mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 11:21:47 +00:00
csi: validate the secretnames in the CSI spec against NameIsDNSSubdomain
At present the CSI spec secret name validation for ControllerPublish, ControllerExpand, NodePublish secrets are performed against ValidateDNS1123Label() and it causes the secret name validation inside the CSI spec to go wrong if the secret name is more than 63 chars. Kubernetes allow the secret object name to be on `DNS SubDomainName` and having a secret name length between 0-253 is correct/valid. So the CSI spec validation also has to be performed accordingly. This commit address this issue in validation for above mentioned funcs. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
This commit is contained in:
Humble Chirammal
parent
15f111f78f
commit
5c92e4b816
@ -1532,13 +1532,16 @@ func validateStorageOSPersistentVolumeSource(storageos *core.StorageOSPersistent
|
||||
|
||||
// validatePVSecretReference check whether provided SecretReference object is valid in terms of secret name and namespace.
|
||||
|
||||
func validatePVSecretReference(secretRef *core.SecretReference, fldPath *field.Path) field.ErrorList {
|
||||
func validatePVSecretReference(secretRef *core.SecretReference, allowDNSSubDomainSecretName bool, fldPath *field.Path) field.ErrorList {
|
||||
var allErrs field.ErrorList
|
||||
if len(secretRef.Name) == 0 {
|
||||
allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
|
||||
} else if allowDNSSubDomainSecretName {
|
||||
allErrs = append(allErrs, ValidateDNS1123Subdomain(secretRef.Name, fldPath.Child("name"))...)
|
||||
} else {
|
||||
allErrs = append(allErrs, ValidateDNS1123Label(secretRef.Name, fldPath.Child("name"))...)
|
||||
}
|
||||
|
||||
if len(secretRef.Namespace) == 0 {
|
||||
allErrs = append(allErrs, field.Required(fldPath.Child("namespace"), ""))
|
||||
} else {
|
||||
@ -1565,7 +1568,7 @@ func ValidateCSIDriverName(driverName string, fldPath *field.Path) field.ErrorLi
|
||||
return allErrs
|
||||
}
|
||||
|
||||
func validateCSIPersistentVolumeSource(csi *core.CSIPersistentVolumeSource, fldPath *field.Path) field.ErrorList {
|
||||
func validateCSIPersistentVolumeSource(csi *core.CSIPersistentVolumeSource, allowDNSSubDomainSecretName bool, fldPath *field.Path) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
|
||||
allErrs = append(allErrs, ValidateCSIDriverName(csi.Driver, fldPath.Child("driver"))...)
|
||||
@ -1574,16 +1577,16 @@ func validateCSIPersistentVolumeSource(csi *core.CSIPersistentVolumeSource, fldP
|
||||
allErrs = append(allErrs, field.Required(fldPath.Child("volumeHandle"), ""))
|
||||
}
|
||||
if csi.ControllerPublishSecretRef != nil {
|
||||
allErrs = append(allErrs, validatePVSecretReference(csi.ControllerPublishSecretRef, fldPath.Child("controllerPublishSecretRef"))...)
|
||||
allErrs = append(allErrs, validatePVSecretReference(csi.ControllerPublishSecretRef, allowDNSSubDomainSecretName, fldPath.Child("controllerPublishSecretRef"))...)
|
||||
}
|
||||
if csi.ControllerExpandSecretRef != nil {
|
||||
allErrs = append(allErrs, validatePVSecretReference(csi.ControllerExpandSecretRef, fldPath.Child("controllerExpandSecretRef"))...)
|
||||
allErrs = append(allErrs, validatePVSecretReference(csi.ControllerExpandSecretRef, allowDNSSubDomainSecretName, fldPath.Child("controllerExpandSecretRef"))...)
|
||||
}
|
||||
if csi.NodePublishSecretRef != nil {
|
||||
allErrs = append(allErrs, validatePVSecretReference(csi.NodePublishSecretRef, fldPath.Child("nodePublishSecretRef"))...)
|
||||
allErrs = append(allErrs, validatePVSecretReference(csi.NodePublishSecretRef, allowDNSSubDomainSecretName, fldPath.Child("nodePublishSecretRef"))...)
