Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Completing CEL validation for Gateway #2246

Merged
merged 1 commit into from
Aug 3, 2023

Conversation

robscott
Copy link
Member

@robscott robscott commented Jul 27, 2023

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
This is a follow up to @gauravkghildiyal's PR that added CEL validation (#2226). It contains a few things:

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 27, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: robscott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 27, 2023
@@ -537,6 +537,7 @@ type RouteGroupKind struct {
// GatewayAddress describes an address that can be bound to a Gateway.
//
// +kubebuilder:validation:XValidation:message="Hostname value must only contain valid characters (matching ^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)",rule="self.type == 'Hostname' ? self.value.matches('^(\\\\*\\\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'): true"
// +kubebuilder:validation:XValidation:message="IPAddress value must only contain valid characters",rule="self.type == 'IPAddress' ? self.value.matches('((^\\\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\\\s*$)|(^\\\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:)))(%.+)?\\\\s*$))'): true"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With all the escaping this gets to be pretty hard to parse - here's the original: https://regex101.com/r/Kzijkp/1

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The escaping is making me wonder if we should hang out with the kubebuilder group a bit and see about options to get these rules from other files and locations.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@robscott thanks for the link, without the escaping it is super easy to understand!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Less sarcastic: can we use https://github.com/kubernetes/kubernetes/pull/85381/files? Seems we already use it in some other places (date-time - interestingly, the link I sent says it should be datetime.

Actually that may be tricky since we need this conditional... maybe there is some way to get these into the CEL... I can't help but think there must be a better way to do this (or if not, there should be)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checked in with @jpbetz and sadly we're stuck with a regex for now. The good news is that this will get better with KEP 3937. Unfortunately in the best case this will be enabled by default in 1.31+, and with our 5 minor version support window, we'd need to wait for 1.36, or >2 years from now for this to be available.

The closest thing we have available now is isURL("https://" + ip + "/") which uses https://github.com/kubernetes/kubernetes/blob/97c7dbcd227ec253bb277a91575706fe30f519dc/staging/src/k8s.io/apiserver/pkg/cel/library/urls.go#L234, but of course that would still be too permissive for what we need here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops sorry I didn't see I was tagged earlier. Yeah i think Joe's suggestion would be fine, though having

         type:
           not:
             enum: ["IPAddress"]

makes it look like any other value can be accepted if it doesn't fit the enum? If the fallback is string, why not keep that in the oneOf?

  oneOf:
     - properties:
         type:
           enum: ["IPAddress"]
         value:
           anyOf:
             - format: ipv4
             - format: ipv6
     - properties:
          type:
            type: string
          value:
            type: string

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eliminating the "not: enum: ..." part SGTM since the fallback is that you can have any value. Thanks @Jefftree

Copy link
Member Author

@robscott robscott Aug 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Jefftree @jpbetz I think I'm misunderstanding the suggestion. It seems like that would be interpreted as

One Of:
A) type == IPAddress && (format == ipv4 || format == ipv6)
OR
B) type == any string && value == any string

Wouldn't that allow any value to pass through validation via B), including type==IPAddress?

What we really want is:

A) type == IPAddress && (format == ipv4 || format == ipv6)
OR
B) type == anything other than IPAddress

I think that's closer to what we actually have.

We already have the following x-kubernetes-validations value at the same level to cover the hostname type:

                  x-kubernetes-validations:
                  - message: Hostname value must only contain valid characters (matching
                      ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
                    rule: 'self.type == ''Hostname'' ? self.value.matches(''^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$''):
                      true'

Admittedly it would probably make sense to combine that all into the oneOf for a CRD that was a bit easier to understand. We're avoiding that because the Hostname validation can be expressed with a relatively simple regex that fits in a +kubebuilder annotation and doesn't require customizing the CRD generation like we're doing for IP Addresses here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah right that will allow even invalid IPAddress types to pass validation via B. In that case would Joe's first suggestion should suffice then? It's already quite concise for what we want to express.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, Joe's first suggestion seems to work well here, thanks for the help!

@robscott robscott added this to the v0.8.0 milestone Jul 27, 2023
Copy link
Member

@gauravkghildiyal gauravkghildiyal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me! Thanks a lot for the corrections and additions!

hack/cel-validation/gateway_test.go Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 3, 2023
@jpbetz jpbetz mentioned this pull request Aug 3, 2023
11 tasks
@youngnick
Copy link
Contributor

I don't think the generator hack is that bad. 😁

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 3, 2023
@k8s-ci-robot k8s-ci-robot merged commit 83e2ede into kubernetes-sigs:main Aug 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants