Kubectl support for validating nested objects with different ApiGroups (e.g. Lists containing objects in different api groups). Closes #24089

pkg/api/validation/schema.go

@@ -26,6 +26,7 @@ import (
 	"github.com/emicklei/go-restful/swagger"
 	"github.com/golang/glog"
 	apiutil "k8s.io/kubernetes/pkg/api/util"
+	"k8s.io/kubernetes/pkg/runtime"
 	utilerrors "k8s.io/kubernetes/pkg/util/errors"
 	"k8s.io/kubernetes/pkg/util/yaml"
 )
@@ -62,15 +63,17 @@ type NullSchema struct{}
 func (NullSchema) ValidateBytes(data []byte) error { return nil }
 
 type SwaggerSchema struct {
-	api swagger.ApiDeclaration
+	api      swagger.ApiDeclaration
+	delegate Schema // For delegating to other api groups
 }
 
-func NewSwaggerSchemaFromBytes(data []byte) (Schema, error) {
+func NewSwaggerSchemaFromBytes(data []byte, factory Schema) (Schema, error) {
 	schema := &SwaggerSchema{}
 	err := json.Unmarshal(data, &schema.api)
 	if err != nil {
 		return nil, err
 	}
+	schema.delegate = factory
 	return schema, nil
 }
 
@@ -78,11 +81,15 @@ func NewSwaggerSchemaFromBytes(data []byte) (Schema, error) {
 // It return nil if every item is ok.
 // Otherwise it return an error list contain errors of every item.
 func (s *SwaggerSchema) validateList(obj map[string]interface{}) []error {
-	allErrs := []error{}
 	items, exists := obj["items"]
 	if !exists {
-		return append(allErrs, fmt.Errorf("no items field in %#v", obj))
+		return []error{fmt.Errorf("no items field in %#v", obj)}
 	}
+	return s.validateItems(items)
+}
+
+func (s *SwaggerSchema) validateItems(items interface{}) []error {
+	allErrs := []error{}
 	itemList, ok := items.([]interface{})
 	if !ok {
 		return append(allErrs, fmt.Errorf("items isn't a slice"))
@@ -125,6 +132,7 @@ func (s *SwaggerSchema) validateList(obj map[string]interface{}) []error {
 			allErrs = append(allErrs, errs...)
 		}
 	}
+
 	return allErrs
 }
 
@@ -171,6 +179,25 @@ func (s *SwaggerSchema) ValidateObject(obj interface{}, fieldName, typeName stri
 	allErrs := []error{}
 	models := s.api.Models
 	model, ok := models.At(typeName)
+
+	// Verify the api version matches.  This is required for nested types with differing api versions because
+	// s.api only has schema for 1 api version (the parent object type's version).
+	// e.g. an extensions/v1beta1 Template embedding a /v1 Service requires the schema for the extensions/v1beta1
+	// api to delegate to the schema for the /v1 api.
+	// Only do this for !ok objects so that cross ApiVersion vendored types take precedence.
+	if !ok && s.delegate != nil {
+		fields, mapOk := obj.(map[string]interface{})
+		if !mapOk {
+			return append(allErrs, fmt.Errorf("field %s: expected object of type map[string]interface{}, but the actual type is %T", fieldName, obj))
+		}
+		if delegated, err := s.delegateIfDifferentApiVersion(runtime.Unstructured{Object: fields}); delegated {
+			if err != nil {
+				allErrs = append(allErrs, err)
+			}
+			return allErrs
+		}
+	}
+
 	if !ok {
 		return append(allErrs, TypeNotFoundError(typeName))
 	}
@@ -194,6 +221,17 @@ func (s *SwaggerSchema) ValidateObject(obj interface{}, fieldName, typeName stri
 	}
 	for key, value := range fields {
 		details, ok := properties.At(key)
+
+		// Special case for runtime.RawExtension and runtime.Objects because they always fail to validate
+		// This is because the actual values will be of some sub-type (e.g. Deployment) not the expected
+		// super-type (RawExtention)
+		if s.isGenericArray(details) {
+			errs := s.validateItems(value)
+			if len(errs) > 0 {
+				allErrs = append(allErrs, errs...)
+			}
+			continue
+		}
 		if !ok {
 			allErrs = append(allErrs, fmt.Errorf("found invalid field %s for %s", key, typeName))
 			continue
@@ -219,6 +257,42 @@ func (s *SwaggerSchema) ValidateObject(obj interface{}, fieldName, typeName stri
 	return allErrs
 }
 
+// delegateIfDifferentApiVersion delegates the validation of an object if its ApiGroup does not match the
+// current SwaggerSchema.
+// First return value is true if the validation was delegated (by a different ApiGroup SwaggerSchema)
+// Second return value is the result of the delegated validation if performed.
+func (s *SwaggerSchema) delegateIfDifferentApiVersion(obj runtime.Unstructured) (bool, error) {
+	// Never delegate objects in the same ApiVersion or we will get infinite recursion
+	if !s.isDifferentApiVersion(obj) {
+		return false, nil
+	}
+
+	// Convert the object back into bytes so that we can pass it to the ValidateBytes function
+	m, err := json.Marshal(obj.Object)
+	if err != nil {
+		return true, err
+	}
+
+	// Delegate validation of this object to the correct SwaggerSchema for its ApiGroup
+	return true, s.delegate.ValidateBytes(m)
+}
+
+// isDifferentApiVersion Returns true if obj lives in a different ApiVersion than the SwaggerSchema does.
+// The SwaggerSchema will not be able to process objects in different ApiVersions unless they are vendored.
+func (s *SwaggerSchema) isDifferentApiVersion(obj runtime.Unstructured) bool {
+	groupVersion := obj.GetAPIVersion()
+	return len(groupVersion) > 0 && s.api.ApiVersion != groupVersion
+}
+
+// isGenericArray Returns true if p is an array of generic Objects - either RawExtension or Object.
+func (s *SwaggerSchema) isGenericArray(p swagger.ModelProperty) bool {
+	return p.DataTypeFields.Type != nil &&
+		*p.DataTypeFields.Type == "array" &&
+		p.Items != nil &&
+		p.Items.Ref != nil &&
+		(*p.Items.Ref == "runtime.RawExtension" || *p.Items.Ref == "runtime.Object")
+}
+
 // This matches type name in the swagger spec, such as "v1.Binding".
 var versionRegexp = regexp.MustCompile(`^v.+\..*`)