Accept OpenAPI spec instead of JSON Schema for CRD validation

[mbohlool]

According to this proposal:

https://github.com/kubernetes/community/blob/master/contributors/design-proposals/customresources-validation.md

We accept JSON Schema for validation. Kubectl and other tools we have, uses OpenAPI to validate objects (as well as other custom validations on the server). While The proposal claims that OpenAPI and JSON Schema are compatible, but they are not. OpenAPI's Schema is a subset of JSON Schema (e.g. it does not support multiple values for type field). We would be in much better shape if we ask for the OpenAPI spec of the custom resource. In that way, we can just aggregate the Spec with current OpenAPI spec and kubectl and other tools can use that to validate the resource. If we accept a JSON Schema, it would not be possible to convert it to OpenAPI if user provides any incompatible values for that Schema.

@nikhita, @sttts @lavalamp

[k8s-github-robot]

@mbohlool
There are no sig labels on this issue. Please add a sig label by:

1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
   e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

2. specifying the label manually: /sig <label>
   e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. You can find the group list here and label list here.
The <group-suffix> in the method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals

[mbohlool]

/sig api-machinery

[sttts]

Copying my answer from kubernetes/community#708 (comment):

Why should we restrict ourselfes to openapi? The openapi spec is a side-product of this validation and I don't want to loose expressivity for validation because openapi hasn't updated to the JSON schema draft 4 yet.

Moreover, some day openapi v3 is finalized, we will support v3 and v2 for backward compatibility. Do you suggest that we stay at the common denominator, i.e. to that JSON schema subset supported by v2? In other words, at some point we will have to diverge anyway.

Is there anything that stops us from stripping the given spec from unsupported features for consumation by the openapi aggregator? As far as I see all JSON Schema fields are monotonic in the sense that stripping fields makes the spec weaker. That's what we need for easy openapi consumation.

[sttts]

@mbohlool can you summerize the v3 restrictions regarding JSON Schema draft 4?

[sttts]

@mbohlool Regarding my comment above: which API guarantees do we have regarding the served OpenAPI spec? Do we have to version that? Or do we expect that every consumer now suddenly support v3 and doesn't fall over the new schema?

[nikhita]

@mbohlool From the OpenAPI v3 specification: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#properties, the only difference between the types that are mentioned in the proposal and the OpenAPI types is the type field.

We use an array of strings (instead of a single string) right now but it can be changed. Also, patternProperties can be changed to accommodate OpenAPI.

Do you believe there are any further problems with the types that we have now? IMHO it should work with OpenAPI well after these changes.

[mbohlool]

There are differences in v2 and v3 spec. Why do we want to say we accept JSON Schema while we really accept the subset that is OpenAPI v3 (and meanwhile till we upgrade kubernetes to OpenAPI v3, OpenAPI v2) defined. I think we better just get OpenAPI spec from user and validate based on that (kubectl is already doing that). We would accept v2 now, when we upgrade kubernetes to accept v3, we would accept v3 instead of v2 in CRDs too (and would have the same level of backward compatibility we will foreseen for the whole kubernetes).

[sttts]

We have analysed the different specs:

• JSON-Schema draft 4,
• OpenAPI v2,
• OpenAPI v3,
• go-openapi's support as of today.

Here is a spread-sheet with the results: https://docs.google.com/spreadsheets/d/1Mkm9L7CXGvRorV0Cr4Vwfu0DH7XRi24YHPiDK1NZWo4/edit?usp=sharing

These are the main takeaways:

• go-openapi supports most of JSON Schema draft 4, only lacks some (optional) formats

• go-openapi supports most of OpenAPI v3, only lacks some documentary fields: nullable, writeOnly, deprecated

• go-openapi supports all of OpenAPI v2.

• OpenAPI v2 lacks the anyOf operator. Removing this from a CRD spec makes a lot specifications impossible. this hurts. anyOf basically allows to express alternatives, e.g. to have two variants or versions embedded in a CR spec.

• We can easily drop any anyOf fields when exporting to the OpenAPI spec. Every object validating under go-openapi will validate under the served OpenAPI spec then. So this is consistent, though not complete (until we serve OpenAPI v3 spec). But consistency is what is required. Completeness is a nice to have.

  => We have a trivial, consistent conversion to OpenAPI spec.

• If we go with full JSON-Schema draft 4, we will have to translate:

  • array items
  • possibly no type-matching defaults
  • array types

  => It's not so obivous how to map these to OpenAPI, not even to v3. So in the near future we won't have a good OpenAPI v3 mapping for the OpenAPI v3 spec.

My conclusion from this:

We should go with OpenAPI v3 and for the time being drop everything in the OpenAPI spec that is not in OpenAPI v2. But in the near future – when go-openapi supports v3 completely and we have switched to that version, we will be completely clean and have a real 1:1 mapping.

[sttts]

Now the technical part of a change from JSON-Schema to OpenAPI v3:

Let's assume we want to be OpenAPI v3 compatible in the validation. We also want to be able to upgrade some day, e.g. to v4 as supported by go-openapi.

Then we have these choices:

1. leave it as it is and do everything implicitly, i.e. silently allow more features of JSON Schema / OpenAPI
2. use the $schema field and some URL to declare which standard is used https://some-openapi-schema-url/v3.
3. turn CustomResourceValidation.JSONSchema into a RawExtension and define a JSONSchema object with APIVersion and Kind. Then we can use Kind: "OpenAPISpecV3"
4. rename CustomResourceValidation.JSONSchema to CustomResourceValidation.OpenAPISpecV3 and add CustomResourceValidation.OpenAPISpecV4 some day.

[nikhita]

Re: technical part of change from JSON-Schema to OpenAPI v3:

1. things could change anyhow in the future. What if some field gets deleted? Removing a field would be a breaking change.
2. we could do this but would need to change the structure as the standard changes. For one structure, there is really only one $schema value possible.
3. and 4. seems good. But will this create a "bloat"? As standards keep on changing, we'll have more and more types...

[sttts]

@deads2k @enisoc @bgrant0607 @brendandburns @mbohlool please comment on the upper two design decisions for CRD validation:

A) which JSON Schema subset #49879 (comment)
B) how to express different JSON Schema subset versions #49879 (comment)

cc @kubernetes/sig-api-machinery-api-reviews