
Validation error: Additional property seccompProfile is not allowed #329

Open
muram opened this issue Feb 4, 2022 · 4 comments

muram commented Feb 4, 2022

Getting an invalid Deployment when validating custom resources using kubeval with the additional CRD schemas. The seccomp profile feature was shipped in Kubernetes 1.19, is this not supported yet?

WARN - stdin contains an invalid Deployment (flux-system.helm-controller) - seccompProfile: Additional property seccompProfile is not allowed
WARN - stdin contains an invalid Deployment (flux-system.kustomize-controller) - seccompProfile: Additional property seccompProfile is not allowed
WARN - stdin contains an invalid Deployment (flux-system.notification-controller) - seccompProfile: Additional property seccompProfile is not allowed
WARN - stdin contains an invalid Deployment (flux-system.source-controller) - seccompProfile: Additional property seccompProfile is not allowed

kingdonb commented Feb 7, 2022

This issue is surfaced because the latest release of Flux has added seccompProfile settings to the deployment.

I don't know why kubeval would have an issue with this one field in particular, but:

[Screenshot: Screen Shot 2022-02-07 at 3 37 06 PM]

It appears to be present in the cluster's schema A-OK, and it is matched together with the API documentation in a document where I've enabled validation through the cluster's API docs.

So I tried to figure out where kubeval gets its schemas for validation, and I noticed that you can pass a particular Kubernetes version in at manifest validation time:

-v, --kubernetes-version string   Version of Kubernetes to validate against (default "master")

I don't know any reason why this new feature wouldn't be in the Kubernetes master branch. I didn't notice that was the default, but I tried setting -v 1.23.3 for kicks, since it seemed likely the validation in a version of kubeval almost 1 year old would not be for the latest Kubernetes version. Either way, I still get this validation error.

If there's something we can do to fix this in our docs, then it can be filed as an enhancement against these repos where we include kubeval in our examples:

https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/scripts/validate.sh
https://github.com/fluxcd/flux2-multi-tenancy/blob/main/scripts/validate.sh

@jakubhajek

Adding --kubernetes-version to kubeval fixes the issue. I have spent some time trying to fix it and I could just quickly have a look here to find the answer. Thank you a lot, Kingdon, for providing the solution 👍 @kingdonb


kingdonb commented Feb 9, 2022

That's funny @jakubhajek – it hadn't fixed it for me!

Turns out I was calling kubeval twice, and I had only added -v 1.23.2 to the first invocation. Adding it to both invocations I can see now, this does actually fix the issue! kingdonb/bootstrap-repo#36 set kubeval validation version to match your K8S cluster version.

I'll take this back to our tutorials and fix them up (even though the tutorials don't show any validation error because they don't include flux-system from bootstrapping, the validators we provide should definitely pass on a fresh install of Flux.) 👍

Meanwhile, if the default version is to validate against the master branch, I wonder why isn't this field present in the master branch? (Is it serving up a stale reference because we don't call it master anymore but main now? No: kubernetes/kubernetes is still defaulted to the master branch.)
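
As an added example (not part of the thread or of the Flux validation scripts): a small shell check that lists kubeval calls in a script that carry neither `-v` nor `--kubernetes-version`, the situation described in the comment above where only one of two invocations was pinned. The function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag kubeval invocations in a
# validation script that do not pin the schema version.

# Prints "<line>: <command>" for every kubeval call that has neither
# --kubernetes-version nor -v (both flags are quoted in the thread).
find_unpinned_kubeval() {
  awk '
    function check(cmd, n,    seg, i, k, s, p) {
      if (cmd ~ /^[ \t]*#/) return               # whole-line comment
      k = split(cmd, seg, /[|;&]+/)              # one pipeline stage each
      for (i = 1; i <= k; i++) {
        s = seg[i]
        p = " " s " "                            # pad so flags match at the edges
        if (p !~ /[ \t(]kubeval[ \t]/) continue
        if (p ~ /[ \t](--kubernetes-version|-v)[ \t=]/) continue
        gsub(/^[ \t]+|[ \t]+$/, "", s)
        printf "%d: %s\n", n, s
      }
    }
    {
      if (buf == "") start = NR
      line = $0
      # Join backslash-continued lines into one logical command.
      if (sub(/\\[ \t]*$/, "", line)) { buf = buf line " "; next }
      check(buf line, start); buf = ""
    }
    END { if (buf != "") check(buf, start) }
  ' "$1"
}

# Constructed sample: two invocations, only the first one pinned.
sample_script() {
  cat <<'EOF'
kustomize build ./clusters | kubeval -v 1.23.2 --strict
# kubeval --strict
kustomize build ./apps | \
  kubeval --strict --ignore-missing-schemas
EOF
}

tmp=$(mktemp)
sample_script > "$tmp"
find_unpinned_kubeval "$tmp"
rm -f "$tmp"
```

The check splits on `|`, `;` and `&`, so a `-v` that belongs to another command in the same pipeline (for example `grep -v`) does not count as a pinned kubeval call.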

@kingdonb

It looks like we've found another option that is being actively maintained: https://github.com/yannh/kubeconform

Flux project switched our recommendation to use kubeconform instead here, it claims inspiration from kubeval and says it's designed to be very similar:

squat added a commit to pinguiorg/infrastructure that referenced this issue Jun 28, 2022
kubeval is failing to correctly evaluate manifests with
seccompProfiles. The project is unmaintained and a suggested replacement
is kubeconform. This PR fixes failing CI by pinning the CI tool and
switching to kubeconform.

xref: instrumenta/kubeval#329

Signed-off-by: Lucas Servén Marín <[email protected]>