DNS names can only be up to 255 characters in length:
https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.4
Furthermore, DNS matchPattern rules that are excessively long could cause the Cilium agent to take a long time to process the rules. It would make sense to impose a (configurable?) limit on these, perhaps something like 63 to begin with.
Tasks:
- Check whether matchName statements are limited to the maximum length of a DNS name
- Create a new hidden configuration flag for max dns matchpattern string length
- Extend the CiliumNetworkPolicy sanitization logic to limit the length of DNS matchname/matchpattern rules
- Extend the preflight check to validate whether any existing CNPs or CCNPs have matchpattern / matchnames that exceed the default limits. If yes, highlight the statements. Instruct the user to configure the above Cilium flag to raise the limits to match the policies they use in their environment.
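The sanitization and preflight logic the tasks above describe, as an added Go example that is not Cilium's own code: the FQDNRule type, the validation functions and the use of 63 as the default matchPattern limit are assumptions taken from the issue text, not from Cilium's API.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed limits from RFC 1035 section 2.3.4 (cited in the issue): a label is at
// most 63 octets and a full name at most 255 octets.
const (
	maxDNSNameLen  = 255
	maxDNSLabelLen = 63
)

// FQDNRule mirrors the matchName / matchPattern pair of a CiliumNetworkPolicy
// toFQDNs entry (hypothetical type; not Cilium's own policy struct).
type FQDNRule struct {
	MatchName    string
	MatchPattern string
}

// ValidateFQDNRule checks matchName against the fixed RFC 1035 limits and
// matchPattern against a configurable limit; maxPatternLen stands in for the
// value of the hidden agent flag proposed in the issue (assumed default: 63).
func ValidateFQDNRule(r FQDNRule, maxPatternLen int) error {
	if r.MatchName != "" {
		name := strings.TrimSuffix(r.MatchName, ".") // trailing dot is not a label
		if len(name) > maxDNSNameLen {
			return fmt.Errorf("matchName %q: length %d exceeds DNS limit of %d", r.MatchName, len(name), maxDNSNameLen)
		}
		for _, label := range strings.Split(name, ".") {
			if label == "" || len(label) > maxDNSLabelLen {
				return fmt.Errorf("matchName %q: label %q is empty or longer than %d", r.MatchName, label, maxDNSLabelLen)
			}
		}
	}
	if r.MatchPattern != "" && len(r.MatchPattern) > maxPatternLen {
		return fmt.Errorf("matchPattern %q: length %d exceeds configured limit of %d", r.MatchPattern, len(r.MatchPattern), maxPatternLen)
	}
	return nil
}

// PreflightCheck runs the validation over the rules of existing policies and
// returns every offending statement, so an operator can either fix the policy
// or raise the configured limit to match what their environment uses.
func PreflightCheck(rules []FQDNRule, maxPatternLen int) []error {
	var offending []error
	for _, r := range rules {
		if err := ValidateFQDNRule(r, maxPatternLen); err != nil {
			offending = append(offending, err)
		}
	}
	return offending
}
```

A policy rejected by ValidateFQDNRule at admission time is the same one PreflightCheck would flag during an upgrade; the limit value is the only input that differs.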