KEP-4427 : AllowRelaxedDNSSearchValidation #127167
Conversation
k8s-ci-robot
added
release-note
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-ok-to-test
|
Hi @adrianmoisey. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
area/test
kind/api-change
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
thockin
added
the
sig/network
|
/ok-to-test I'm happy to sponsor you if you want, so you just need to get a sponsor that is not from Google |
k8s-ci-robot
added
ok-to-test
|
@adrianmoisey can you add an e2e test , you can duplicate one of those kubernetes/test/e2e/network/dns.go Lines 563 to 601 in 0e4cf67 |
pkg/api/pod/util.go
Outdated
| @@ -386,11 +386,13 @@ func GetValidationOptionsFromPodSpecAndMeta(podSpec, oldPodSpec *api.PodSpec, po | |||
| AllowNamespacedSysctlsForHostNetAndHostIPC: false, | |||
| AllowNonLocalProjectedTokenPath: false, | |||
| AllowImageVolumeSource: utilfeature.DefaultFeatureGate.Enabled(features.ImageVolume), | |||
| AllowRelaxedDNSSearchValidation: utilfeature.DefaultFeatureGate.Enabled(features.RelaxedDNSSearchValidation), | |||
There was a problem hiding this comment.
kind of a nit, but why set this if you just override it below?
There was a problem hiding this comment.
Whoops, good catch, thanks.
Fixed in 1290574
| dnsConfig *core.PodDNSConfig | ||
| }{ | ||
| { | ||
| name: "beings with underscore, contains underscore, featuregate enabled", |
There was a problem hiding this comment.
Yup, thanks!
Fixed in 1b7aa45
| dnsConfig: &core.PodDNSConfig{Searches: []string{"."}}, | ||
| }, | ||
| { | ||
| name: "beings with underscore, contains underscore, featuregate disabled", |
thockin
added
the
tide/merge-method-squash
|
Thanks! /lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: ac624577e3d42e5a51c86056989e07597928961d
|
adrianmoisey
force-pushed
the
KEP-4427-relaxed-dns-search
branch
2 times, most recently
from
7236d2e to
e31cc2e
Compare
|
/test pull-kubernetes-node-e2e-containerd |
|
@adrianmoisey we have to modify the nftables job to not pick your change, lgtm kubernetes/test-infra#33440 and once it merges retest and report back |
|
/test pull-kubernetes-e2e-kind-nftables |
| // Owner: sig-network | ||
| // Marks tests of KEP-4427 that require the `RelaxedDNSSearchValidation` feature gate | ||
| RelaxedDNSSearchValidation = framework.WithFeature(framework.ValidFeatures.Add("RelaxedDNSSearchValidation")) | ||
|
|
There was a problem hiding this comment.
this was my mistake, we don't need this here, Feature means you need something special on the cluster to use this fcuntionality, per example, IPv6DualStack needs to configure the cluster in a specific way, or Loadbalancer means you need to have a cluster that implements load balancer
There was a problem hiding this comment.
clarified in another PR by Patrick Ohly, we need this meanwhile we don't fully migrate to labels
test/e2e/network/dns.go
Outdated
| @@ -597,7 +598,38 @@ var _ = common.SIGDescribe("DNS", func() { | |||
| } | |||
| validateDNSResults(ctx, f, pod, append(wheezyFileNames, jessieFileNames...)) | |||
| }) | |||
| }) | |||
|
|
|||
| var _ = common.SIGDescribe("DNS", feature.RelaxedDNSSearchValidation, func() { | |||
There was a problem hiding this comment.
| var _ = common.SIGDescribe("DNS", feature.RelaxedDNSSearchValidation, func() { | |
| var _ = common.SIGDescribe("DNS", framework.WithFeatureGate(features.RelaxedDNSSearchValidation), func() { |
|
@adrianmoisey the e2e error will be fixed by #126977 |
test/e2e/network/dns.go
Outdated
| @@ -597,7 +599,38 @@ var _ = common.SIGDescribe("DNS", func() { | |||
| } | |||
| validateDNSResults(ctx, f, pod, append(wheezyFileNames, jessieFileNames...)) | |||
| }) | |||
| }) | |||
|
|
|||
| var _ = common.SIGDescribe(feature.RelaxedDNSSearchValidation, framework.WithFeatureGate(features.RelaxedDNSSearchValidation), func() { | |||
There was a problem hiding this comment.
we can try to add a TODO and try to label directly
| var _ = common.SIGDescribe(feature.RelaxedDNSSearchValidation, framework.WithFeatureGate(features.RelaxedDNSSearchValidation), func() { | |
| // TODO replace WithLabel by framework.WithFeatureGate(features.RelaxedDNSSearchValidation) once https://github.com/kubernetes/kubernetes/pull/126977 is solved | |
| var _ = common.SIGDescribe(feature.RelaxedDNSSearchValidation, framework.WithLabel("Feature:Alpha"), func() { |
|
/retest |
|
@adrianmoisey squash for final review, that job failing is not required and besides that, it is independent of this PR content |
adrianmoisey
force-pushed
the
KEP-4427-relaxed-dns-search
branch
from
edd5168 to
014f07c
Compare
| @@ -24193,6 +24193,64 @@ func TestValidateSleepAction(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| // TODO: merge these test to TestValidatePodSpec after AllowRelaxedDNSSearchValidation feature graduates to Beta | |||
| func TestValidatePodDNSConfigWithRelaxedSearchDomain(t *testing.T) { | |||
There was a problem hiding this comment.
