genpolicy: fix svc_name regex #11314
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The service name is specified as RFC 1035 lable name [1]. The svc_name regex in the genpolicy settings is applied to the downward API env variables created based on the service name. So it tries to match RFC 1035 labels after they are transformed to downward API variable names [2]. So the set of lower case alphanumerics and dashes is transformed to upper case alphanumerics and underscores. The previous regex wronly permitted use of numbers, but did allow dot and dash, which shouldn't be allowed (dot not because they aren't conform with RFC 1035, dash not because it is transformed to underscore). We have to take care not to also try to use the regex in places where we actually want to check for RFC 1035 label instead of the downward API transformed version of it. Further, we should consider using a format like JSON5/JSONC for the policy settings, as these are far from trivial and would highly benefit from proper documentation through comments. [1]: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service [2]: https://github.com/kubernetes/kubernetes/blob/b2dfba4151b859c31a27fe31f8703f9b2b758270/pkg/kubelet/envvars/envvars.go#L29-L70 Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Just to be more explicit what this matches. Signed-off-by: Paul Meyer <katexochen0@gmail.com>
b30a5e9 to
8de8b81
Compare
burgerdev
approved these changes
May 27, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The service name is specified as RFC 1035 lable name. The svc_name regex in the genpolicy settings is applied to the downward API env variables created based on the service name. So it tries to match RFC 1035 labels after they are transformed to downward API variable names. So the set of lower case alphanumerics and dashes is transformed to upper case alphanumerics and underscores. The previous regex wronly permitted use of numbers, but did allow dot and dash, which shouldn't be allowed (dot not because they aren't conform with RFC 1035, dash not because it is transformed to underscore).
We have to take care not to also try to use the regex in places where we actually want to check for RFC 1035 label instead of the downward API transformed version of it.
Further, we should consider using a format like JSON5/JSONC for the policy settings, as these are far from trivial and would highly benefit from proper documentation through comments.