apiextensions-apiserver: CRD validation doesn't accept empty values for type "object" fields

Create example CRD, but make spec an object

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: crontabs.stable.example.com
spec:
  group: stable.example.com
  version: v1
  scope: Namespaced
  names:
    plural: crontabs
    singular: crontab
    kind: CronTab
    shortNames:
    - ct
  validation:
   # openAPIV3Schema is the schema for validating custom objects.
    openAPIV3Schema:
      properties:
        spec:
          type: object
          properties:
            cronSpec:
              type: string
              pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$'
            replicas:
              type: integer
              minimum: 1
              maximum: 10

Create an instance with an empty spec

apiVersion: stable.example.com/v1
kind: CronTab
metadata:
  name: c
spec:

This throws the following error, but shouldn’t since spec doesn’t have any required fields:

The CronTab “c” is invalid: []: Invalid value: map[string]interface {}{“apiVersion”:“stable.example.com/v1”, “kind”:“CronTab”, “metadata”:map[string]interface {}{“name”:“c”, “namespace”:“default”, “creationTimestamp”:“2018-02-16T15:53:27Z”, “uid”:“86df4c72-1331-11e8-8944-42010a800029”, “selfLink”:“”, “clusterName”:“”}, “spec”:interface {}(nil)}: validation failure list:

About this issue

Original URL
State: closed
Created 6 years ago
Comments: 18 (11 by maintainers)

Commits related to this issue

Remove openAPIV3Schema validation When we were using kubebuilder, it generated openAPIV3schema validation for us in our CRD declarations. However: 1. No other knative projects use this 2. Continuing... — committed to bobcatfish/pipeline by bobcatfish 6 years ago
Remove openAPIV3Schema validation When we were using kubebuilder, it generated openAPIV3schema validation for us in our CRD declarations. However: 1. No other knative projects use this 2. Continuing... — committed to bobcatfish/pipeline by bobcatfish 6 years ago
Remove openAPIV3Schema validation When we were using kubebuilder, it generated openAPIV3schema validation for us in our CRD declarations. However: 1. No other knative projects use this 2. Continuing... — committed to tektoncd/pipeline by bobcatfish 6 years ago

Most upvoted comments

nullable: true

sttts on Jan 13, 2021

the provided schema says that spec itself is required,

where it said spec is required?

the OpenAPI spec does not accept null for type: object.

I don’t think spec is said something about this. It look like this is a validation bug. If the field is not in Required list, it is optional and both null or empty object should be accepted.

Analogous to that is string, if a string field is optional, null or empty string both should be accepted as not provided.

mbohlool on Oct 2, 2018