Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

labelfilter: Refine default label regexps #18693

Merged
merged 2 commits into from
Feb 3, 2022
Merged

labelfilter: Refine default label regexps #18693

merged 2 commits into from
Feb 3, 2022

Conversation

twpayne
Copy link
Contributor

@twpayne twpayne commented Feb 1, 2022

Cilium treats label patterns as regular expressions. The existing
default labels, e.g. "!k8s.io", used a '.', which matches any character.
This led to the default labels being too permissive in their matching
and consequently labels like "k8sXo" being excluded from the identity,
with consequent security implications.

This PR properly escapes the regular expressions used in the default
labels and updates the documentation to describe Cilium's actual behavior.

@twpayne
labelfilter: Refine default label regexps
e75de2d 
Cilium treats label patterns as regular expressions. The existing
default labels, e.g. "!k8s.io", used a '.', which matches any character.
This led to the default labels being too permissive in their matching
and consequently labels like "k8sXo" being excluded from the identity,
with consequent security implications.

This commit properly escapes the regular expressions used in the default
labels.

Signed-off-by: Tom Payne <tom@isovalent.com>
@twpayne twpayne added area/daemon Impacts operation of the Cilium daemon. release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.9 labels Feb 1, 2022
@twpayne twpayne requested review from pchaigno, aanm and a team February 1, 2022 16:12
@twpayne twpayne requested review from a team as code owners February 1, 2022 16:12
@twpayne twpayne requested a review from qmonnet February 1, 2022 16:12
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.11.2 Feb 1, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.10.8 Feb 1, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.9.13 Feb 1, 2022
qmonnet
qmonnet approved these changes Feb 1, 2022
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thank you!

Documentation/operations/performance/scalability/identity-relevant-labels.rst Outdated Show resolved Hide resolved
Documentation/operations/performance/scalability/identity-relevant-labels.rst Outdated Show resolved Hide resolved
sayboras
sayboras approved these changes Feb 1, 2022
View reviewed changes
Copy link
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot 💯

Just curious, do we have something in release note to highlight about (potential) breaking change in general ? This [docs] is mainly for new version but not a patch version if i am not wrong.

@maintainer-s-little-helper
Copy link

Commit e644df4954f67a51171fb06a55c62cadf6645f4e does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Feb 1, 2022
@maintainer-s-little-helper
Copy link

Commit e644df4954f67a51171fb06a55c62cadf6645f4e does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

1 similar comment
@maintainer-s-little-helper
Copy link

Commit e644df4954f67a51171fb06a55c62cadf6645f4e does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@twpayne
Copy link
Contributor Author

twpayne commented Feb 1, 2022

Commit e644df4 does not contain "Signed-off-by".

Hey, @maintainer-s-little-helper, that's because the commit was created by clicking the "Commit suggestion" button here in GitHub.

I've squashed the suggested changes from @qmo into the document update commit.

@twpayne twpayne added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 2, 2022
@twpayne
docs(labels): Document that labels are in fact patterns
a29fee1 
Signed-off-by: Tom Payne <tom@isovalent.com>
@joamaki joamaki merged commit cf39553 into cilium:master Feb 3, 2022
@joamaki joamaki mentioned this pull request Feb 7, 2022
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.10 in 1.10.8 Feb 7, 2022
@joamaki joamaki mentioned this pull request Feb 7, 2022
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.10 in 1.11.2 Feb 7, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.10 to Backport done to v1.10 in 1.10.8 Feb 8, 2022
@joamaki joamaki mentioned this pull request Feb 8, 2022
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.9 in 1.9.13 Feb 8, 2022
@joamaki joamaki added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.9 and removed backport-pending/1.11 labels Feb 8, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.10 to Backport done to v1.11 in 1.11.2 Feb 9, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.9 to Backport done to v1.9 in 1.9.13 Feb 9, 2022
@twpayne twpayne deleted the pr/twpayne/fix-label-regexps branch February 9, 2022 15:16
This was referenced Feb 23, 2022
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer approved these changes

@pchaigno pchaigno pchaigno approved these changes

@aanm aanm aanm approved these changes

@sayboras sayboras sayboras approved these changes

@qmonnet qmonnet qmonnet approved these changes

Assignees
No one assigned
Labels
area/daemon Impacts operation of the Cilium daemon. backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
No open projects
1.10.8
Backport done to v1.10
1.11.2
Backport done to v1.11
1.9.13
Backport done to v1.9
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@twpayne @joestringer @pchaigno @aanm @sayboras @qmonnet @joamaki