-
Notifications
You must be signed in to change notification settings - Fork 491
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Completing CEL validation for Gateway #2246
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robscott The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
apis/v1beta1/gateway_types.go
Outdated
@@ -537,6 +537,7 @@ type RouteGroupKind struct { | |||
// GatewayAddress describes an address that can be bound to a Gateway. | |||
// | |||
// +kubebuilder:validation:XValidation:message="Hostname value must only contain valid characters (matching ^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)",rule="self.type == 'Hostname' ? self.value.matches('^(\\\\*\\\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'): true" | |||
// +kubebuilder:validation:XValidation:message="IPAddress value must only contain valid characters",rule="self.type == 'IPAddress' ? self.value.matches('((^\\\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\\\s*$)|(^\\\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:)))(%.+)?\\\\s*$))'): true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With all the escaping this gets to be pretty hard to parse - here's the original: https://regex101.com/r/Kzijkp/1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The escaping is making me wonder if we should hang out with the kubebuilder group a bit and see about options to get these rules from other files and locations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@robscott thanks for the link, without the escaping it is super easy to understand!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Less sarcastic: can we use https://github.com/kubernetes/kubernetes/pull/85381/files? Seems we already use it in some other places (date-time
- interestingly, the link I sent says it should be datetime
.
Actually that may be tricky since we need this conditional... maybe there is some way to get these into the CEL... I can't help but think there must be a better way to do this (or if not, there should be)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Checked in with @jpbetz and sadly we're stuck with a regex for now. The good news is that this will get better with KEP 3937. Unfortunately in the best case this will be enabled by default in 1.31+, and with our 5 minor version support window, we'd need to wait for 1.36, or >2 years from now for this to be available.
The closest thing we have available now is isURL("https://" + ip + "/")
which uses https://github.com/kubernetes/kubernetes/blob/97c7dbcd227ec253bb277a91575706fe30f519dc/staging/src/k8s.io/apiserver/pkg/cel/library/urls.go#L234, but of course that would still be too permissive for what we need here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops sorry I didn't see I was tagged earlier. Yeah i think Joe's suggestion would be fine, though having
type:
not:
enum: ["IPAddress"]
makes it look like any other value can be accepted if it doesn't fit the enum? If the fallback is string, why not keep that in the oneOf?
oneOf:
- properties:
type:
enum: ["IPAddress"]
value:
anyOf:
- format: ipv4
- format: ipv6
- properties:
type:
type: string
value:
type: string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Eliminating the "not: enum: ..." part SGTM since the fallback is that you can have any value. Thanks @Jefftree
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Jefftree @jpbetz I think I'm misunderstanding the suggestion. It seems like that would be interpreted as
One Of:
A) type == IPAddress && (format == ipv4 || format == ipv6)
OR
B) type == any string && value == any string
Wouldn't that allow any value to pass through validation via B), including type==IPAddress?
What we really want is:
A) type == IPAddress && (format == ipv4 || format == ipv6)
OR
B) type == anything other than IPAddress
I think that's closer to what we actually have.
We already have the following x-kubernetes-validations
value at the same level to cover the hostname type:
x-kubernetes-validations:
- message: Hostname value must only contain valid characters (matching
^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
rule: 'self.type == ''Hostname'' ? self.value.matches(''^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$''):
true'
Admittedly it would probably make sense to combine that all into the oneOf
for a CRD that was a bit easier to understand. We're avoiding that because the Hostname
validation can be expressed with a relatively simple regex that fits in a +kubebuilder
annotation and doesn't require customizing the CRD generation like we're doing for IP Addresses here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah right that will allow even invalid IPAddress types to pass validation via B. In that case would Joe's first suggestion should suffice then? It's already quite concise for what we want to express.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, Joe's first suggestion seems to work well here, thanks for the help!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me! Thanks a lot for the corrections and additions!
config/crd/experimental/gateway.networking.k8s.io_gateways.yaml
Outdated
Show resolved
Hide resolved
I don't think the generator hack is that bad. 😁 /lgtm |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
This is a follow up to @gauravkghildiyal's PR that added CEL validation (#2226). It contains a few things:
https://regex101.com/r/Kzijkp/1our custom CRD generation +oneOf
)Does this PR introduce a user-facing change?: