labelfilter: Refine default label regexps #18693
Cilium treats label patterns as regular expressions. The existing default labels, e.g. "!k8s.io", used a '.', which matches any character. This led to the default labels being too permissive in their matching and consequently labels like "k8sXo" being excluded from the identity, with consequent security implications. This commit properly escapes the regular expressions used in the default labels.

Signed-off-by: Tom Payne <tom@isovalent.com>
Looks good, thank you!
Thanks a lot 💯
Just curious, do we have something in the release notes to highlight (potential) breaking changes in general? This [docs] is mainly for a new version but not a patch version, if I am not wrong.
Commit e644df4954f67a51171fb06a55c62cadf6645f4e does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
Signed-off-by: Tom Payne <tom@isovalent.com>
Cilium treats label patterns as regular expressions. The existing
default labels, e.g. "!k8s.io", used a '.', which matches any character.
This led to the default labels being too permissive in their matching
and consequently labels like "k8sXo" being excluded from the identity,
with consequent security implications.
This PR properly escapes the regular expressions used in the default
labels and updates the documentation to describe Cilium's actual behavior.
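
The effect of the unescaped '.' described above, as an added Go example that is not Cilium's code and not part of this PR. It assumes exclusion patterns carry a `!` prefix and are matched as regular expressions anchored at the start of the label key; the function names and the key `k8sXio/name` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// excluded reports whether key matches any "!"-prefixed pattern (assumed start-anchored).
func excluded(patterns []string, key string) (bool, error) {
	for _, p := range patterns {
		if !strings.HasPrefix(p, "!") {
			continue
		}
		re, err := regexp.Compile("^" + strings.TrimPrefix(p, "!"))
		if err != nil {
			return false, err
		}
		if re.MatchString(key) {
			return true, nil
		}
	}
	return false, nil
}

// hasBareDot flags a '.' that is neither backslash-escaped nor inside [...].
func hasBareDot(pattern string) bool {
	escaped, inClass := false, false
	for _, r := range pattern {
		switch {
		case escaped:
			escaped = false
		case r == '\\':
			escaped = true
		case r == '[' || r == ']':
			inClass = r == '['
		case r == '.' && !inClass:
			return true // the regexp engine treats this as "any character"
		}
	}
	return false
}

func main() {
	for _, p := range []string{"!k8s.io", `!k8s\.io`} {
		drop, _ := excluded([]string{p}, "k8sXio/name") // constructed key
		fmt.Printf("%-9s bareDot=%v excludes k8sXio/name: %v\n", p, hasBareDot(p), drop)
	}
}
```

A check like `hasBareDot` can be run over operator-supplied label patterns to catch the same class of over-broad exclusion before deployment.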