From cafbfbea9a1014268d8ee40bed3a251a7add9491 Mon Sep 17 00:00:00 2001
From: Claudiu Belu
Date: Wed, 28 Aug 2019 10:00:18 -0700
Subject: [PATCH] api: Loosens RunAsUserName validation

Currently, the character limit for the usernames set in the RunAsUserName is 20, which is too low, considering that "ContainerAdministrator" is a valid username and it is longer than 20 characters. A user should be able to run containers as Administrator, if needed.

According to [1], Logon names can be up to 104 characters. The previous limit only applies to local user accounts for the local system.

[1] https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb726984(v=technet.10)
---
 pkg/apis/core/validation/validation.go | 8 ++++----
 pkg/apis/core/validation/validation_test.go | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
index f609b0980b4..00135d10bd5 100644
--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@@ -5518,12 +5518,12 @@ func ValidateSecurityContext(sc *core.SecurityContext, fldPath *field.Path) fiel
 // is the max character length for the USER itself. Both the DOMAIN and USER have their
 // own restrictions, and more information about them can be found here:
 // https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
-// https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1
+// https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb726984(v=technet.10)
 const (
 	maxGMSACredentialSpecLengthInKiB = 64
 	maxGMSACredentialSpecLength = maxGMSACredentialSpecLengthInKiB * 1024
 	maxRunAsUserNameDomainLength = 256
-	maxRunAsUserNameUserLength = 21
+	maxRunAsUserNameUserLength = 104
 )
 
 var (
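Review bot: The rewritten comment above the const block only swaps the link; it no longer records that local user accounts are still limited to 20 characters, which the commit message gives as the reason 104 is acceptable here, so the next reader of `maxRunAsUserNameUserLength = 104` cannot tell whether the old 21 was a bug or a deliberately tighter bound. I would add after the new link line: `// Local user accounts are further limited to 20 characters by Windows itself; that limit is enforced at container start, not by API validation, so that names such as "ContainerAdministrator" are not rejected here.` Loosening the length alone does not weaken what reaches the runtime as long as the separate character checks on the name (the test table references a spaces/periods rule) are unchanged, which appears to be the case but is outside this hunk. The comment's first sentence begins before this hunk and the `var (` block at its end continues after it.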
@@ -5604,8 +5604,8 @@ func validateWindowsSecurityContextOptions(windowsOptions *core.WindowsSecurityC
 	if l := len(user); l == 0 {
 		errMsg := fmt.Sprintf("runAsUserName's User cannot be empty")
 		allErrs = append(allErrs, field.Invalid(fieldPath.Child("runAsUserName"), windowsOptions.RunAsUserName, errMsg))
-	} else if l >= maxRunAsUserNameUserLength {
-		errMsg := fmt.Sprintf("runAsUserName's User length must be under %d characters", maxRunAsUserNameUserLength)
+	} else if l > maxRunAsUserNameUserLength {
+		errMsg := fmt.Sprintf("runAsUserName's User length must not be longer than %d characters", maxRunAsUserNameUserLength)
 		allErrs = append(allErrs, field.Invalid(fieldPath.Child("runAsUserName"), windowsOptions.RunAsUserName, errMsg))
 	}
diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go
index fd10c767e4d..da385344d41 100644
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -14204,9 +14204,9 @@ func TestValidateWindowsSecurityContextOptions(t *testing.T) {
 		{
 			testName: "RunAsUserName's User is too long",
 			windowsOptions: &core.WindowsSecurityContextOptions{
-				RunAsUserName: toPtr(strings.Repeat("a", maxRunAsUserNameUserLength)),
+				RunAsUserName: toPtr(strings.Repeat("a", maxRunAsUserNameUserLength+1)),
 			},
-			expectedErrorSubstring: "runAsUserName's User length must be under",
+			expectedErrorSubstring: "runAsUserName's User length must not be longer than",
 		},
 		{
 			testName: "RunAsUserName's User cannot contain only spaces or periods",
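Review bot: `l` comes from `len(user)`, so the new `l > maxRunAsUserNameUserLength` compares bytes while the new message promises "104 characters"; a name containing non-ASCII runes is rejected before it reaches 104 characters. That is the safe direction (nothing longer than the documented limit is ever accepted), but the message misstates the rule; counting with `utf8.RuneCountInString(user)` in the `if` initializer would make check and message agree, at the cost of adding `unicode/utf8` to the file's imports, which are not visible here. If byte length is intended as the conservative bound, say so on the `else if`: `// len() counts bytes, so non-ASCII names hit the limit sooner; that errs on the strict side.` The enclosing validateWindowsSecurityContextOptions starts before this hunk and continues after it.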
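Review bot: The table entry only moves the negative case to `maxRunAsUserNameUserLength+1`; nothing in this hunk pins the new boundary from the accepting side, so a later regression to `>=` or to the old 21 would still pass the "too long" case. If the valid-input cases elsewhere in TestValidateWindowsSecurityContextOptions do not already cover it, add an entry with `RunAsUserName: toPtr(strings.Repeat("a", maxRunAsUserNameUserLength))` expecting no error, and one with `toPtr("ContainerAdministrator")`, the name the commit message cites as the motivation for the change. The test table starts before this hunk and continues past it.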