Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate ingress TLS secretName in v1 #93929

Merged
merged 1 commit into from Aug 12, 2020
Merged

Validate ingress TLS secretName in v1 #93929

merged 1 commit into from Aug 12, 2020

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Aug 12, 2020

What type of PR is this?
/kind bug
/kind api-change

What this PR does / why we need it:
Validates the Ingress TLS secretName field in networking.k8s.io/v1

Which issue(s) this PR fixes:
Fixes #93928

Special notes for your reviewer:
Tightens validation in v1 for new objects, and for existing objects that already pass the tightened validation. Preserves backwards compatibility for existing objects and previously released APIs.

Does this PR introduce a user-facing change?:

When creating a networking.k8s.io/v1 Ingress API object, `spec.tls[*].secretName` values are required to pass validation rules for Secret API object names.

/cc @robscott @deads2k
/sig network
/milestone v1.19

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 12, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.19 milestone Aug 12, 2020
@k8s-ci-robot k8s-ci-robot added sig/network Categorizes an issue or PR as relevant to SIG Network. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Aug 12, 2020
deads2k
deads2k reviewed Aug 12, 2020
View reviewed changes
pkg/apis/networking/validation/validation.go
if len(name) == 0 {
return nil
}
return apivalidation.ValidateSecretName(name, false)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense to me, but the doc on the .secretName field is vague. it's not clear whether it must be a kube secret ref or if it can be a reference to nearly anything and we should only enforce some large length limit.

If the latter, the field doc needs to be improved to make it clear that consumers need to defend against traversal attacks.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's definitely a kubernetes secret. A separate field to indicate a named credential managed by the ingress controller was discussed as an alternative to the requests for cluster-scoped secrets, but was not accepted.

@liggitt
Copy link
Member Author

liggitt commented Aug 12, 2020

bazel debian error
/retest

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liggitt
Copy link
Member Author

liggitt commented Aug 12, 2020

/priority critical-urgent

to resolve API issue prior to initial release

@k8s-ci-robot k8s-ci-robot added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Aug 12, 2020
@deads2k
Copy link
Contributor

deads2k commented Aug 12, 2020

lgtm, but I'd like someone from sig-network to sign off.

@liggitt
Copy link
Member Author

liggitt commented Aug 12, 2020

/retest

@fejta-bot
Copy link

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@robscott
Copy link
Member

Thanks!

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 12, 2020
@k8s-ci-robot k8s-ci-robot merged commit 4a7804a into kubernetes:master Aug 12, 2020
@github-actions github-actions bot mentioned this pull request Aug 12, 2020
Open
@spiffxp spiffxp mentioned this pull request Aug 13, 2020
Closed
36 tasks
@liggitt liggitt deleted the ingress-secret branch August 13, 2020 15:24
@liggitt liggitt mentioned this pull request Aug 13, 2020
Merged
@github-actions github-actions bot mentioned this pull request Aug 18, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k deads2k left review comments

@robscott robscott Awaiting requested review from robscott

Assignees

@robscott robscott

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/network Categorizes an issue or PR as relevant to SIG Network. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.19
Development

Successfully merging this pull request may close these issues.

missing validation for ingress.spec.tls.secretName
5 participants
@liggitt @k8s-ci-robot @deads2k @fejta-bot @robscott