DNS-1123 being enforced on path components for auditsink webhook service configuration #87185

Open
airadier opened this issue Jan 14, 2020 · 5 comments

@airadier airadier commented Jan 14, 2020

What happened:

According to https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#service-reference, I can configure the auditsink webhook to use a service, inside the clientConfig spec. The service.path attribute allows specifying the URL path for the service, as:

apiVersion: auditregistration.k8s.io/v1alpha1
kind: AuditSink
...
spec:
  webhook:
    clientConfig:
      service:
        namespace: my-service-namespace
        name: my-service-name
        path: /my-path
        port: 1234

However, if any of the path segments is not a valid DNS-1123 name, the validation will fail, as it is being checked in here:

failures := validation.IsDNS1123Subdomain(step)

So I cannot use a path like /my_path (with an underscore).

What you expected to happen:

I would expect that path components are not restricted to valid DNS-1123 names.

How to reproduce it (as minimally and precisely as possible):

Try to create an AuditSink resource like:

apiVersion: auditregistration.k8s.io/v1alpha1
kind: AuditSink
metadata:
  name: test-auditsink
...
spec:
  webhook:
    clientConfig:
      service:
        namespace: my-service-namespace
        name: my-service-name
        path: /my_path
        port: 1234

and you get an error like:

Error: AuditSink.auditregistration.k8s.io "test-auditsink" is invalid: spec.webhook.clientConfig.service.path: Invalid value: "/my_path": segment[0]: a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0", GitCommit:"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77", GitTreeState:"clean", BuildDate:"2019-09-18T14:36:53Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0", GitCommit:"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77", GitTreeState:"clean", BuildDate:"2019-09-18T14:27:17Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):
  • Install tools:
  • Network plugin and version (if this is a network-related bug):
  • Others:

@airadier airadier commented Jan 14, 2020

/sig api-machinery

@tedyu tedyu commented Jan 14, 2020

Is the underscore the only character to be allowed on top of the given regex?

@airadier airadier commented Jan 14, 2020

For this specific use case, it is failing because we are using the underscore. But I think path segments should not have the limitations of DNS-1123. According to:

https://tools.ietf.org/html/rfc3986#section-3.3

and

https://stackoverflow.com/questions/4669692/valid-characters-for-directory-part-of-a-url-for-short-links/4669755#4669755:

A–Z, a–z, 0–9, -, ., _, ~, !, $, &, ', (, ), *, +, ,, ;, =, :, @, as well as % that must be followed by two hexadecimal digits. Any other character/byte needs to be encoded using the percent-encoding.

So the set of characters that are allowed for a path component is much less restrictive.

Unless there is any reason I am missing to force path components to follow DNS-1123.
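
Added example, not part of the original thread and not Kubernetes code: a Go comparison of per-segment DNS-1123 subdomain validation with the RFC 3986 section 3.3 segment grammar quoted in the comment above. The function names are hypothetical, the sample paths are constructed, and refusing "." and ".." segments is an extra choice made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// DNS-1123 subdomain pattern, as printed in Kubernetes validation errors
// (the 253-character length limit is omitted here).
var dns1123Subdomain = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// RFC 3986 section 3.3: segment = *pchar, with
// pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
var rfc3986Segment = regexp.MustCompile(
	`^([A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})*$`)

// validate checks each "/"-separated step of path against re and
// returns an error naming the first step that fails.
func validate(path string, re *regexp.Regexp) error {
	if !strings.HasPrefix(path, "/") {
		return fmt.Errorf("path must start with '/'")
	}
	for i, step := range strings.Split(path[1:], "/") {
		// Choice made for this example: refuse dot-segments, which RFC 3986
		// allows syntactically but which resolve to a different path.
		if step == "." || step == ".." {
			return fmt.Errorf("segment[%d]: dot-segment %q", i, step)
		}
		if !re.MatchString(step) {
			return fmt.Errorf("segment[%d]: invalid value %q", i, step)
		}
	}
	return nil
}

// Hypothetical names; neither function is Kubernetes API.
func ValidateDNS1123Path(p string) error { return validate(p, dns1123Subdomain) }
func ValidateRFC3986Path(p string) error { return validate(p, rfc3986Segment) }

func main() {
	// Constructed sample paths.
	for _, p := range []string{"/my-path", "/my_path", "/v1/audit%2Fsink", "/bad%zz", "/a/../b"} {
		fmt.Printf("%-18s dns1123=%v rfc3986=%v\n", p,
			ValidateDNS1123Path(p), ValidateRFC3986Path(p))
	}
}
```
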

@fedebongio fedebongio commented Jan 14, 2020

/assign @tallclair
Could you take a look Tim please? Thank you

@neolit123 neolit123 commented Jan 15, 2020

xref #54145
