Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
DNS-1123 being enforced on path componentes for auditsink webhook service configuration #87185
According to https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#service-reference, I can configure the auditsink webhook to use a service, inside clientConfig spec. The service.path attribute allows to specify the URL path for the service, as:
However, if any of the path segments is not a valid DNS-1123 name, the validation will fail, as it is being checked in here:
So I cannot use a path like /my_path (with an underscore).
What you expected to happen:
I would expect that path components are not restricted to valid DNS-1123 names.
How to reproduce it (as minimally and precisely as possible):
Try to create an AuditSink resource like:
and you get an error like:
Error: AuditSink.auditregistration.k8s.io "test-auditsink" is invalid: spec.webhook.clientConfig.service.path: Invalid value: "/my_path": segment: a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is 'a-z0-9?(.a-z0-9?)*')
For this specific use case, it is failing because we are using the underscore. But I think path segments should not have the limitations of DNS-1123. According to:
So the set of characters that are allowed for a path component are much less restrictive.
Unless there is any reason I am missing to force path components to follow DNS-1123