|
||||
}
|
||||
if csi.NodeExpandSecretRef != nil {
|
||||
allErrs = append(allErrs, validatePVSecretReference(csi.NodeExpandSecretRef, fldPath.Child("nodeExpandSecretRef"))...)
|
||||
allErrs = append(allErrs, validatePVSecretReference(csi.NodeExpandSecretRef, allowDNSSubDomainSecretName, fldPath.Child("nodeExpandSecretRef"))...)
|
||||
}
|
||||
return allErrs
|
||||
}
|
||||
@ -1645,6 +1648,8 @@ var allowedPVCTemplateObjectMetaFields = map[string]bool{
|
||||
type PersistentVolumeSpecValidationOptions struct {
|
||||
// Allow spec to contain the "ReadWiteOncePod" access mode
|
||||
AllowReadWriteOncePod bool
|
||||
// Allow the secretRef Name field to be of DNSSubDomain Format
|
||||
AllowDNSSubDomainSecretName bool
|
||||
}
|
||||
|
||||
// ValidatePersistentVolumeName checks that a name is appropriate for a
|
||||
@ -1659,7 +1664,8 @@ var supportedVolumeModes = sets.NewString(string(core.PersistentVolumeBlock), st
|
||||
|
||||
func ValidationOptionsForPersistentVolume(pv, oldPv *core.PersistentVolume) PersistentVolumeSpecValidationOptions {
|
||||
opts := PersistentVolumeSpecValidationOptions{
|
||||
AllowReadWriteOncePod: utilfeature.DefaultFeatureGate.Enabled(features.ReadWriteOncePod),
|
||||
AllowReadWriteOncePod: utilfeature.DefaultFeatureGate.Enabled(features.ReadWriteOncePod),
|
||||
AllowDNSSubDomainSecretName: false,
|
||||
}
|
||||
if oldPv == nil {
|
||||
// If there's no old PV, use the options based solely on feature enablement
|
||||
@ -1669,9 +1675,21 @@ func ValidationOptionsForPersistentVolume(pv, oldPv *core.PersistentVolume) Pers
|
||||
// If the old object allowed "ReadWriteOncePod", continue to allow it in the new object
|
||||
opts.AllowReadWriteOncePod = true
|
||||
}
|
||||
if oldCSI := oldPv.Spec.CSI; oldCSI != nil {
|
||||
opts.AllowDNSSubDomainSecretName =
|
||||
secretRefRequiresSubdomainSecretName(oldCSI.ControllerExpandSecretRef) ||
|
||||
secretRefRequiresSubdomainSecretName(oldCSI.ControllerPublishSecretRef) ||
|
||||
secretRefRequiresSubdomainSecretName(oldCSI.NodeStageSecretRef) ||
|
||||
secretRefRequiresSubdomainSecretName(oldCSI.NodePublishSecretRef)
|
||||
}
|
||||
return opts
|
||||
}
|
||||
|
||||
func secretRefRequiresSubdomainSecretName(secretRef *core.SecretReference) bool {
|
||||
// ref and name were specified and name didn't fit within label validation
|
||||
return secretRef != nil && len(secretRef.Name) > 0 && len(validation.IsDNS1123Label(secretRef.Name)) > 0
|
||||
}
|
||||
|
||||
func ValidatePersistentVolumeSpec(pvSpec *core.PersistentVolumeSpec, pvName string, validateInlinePersistentVolumeSpec bool, fldPath *field.Path, opts PersistentVolumeSpecValidationOptions) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
|
||||
@ -1926,7 +1944,7 @@ func ValidatePersistentVolumeSpec(pvSpec *core.PersistentVolumeSpec, pvName stri
|
||||
allErrs = append(allErrs, field.Forbidden(fldPath.Child("csi"), "may not specify more than 1 volume type"))
|
||||
} else {
|
||||
numVolumes++
|
||||
allErrs = append(allErrs, validateCSIPersistentVolumeSource(pvSpec.CSI, fldPath.Child("csi"))...)
|
||||
allErrs = append(allErrs, validateCSIPersistentVolumeSource(pvSpec.CSI, opts.AllowDNSSubDomainSecretName, fldPath.Child("csi"))...)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user