Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pod creations are missing validation on spec.topologySpreadConstraints[*].labelSelector #111791

Closed
alaypatel07 opened this issue Aug 10, 2022 · 5 comments · Fixed by #111802
Closed

pod creations are missing validation on spec.topologySpreadConstraints[*].labelSelector #111791

alaypatel07 opened this issue Aug 10, 2022 · 5 comments · Fixed by #111802
Assignees
@maaoBit
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/scheduling Categorizes an issue or PR as relevant to SIG Scheduling.

Comments

@alaypatel07
Copy link
Contributor

alaypatel07 commented Aug 10, 2022
edited

What happened?

When a pod is created with invalid topologySpreadConstraints, it is not rejected by the validating webhook, but the same label selector is rejected during deployment creation

$ cat busy-box-invalid-topology-spread.yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox1
  labels:
    app: busybox1
spec:
  containers:
    - image: busybox
      command:
        - sleep
        - "3600"
      imagePullPolicy: IfNotPresent
      name: busybox
  restartPolicy: Always
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: "kubernetes.io/hostname"
      whenUnsatisfiable: ScheduleAnyway
      labelSelector:
        matchExpressions:
          - key: "os=linux"
            operator: "In"
            values:
              - ""
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployments-simple-deployment-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: deployments-simple-deployment-app
    matchExpressions:
      - key: "os=linux"
        operator: "In"
        values:
          - ""
  template:
    metadata:
      labels:
        app: deployments-simple-deployment-app
    spec:
      containers:
        - name: busybox
          image: busybox
          command:
            - sleep
            - "3600"
 
$ k create -f busy-box-invalid-topology-spread.yaml
pod/busybox1 created
The Deployment "deployments-simple-deployment-deployment" is invalid:
* spec.selector.matchExpressions[0].key: Invalid value: "os=linux": name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
* spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"deployments-simple-deployment-app"}, MatchExpressions:[]v1.LabelSelectorRequirement{v1.LabelSelectorRequirement{Key:"os=linux", Operator:"In", Values:[]string{""}}}}: invalid label selector

$  k get pods
NAME                  READY   STATUS    RESTARTS   AGE
busybox1              0/1     Pending   0          5s

What did you expect to happen?

Expected the pod to be rejected with an error similar to deployment

How can we reproduce it (as minimally and precisely as possible)?

Create a pod with above mentioned spec.

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
  Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.1", GitCommit:"3ddd0f45aa91e2f30c70734b175631bec5b5825a", GitTreeState:"clean", BuildDate:"2022-05-24T12:17:11Z", GoVersion:"go1.18.2", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-12T14:12:29Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.24) and server (1.21) exceeds the supported minor version skew of +/-1

Cloud provider

N/A

OS version

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)
@alaypatel07 alaypatel07 added the kind/bug Categorizes issue or PR as related to a bug. label Aug 10, 2022
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Aug 10, 2022
@k8s-ci-robot
Copy link
Contributor

@alaypatel07: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Aug 10, 2022
@maaoBit
Copy link
Contributor

maaoBit commented Aug 11, 2022

/assign

@maaoBit maaoBit mentioned this issue Aug 11, 2022
Merged
@neolit123
Copy link
Member

/sig scheduling
?

@k8s-ci-robot k8s-ci-robot added sig/scheduling Categorizes an issue or PR as relevant to SIG Scheduling. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 18, 2022
@alculquicondor alculquicondor mentioned this issue Aug 29, 2022
Merged
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 16, 2022
@junjunjunk
Copy link

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maaoBit maaoBit

Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/scheduling Categorizes an issue or PR as relevant to SIG Scheduling.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Validate labelSelector in topologySpreadConstraints maaoBit/kubernetes
6 participants
@neolit123 @maaoBit @alaypatel07 @k8s-ci-robot @junjunjunk @k8s-triage-robot