Seccomp annotations name format need redefine #26610

Closed
mdshuai opened this issue Jun 1, 2016 · 5 comments
mdshuai commented Jun 1, 2016

Currently, pod annotation validation allows no more than one slash, but the seccomp annotation format has more than one slash, like: `security.alpha.kubernetes.io/seccomp/container/`
https://github.com/kubernetes/kubernetes/blob/master/docs/design/seccomp.md#api-changes

When creating a pod with seccomp annotations, it fails with an error.

```
$ kubectl create -f pod-seccomp.yaml
The Pod "pod-seccomp" is invalid.
metadata.annotations: Invalid value: "security.alpha.kubernetes.io/seccomp/pod": must be a qualified name (at most 63 characters, matching regex ([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]), with an optional DNS subdomain prefix (at most 253 characters, matching regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*) and slash (/): e.g. "MyName" or "example.com/MyName"
```

This is caused by name validation (more than one slash).
https://github.com/kubernetes/kubernetes/blob/master/pkg/api/validation/validation.go#L92
https://github.com/kubernetes/kubernetes/blob/master/pkg/util/validation/validation.go#L38
Related: #25324

mdshuai commented Jun 1, 2016

@ncdc @pmorie @jfrazelle

sttts commented Jun 1, 2016

It's not only the slash which might lead to conflicts, but also the length. The container name field is a DNS_LABEL (https://github.com/kubernetes/kubernetes/blob/master/pkg/api/types.go#L40) with up to 63 characters. The same limit applies to the string to the right of the `/` in the annotation key.

Moving everything other than the container name to the left of the / should help.

ncdc commented Jun 1, 2016

@sttts @pmorie who wants to fix this? 😄

sttts commented Jun 1, 2016

I can do that tomorrow (if @pmorie doesn't insist on doing it himself before ;) )

jessfraz commented Jun 1, 2016

ah good catch

@ncdc ncdc added this to the v1.3 milestone Jun 3, 2016
k8s-github-robot pushed a commit that referenced this issue Jun 11, 2016
Automatic merge from submit-queue

Move /seccomp/ into domain prefix in seccomp annotations

Fixes #26610.

/cc @mdshuai @ncdc @jfrazelle
xingzhou pushed a commit to xingzhou/kubernetes that referenced this issue Dec 15, 2016
…tations

Automatic merge from submit-queue

Move /seccomp/ into domain prefix in seccomp annotations

Fixes kubernetes#26610.

/cc @mdshuai @ncdc @jfrazelle
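
An added example (not the Kubernetes project's code) that re-implements the key rule quoted in the error message above, to show why the reported key is rejected, why the 63-character limit raised in the thread matters, and why moving `seccomp` into the prefix passes. The function name `checkAnnotationKey`, the `seccomp-container-` key and the two prefix-style keys are assumptions for illustration; the regexes and limits are the ones in the error message.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns and limits as quoted in the kubectl error message.
var (
	qualifiedNameRe = regexp.MustCompile(`^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$`)
	dnsSubdomainRe  = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
)

const maxNameLen, maxPrefixLen = 63, 253

// checkAnnotationKey (hypothetical helper) returns why a key is rejected; empty means valid.
func checkAnnotationKey(key string) []string {
	var errs []string
	parts := strings.Split(key, "/")
	if len(parts) > 2 {
		return []string{"more than one slash"}
	}
	if len(parts) == 2 {
		if p := parts[0]; len(p) == 0 || len(p) > maxPrefixLen || !dnsSubdomainRe.MatchString(p) {
			errs = append(errs, "prefix is not a DNS subdomain of at most 253 characters")
		}
	}
	name := parts[len(parts)-1]
	if len(name) > maxNameLen {
		errs = append(errs, "name part longer than 63 characters")
	}
	if !qualifiedNameRe.MatchString(name) {
		errs = append(errs, "name part does not match the qualified-name regex")
	}
	return errs
}

func main() {
	longName := strings.Repeat("a", 63) // constructed: longest legal container name
	for _, k := range []string{
		"security.alpha.kubernetes.io/seccomp/pod",                    // key from the report
		"security.alpha.kubernetes.io/seccomp-container-" + longName,  // hypothetical: one slash, name too long
		"seccomp.security.alpha.kubernetes.io/pod",                    // assumed shape after the fix
		"container.seccomp.security.alpha.kubernetes.io/" + longName,  // assumed shape after the fix
	} {
		fmt.Printf("%s: %v\n", k, checkAnnotationKey(k))
	}
}
```

With everything except the container name moved into the prefix, a container name of the full 63 characters still fits in the name part.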