializing it.  This will not fix the first issue which is still too complex to get into 1.1.0.  Will have an experiment, not promising anything.
          simon.murray Simon Murray added a comment -

          Bumping to 1.1 as I believe this is sufficiently important.

          simon.murray Simon Murray added a comment - Bumping to 1.1 as I believe this is sufficiently important.
          simon.murray Simon Murray added a comment -

          As I've said we'll make the output better, but we won't validate native resources.  Will open a new issue for this.

          simon.murray Simon Murray added a comment - As I've said we'll make the output better, but we won't validate native resources.  Will open a new issue for this.

          People

            simon.murray Simon Murray
            ashwin.govindarajulu Ashwin Govindarajulu
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes

                PagerDuty