@thockin @adrianmoisey I'm worried about this combinations of underscore and dots
can we extend the coverage here?
diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go
index d3ed0288685..d1fdf4e2eba 100644
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -24219,6 +24219,42 @@ func TestValidatePodDNSConfigWithRelaxedSearchDomain(t *testing.T) {
featureEnabled: true,
dnsConfig: &core.PodDNSConfig{Searches: []string{"."}},
},
+ {
+ name: "two dots, featuregate enabled",
+ expectError: true,
+ featureEnabled: true,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{".."}},
+ },
+ {
+ name: "underscore and dot, featuregate enabled",
+ expectError: true,
+ featureEnabled: true,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{"_."}},
+ },
+ {
+ name: "two underscore and dot, featuregate enabled",
+ expectError: true,
+ featureEnabled: true,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{"__."}},
+ },
+ {
+ name: "dot and two underscore, featuregate enabled",
+ expectError: true,
+ featureEnabled: true,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{".__"}},
+ },
+ {
+ name: "dot and underscore, featuregate enabled",
+ expectError: true,
+ featureEnabled: true,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{"._"}},
+ },
+ {
+ name: "lot of underscores, featuregate enabled",
+ expectError: true,
+ featureEnabled: true,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{"____________"}},
+ },
{
name: "begins with underscore, contains underscore, featuregate disabled",
expectError: true,
@@ -24237,6 +24273,42 @@ func TestValidatePodDNSConfigWithRelaxedSearchDomain(t *testing.T) {
featureEnabled: false,
dnsConfig: &core.PodDNSConfig{Searches: []string{"."}},
},
+ {
+ name: "two dots, featuregate disabled",
+ expectError: true,
+ featureEnabled: false,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{".."}},
+ },
+ {
+ name: "underscore and dot, featuregate disabled",
+ expectError: true,
+ featureEnabled: false,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{"_."}},
+ },
+ {
+ name: "dot and underscore, featuregate disabled",
+ expectError: true,
+ featureEnabled: false,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{"._"}},
+ },
+ {
+ name: "lot of underscores, featuregate disabled",
+ expectError: true,
+ featureEnabled: false,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{"____________"}},
+ },
+ {
+ name: "two underscore and dot, featuregate disabled",
+ expectError: true,
+ featureEnabled: false,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{"__."}},
+ },
+ {
+ name: "dot and two underscore, featuregate dsiable",
+ expectError: true,
+ featureEnabled: false,
+ dnsConfig: &core.PodDNSConfig{Searches: []string{".__"}},
+ },
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {and validate those testcases that fail are legit or no?
go test -timeout 30s -run ^TestValidatePodDNSConfigWithRelaxedSearchDomain$ k8s.io/kubernetes/pkg/apis/core/validation
--- FAIL: TestValidatePodDNSConfigWithRelaxedSearchDomain (0.00s)
--- FAIL: TestValidatePodDNSConfigWithRelaxedSearchDomain/underscore_and_dot,_featuregate_enabled (0.00s)
validation_test.go:24317: Unexpected success
FAIL
FAIL k8s.io/kubernetes/pkg/apis/core/validation 0.244s
FAIL
There was a problem hiding this comment.
.. should fail, I think - can't start with a dot unless the whole token is "."
_. should fail, I think - RFC952 and RFC1035 say it must start with alphabetic, RFC1123 allows that to be a letter or digit, RFC2782 allows an underscore to be prepended to the service and proto fields, which cannot be empty (RFC2052). We are choosing to allow '_' anywhere we would allow '-', and we do not allow a leading hyphen, so we must have at least one alphanumeric. Does that analysis make sense?
._ should fail for the same reason as .. -- we do not allow leading dots (BTW, your "dot and underscore" case is broken, it says "_."
There was a problem hiding this comment.
_.should fail, I think - RFC952 and RFC1035 say it must start with alphabetic, RFC1123 allows that to be a letter or digit, RFC2782 allows an underscore to be prepended to the service and proto fields, which cannot be empty (RFC2052). We are choosing to allow '_' anywhere we would allow '-', and we do not allow a leading hyphen, so we must have at least one alphanumeric. Does that analysis make sense?
Just to be clear:
_. should not be allowed
_tcp.exampe.com should be allowed
That right?
🍿 looking for the regex 😄
🥳
There was a problem hiding this comment.
const dns1123LabelFmtWithUnderscore string = "[_a-z0-9]([-_a-z0-9]*[a-z0-9])?"
That looks like it will allow _ which is wrong. https://go.dev/play/p/S0rjL6SGJrO
`_?[a-z0-9]([-_a-z0-9]*[a-z0-9])?`
That seems more correct?
There was a problem hiding this comment.
More test cases added in 1c2f8b8 (thanks Antonio)
Regex updated in the same commit (thanks Tim)
I'm happy to add more test cases if needed.
Also update Regex to match the case we want. Thanks Tim and Antonio!
|
@adrianmoisey: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm @adrianmoisey we (most probable me) broke the pull-kubernetes-e2e-gce-network-policies with the new label, but we don't need to wait for it to merge this, do you mind sending a PR for fixing that job, most probable something related to bash expansion or quotes or likes
|
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 17d26d63e000c0bc3622edd55fd0e45ac506ad14
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adrianmoisey, aojea, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* KEP-4427 : AllowRelaxedDNSSearchValidation * Add e2e test with feature gate to test KEP-4427 RelaxedDNSSearchValidation * Add more validatePodDNSConfig test cases Also update Regex to match the case we want. Thanks Tim and Antonio!
What type of PR is this?
/kind feature
What this PR does / why we need it:
Relates to https://kep.k8s.io/4427
Adds relaxed DNS search string validation behind an alpha feature flag.
Which issue(s) this PR fixes:
Fixes # N/A (I think)
Special notes for your reviewer:
staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go, any suggestions will be welcome.Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: