Validate namespace parameter as DNS subdomain name #602

Merged
merged 1 commit into from
Dec 13, 2022


deric
Collaborator

@deric deric commented Dec 12, 2022

Namespace naming should conform to DNS subdomain name as defined in RFC 1035 and RFC 1123:

  • contain at most 63 characters
  • contain only lowercase alphanumeric characters or '-'
  • start with an alphanumeric character
  • end with an alphanumeric character

When enforcing such a policy, code injection should not be possible (no need to escape the namespace name).
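
The four rules listed above, written as a Ruby check. This is an added example, not code from the pull request or the module; `valid_namespace?`, `namespace_error`, the two pattern constants and the sample inputs are constructed for illustration. It also shows an anchoring pitfall that matters for this kind of allow-list: in Ruby regular expressions `^` and `$` match at line boundaries, so only `\A` and `\z` guarantee that the whole value was checked.

```ruby
# Added example, not code from the pull request or the module.
# Names and sample inputs below are constructed for illustration.

# \A and \z anchor to the whole string. Ruby's ^ and $ match at every line
# boundary, so the ^...$ form accepts "default\n<anything>".
STRICT_LABEL  = /\A[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?\z/
LINE_ANCHORED = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/ # weak form, for comparison

def valid_namespace?(name)
  name.is_a?(String) && STRICT_LABEL.match?(name)
end

# Returns the first rule a name breaks, or nil when the name is acceptable.
def namespace_error(name)
  return 'not a string' unless name.is_a?(String)
  return 'empty' if name.empty?
  return 'longer than 63 characters' if name.length > 63
  return "only lowercase alphanumerics and '-' are allowed" unless name.match?(/\A[-a-z0-9]+\z/)
  return 'must start with an alphanumeric character' if name.start_with?('-')
  return 'must end with an alphanumeric character' if name.end_with?('-')
  nil
end

# Constructed inputs: valid names, each rule broken once, and two strings
# carrying shell metacharacters.
SAMPLES = [
  'kube-system', 'a' * 63, 'a' * 64, 'Default', '-lead', 'trail-',
  'team_a', 'default; echo injected', "default\n; echo injected"
].freeze

def check_samples
  SAMPLES.map { |s| [s, namespace_error(s)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  check_samples.each do |name, err|
    puts format('%-28s %s', name[0, 24].inspect, err || 'ok')
  end
  multiline = SAMPLES.last
  puts "line-anchored accepts multi-line input: #{LINE_ANCHORED.match?(multiline)}"
  puts "strict pattern accepts multi-line input: #{STRICT_LABEL.match?(multiline)}"
end
```
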

@deric deric requested a review from a team as a code owner December 12, 2022 16:49
@puppet-community-rangefinder

kubernetes::wait_for_default_sa is a type that may have no external impact to Forge modules.

This module is declared in 0 of 580 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@chelnak
Contributor

chelnak commented Dec 13, 2022

Morning! This looks great. Two things though.

  1. Looks like we have a conflict
  2. I notice you link to a SO post and mention an RFC. I wonder if we could also include a link to some official documentation or maybe even the code that enforces the naming policy on the K8s side (appreciate the latter is probably not possible).

@deric deric force-pushed the namespace branch 2 times, most recently from 4613a4e to 0cb2141 Compare December 13, 2022 10:26
Namespace naming should conform to DNS subdomain name as defined in RFC 1123
https://tools.ietf.org/html/rfc1123

When enforcing such a policy, code injection should not be possible (no
need to escape the namespace name).
@deric
Collaborator Author

deric commented Dec 13, 2022

@chelnak Thanks, I've added links to the documentation; here's the k8s source code for label validation. The code has been moved to a separate repo, but I wouldn't expect major changes in this area.

The go regexp looks like this:

([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]

@chelnak
Contributor

chelnak commented Dec 13, 2022

Fantastic @deric - specs are green... we know that the integration tests are dead, so let's get this merged.

@chelnak chelnak self-assigned this Dec 13, 2022
@chelnak chelnak merged commit c0857cd into puppetlabs:main Dec 13, 2022