Validate ingress TLS secretName in v1 #93929
if len(name) == 0 { | ||
return nil | ||
} | ||
return apivalidation.ValidateSecretName(name, false) |
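Review bot: the bare `false` in `apivalidation.ValidateSecretName(name, false)` on the last line is not self-explanatory at the call site; a short comment naming what the boolean controls would help. The `len(name) == 0` early return also deserves a one-line comment saying that an empty secretName is intentionally accepted, so a later reader does not take it for a missed check.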
This makes sense to me, but the doc on the .secretName field is vague. It's not clear whether it must be a kube secret ref or if it can be a reference to nearly anything and we should only enforce some large length limit.
If the latter, the field doc needs to be improved to make it clear that consumers need to defend against traversal attacks.
It's definitely a kubernetes secret. A separate field to indicate a named credential managed by the ingress controller was discussed as an alternative to the requests for cluster-scoped secrets, but was not accepted.
bazel debian error
b285d9b to e008f1f
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: liggitt
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
e008f1f to f87a846
/priority critical-urgent
to resolve API issue prior to initial release
lgtm, but I'd like someone from sig-network to sign off.
/retest
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project.
Thanks!
/lgtm
What type of PR is this?
/kind bug
/kind api-change
What this PR does / why we need it:
Validates the Ingress TLS secretName field in networking.k8s.io/v1
Which issue(s) this PR fixes:
Fixes #93928
Special notes for your reviewer:
Tightens validation in v1 for new objects, and for existing objects that already pass the tightened validation. Preserves backwards compatibility for existing objects and previously released APIs.
Does this PR introduce a user-facing change?:
/cc @robscott @deads2k
/sig network
/milestone v1.19
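
The behaviour described under "Special notes for your reviewer" (strict on create, strict on update only when the stored object already passes), sketched as an added Go example that is not code from this PR or from Kubernetes. The helper names, the regular expression and the sample secret names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// DNS-1123 subdomain: the format Kubernetes requires of Secret names.
var dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// validateSecretName returns the problems with one name. Empty is allowed
// because the field is optional.
func validateSecretName(name string) []string {
	if len(name) == 0 {
		return nil
	}
	var errs []string
	if len(name) > 253 {
		errs = append(errs, "must be no more than 253 characters")
	}
	if !dns1123Subdomain.MatchString(name) {
		errs = append(errs, "must be a lowercase RFC 1123 subdomain")
	}
	return errs
}

// validateCreate applies the tightened rule to every TLS entry.
func validateCreate(names []string) []string {
	var errs []string
	for i, n := range names {
		for _, e := range validateSecretName(n) {
			errs = append(errs, fmt.Sprintf("spec.tls[%d].secretName %q: %s", i, n, e))
		}
	}
	return errs
}

// validateUpdate tightens only when the stored object already passes, so
// objects persisted before the rule existed can still be updated.
func validateUpdate(newNames, oldNames []string) []string {
	if len(validateCreate(oldNames)) > 0 {
		return nil
	}
	return validateCreate(newNames)
}

func main() {
	// Constructed sample names: one valid, one traversal-style value.
	fmt.Println(validateCreate([]string{"web-cert", "../../etc/tls"}))
}
```

An ingress controller that maps secretName to a file path or cache key still benefits from its own check, since objects stored before the rule can carry names that fail it.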