diff --git a/pkg/api/validation/validation.go b/pkg/api/validation/validation.go
index d50a20f0713..932353ceffa 100644
--- a/pkg/api/validation/validation.go
+++ b/pkg/api/validation/validation.go
@@ -1483,6 +1483,7 @@ func validateContainerPorts(ports []api.ContainerPort, fldPath *field.Path) fiel
 return allErrs
 }
+// ValidateEnv validates env vars
 func ValidateEnv(vars []api.EnvVar, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
@@ -1653,8 +1654,9 @@ func validateContainerResourceDivisor(rName string, divisor resource.Quantity, f
 func validateConfigMapKeySelector(s *api.ConfigMapKeySelector, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
- if len(s.Name) == 0 {
- allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
+ nameFn := ValidateNameFunc(ValidateSecretName)
+ for _, msg := range nameFn(s.Name, false) {
+ allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), s.Name, msg))
 }
 if len(s.Key) == 0 {
 allErrs = append(allErrs, field.Required(fldPath.Child("key"), ""))
@@ -1670,8 +1672,9 @@ func validateConfigMapKeySelector(s *api.ConfigMapKeySelector, fldPath *field.Pa
 func validateSecretKeySelector(s *api.SecretKeySelector, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
- if len(s.Name) == 0 {
- allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
+ nameFn := ValidateNameFunc(ValidateSecretName)
+ for _, msg := range nameFn(s.Name, false) {
+ allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), s.Name, msg))
 }
 if len(s.Key) == 0 {
 allErrs = append(allErrs, field.Required(fldPath.Child("key"), ""))
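Review bot: In validateConfigMapKeySelector the new name check is built from `ValidateSecretName`, although the selector refers to a ConfigMap. The package has a dedicated `ValidateConfigMapName`, so `nameFn := ValidateNameFunc(ValidateConfigMapName)` states the intent and keeps this check correct if the two naming rules ever diverge. Both presumably resolve to the same DNS-subdomain rule today, so this is a naming fix rather than a behaviour change. The function body continues outside the hunk.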
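Review bot: An empty `s.Name` is no longer reported as `field.Required` in validateSecretKeySelector, and the same applies to the validateConfigMapKeySelector hunk before it. It now goes through the name validator and presumably comes back as `field.Invalid` with a format message, while the `key` check just below still uses `field.Required`. Callers that distinguish a missing reference name from a malformed one lose that signal. Consider keeping the explicit branch and running the validator only for non-empty names: `if len(s.Name) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) } else { /* nameFn loop */ }`. Both function bodies continue outside their hunks.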
@@ -1940,6 +1943,7 @@ func validateContainers(containers []api.Container, volumes sets.String, fldPath
 allErrs = append(allErrs, validateProbe(ctr.ReadinessProbe, idxPath.Child("readinessProbe"))...)
 allErrs = append(allErrs, validateContainerPorts(ctr.Ports, idxPath.Child("ports"))...)
 allErrs = append(allErrs, ValidateEnv(ctr.Env, idxPath.Child("env"))...)
+ allErrs = append(allErrs, ValidateEnvFrom(ctr.EnvFrom, idxPath.Child("envFrom"))...)
 allErrs = append(allErrs, ValidateVolumeMounts(ctr.VolumeMounts, volumes, idxPath.Child("volumeMounts"))...)
 allErrs = append(allErrs, validatePullPolicy(ctr.ImagePullPolicy, idxPath.Child("imagePullPolicy"))...)
 allErrs = append(allErrs, ValidateResourceRequirements(&ctr.Resources, idxPath.Child("resources"))...)
diff --git a/pkg/api/validation/validation_test.go b/pkg/api/validation/validation_test.go
index 0497c9d02c9..53a53b111b1 100644
--- a/pkg/api/validation/validation_test.go
+++ b/pkg/api/validation/validation_test.go
@@ -2706,6 +2706,34 @@ func TestValidateEnv(t *testing.T) {
 }},
 expectedError: `[0].valueFrom: Invalid value: "": may not have more than one field specified at a time`,
 },
+ {
+ name: "valueFrom.secretKeyRef.name invalid",
+ envs: []api.EnvVar{{
+ Name: "abc",
+ ValueFrom: &api.EnvVarSource{
+ SecretKeyRef: &api.SecretKeySelector{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "$%^&*#",
+ },
+ Key: "a-key",
+ },
+ },
+ }},
+ },
+ {
+ name: "valueFrom.configMapKeyRef.name invalid",
+ envs: []api.EnvVar{{
+ Name: "abc",
+ ValueFrom: &api.EnvVarSource{
+ ConfigMapKeyRef: &api.ConfigMapKeySelector{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "$%^&*#",
+ },
+ Key: "some-key",
+ },
+ },
+ }},
+ },
 {
 name: "missing FieldPath on ObjectFieldSelector",
 envs: []api.EnvVar{{
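Review bot: The two cases added to TestValidateEnv (`valueFrom.secretKeyRef.name invalid` and `valueFrom.configMapKeyRef.name invalid`) set no `expectedError`, unlike the neighbouring cases and the new TestValidateEnvFrom cases. The comparison loop lies outside this hunk, so depending on how it treats an empty expectation they either assert only that some error is returned or fail outright. In the first case they would still pass if the rejection came from a different field. Pin the message, for example `expectedError: "valueFrom.secretKeyRef.name: Invalid value: \"$%^&*#\": " + dnsSubdomainLabelErrMsg,` (field path to be confirmed against ValidateEnv), so the test proves that the reference name is what gets rejected.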
@@ -2912,6 +2940,26 @@ func TestValidateEnvFrom(t *testing.T) {
 },
 expectedError: "field: Invalid value: \"\": may not have more than one field specified at a time",
 },
+ {
+ name: "invalid secret ref name",
+ envs: []api.EnvFromSource{
+ {
+ SecretRef: &api.SecretEnvSource{
+ LocalObjectReference: api.LocalObjectReference{Name: "$%^&*#"}},
+ },
+ },
+ expectedError: "field[0].secretRef.name: Invalid value: \"$%^&*#\": " + dnsSubdomainLabelErrMsg,
+ },
+ {
+ name: "invalid config ref name",
+ envs: []api.EnvFromSource{
+ {
+ ConfigMapRef: &api.ConfigMapEnvSource{
+ LocalObjectReference: api.LocalObjectReference{Name: "$%^&*#"}},
+ },
+ },
+ expectedError: "field[0].configMapRef.name: Invalid value: \"$%^&*#\": " + dnsSubdomainLabelErrMsg,
+ },
 }
 for _, tc := range errorCases {
 if errs := ValidateEnvFrom(tc.envs, field.NewPath("field")); len(errs) == 0 {
@@ -3223,6 +3271,21 @@ func TestValidateContainers(t *testing.T) {
 ImagePullPolicy: "IfNotPresent",
 TerminationMessagePolicy: "File",
 },
+ {
+ Name: "env-from-source",
+ Image: "image",
+ ImagePullPolicy: "IfNotPresent",
+ TerminationMessagePolicy: "File",
+ EnvFrom: []api.EnvFromSource{
+ {
+ ConfigMapRef: &api.ConfigMapEnvSource{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "test",
+ },
+ },
+ },
+ },
+ },
 {Name: "abc-1234", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File", SecurityContext: fakeValidSecurityContext(true)},
 }
 if errs := validateContainers(successCase, volumes, field.NewPath("field")); len(errs) != 0 {
@@ -3452,6 +3515,23 @@ func TestValidateContainers(t *testing.T) {
 TerminationMessagePolicy: "File",
 },
 },
+ "Invalid env from": {
+ {
+ Name: "env-from-source",
+ Image: "image",
+ ImagePullPolicy: "IfNotPresent",
+ TerminationMessagePolicy: "File",
+ EnvFrom: []api.EnvFromSource{
+ {
+ ConfigMapRef: &api.ConfigMapEnvSource{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "$%^&*#",
+ },
+ },
+ },
+ },
+ },
+ },
 }
 for k, v := range errorCases {
 if errs := validateContainers(v, volumes, field.NewPath("field")); len(errs) == 0 {