Calico NetworkPolicy: int64 must be of type int-or-string
jplitza opened this issue · 1 comments
jplitza commented
What happened?
I validated a Calico network policy that is successfully loaded in the cluster, and it reported:
NetworkPolicy.projectcalico.org "testcase-int-or-string" is invalid: spec.egress[0].destination.ports[0]: Invalid value: "int64": spec.egress[0].destination.ports[0] in body must be of type int-or-string: "int64"
What did you expect to happen?
No validation errors.
How can we reproduce it (as minimally and precisely as possible)?
Validate the following resource with the Calico CRDs referenced with --local-crds:
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: testcase-int-or-string
  namespace: default
spec:
  egress:
  - action: Allow
    destination:
      namespaceSelector: kubernetes.io/metadata.name == "kube-system"
      selector: app.kubernetes.io/name == "coredns"
      ports:
      - 53
    protocol: UDP
    source: {}
Anything else we need to know?
It works when the port is specified as string instead of number.
The relevant part of the CRD:
ports:
  description: "[...]"
  items:
    anyOf:
    - type: integer
    - type: string
    pattern: ^.*
    x-kubernetes-int-or-string: true
Kubernetes version
$ kubectl version
Client Version: v1.29.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.2
jplitza commented
I mixed up crd.projectcalico.org/v1 and projectcalico.org/v3. The latter specifies this in its schema:
ports:
  type: string
  format: int-or-string
which quite obviously doesn't apply to an integer. So the bug is with Calico, not with this project. Apologies.
The problem can be fixed by passing this schema patch to kubectl-validate:
{
  "components": {
    "schemas": {
      "com.github.projectcalico.api.pkg.lib.numorstring.Port": {
        "anyOf": [
          {
            "type": "integer"
          },
          {
            "type": "string"
          }
        ],
        "type": null,
        "format": null
      }
    }
  }
}
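Why the patch in the comment above lets the integer port validate, as an added example that is not part of the original issue or of kubectl-validate's code. It assumes the patch is applied with JSON merge-patch semantics (RFC 7396, where `null` deletes a key) and checks only the `type` and `anyOf` keywords; `merge_patch`, `validates` and the constant names are illustrative.

```python
import copy

# Schema fragment quoted in the comment above for projectcalico.org/v3 ports.
V3_PORT_SCHEMA = {"type": "string", "format": "int-or-string"}

# The schema patch from the comment above, reduced to the Port entry.
PORT_PATCH = {
    "anyOf": [{"type": "integer"}, {"type": "string"}],
    "type": None,
    "format": None,
}


def merge_patch(target, patch):
    """Apply a JSON merge patch (RFC 7396): null deletes a key, objects merge."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def type_matches(value, type_name):
    # bool is a subclass of int in Python but is not a JSON integer.
    if type_name == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if type_name == "string":
        return isinstance(value, str)
    raise ValueError(f"type not handled in this sketch: {type_name}")


def validates(value, schema):
    """Check only the keywords used on this page: type and anyOf."""
    if "type" in schema and not type_matches(value, schema["type"]):
        return False
    if "anyOf" in schema:
        return any(validates(value, sub) for sub in schema["anyOf"])
    return True


# Assumption: the patch is merged into the schema before validation runs.
PATCHED_PORT_SCHEMA = merge_patch(V3_PORT_SCHEMA, PORT_PATCH)
```

Before the patch, `type: string` rejects the YAML integer `53` and accepts `"53"`, matching the workaround reported in the issue; after the patch both forms pass.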