Evaluate impact of x-kubernetes-preserve-unknown-fields: true fields introduced by 1.23 prior to 1.23.3 #1818
Comments
ABSTRACT:

We are susceptible to this bug, as there are ways of creating a JSONSchema where the user hasn't provided sufficient information for us to intuit that they mean to specify a list. In those cases, the user's list information is dropped when they specify it in a constraint, causing a bug. If we have enough information (

TESTING

To test this I created a kind cluster at version 1.23.0. I then installed g8r

Test Case 1: No specific type... even though it's supposed to be an array

    validation:
      openAPIV3Schema:
        type: object
        properties:
          labels:
            # type: array
            description: >-
              A list of labels and values the object must specify.

B/c we don't know what type

    parameters:
      properties:
        labels:
          description: A list of labels and values the object must specify.
          x-kubernetes-preserve-unknown-fields: true
      type: object
      x-kubernetes-preserve-unknown-fields: true

Thus, when we add a constraint where the

PARAMETERS APPLIED:

    ...
    spec:
      ...
      parameters:
        labels:
          - key: owner
            allowedRegex: "^[a-zA-Z]+.agilebank.demo$"

PERSISTED:

    spec:
      ...
      parameters:
        labels:
          - {}

Test Case 2:
|
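Added example, not part of the thread and not Gatekeeper or frameworks code: a small Go check that walks a schema and lists the fields matching the pattern in Test Case 1 above, meaning `x-kubernetes-preserve-unknown-fields: true` with no declared `type`. The function names, the `spec` path prefix and the inline JSON (a condensed, constructed form of the transformed schema shown above) are assumptions for illustration; a hit marks a field to review, it does not prove that data was dropped.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed input: condensed JSON form of the Test Case 1 schema.
const testCase1 = `{"properties": {"parameters": {
  "type": "object",
  "x-kubernetes-preserve-unknown-fields": true,
  "properties": {"labels": {
    "x-kubernetes-preserve-unknown-fields": true}}}}}`

// untypedPreserved returns the sorted paths of schema nodes that set
// x-kubernetes-preserve-unknown-fields: true but declare no "type".
func untypedPreserved(node map[string]interface{}, path string) []string {
	var hits []string
	_, typed := node["type"]
	if p, _ := node["x-kubernetes-preserve-unknown-fields"].(bool); p && !typed {
		hits = append(hits, path)
	}
	if props, ok := node["properties"].(map[string]interface{}); ok {
		for name, child := range props {
			if c, ok := child.(map[string]interface{}); ok {
				hits = append(hits, untypedPreserved(c, path+"."+name)...)
			}
		}
	}
	if items, ok := node["items"].(map[string]interface{}); ok {
		hits = append(hits, untypedPreserved(items, path+"[]")...)
	}
	sort.Strings(hits)
	return hits
}

// scan parses a JSON schema document and reports the flagged paths.
func scan(doc string) ([]string, error) {
	var root map[string]interface{}
	if err := json.Unmarshal([]byte(doc), &root); err != nil {
		return nil, err
	}
	return untypedPreserved(root, "spec"), nil
}

func main() {
	fmt.Println(scan(testCase1))
}
```
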
@ritazh, given our small but real exposure to this bug, how would you suggest we move forward? Do we have a place for putting out something like a Public Service Announcement? I think we can recommend people to use |
Should we pin this issue? |
@julianKatz Thank you so much for verifying!
Can you pls provide an example of the fix with one of the test cases above? |
set |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
What steps did you take and what happened:
[A clear and concise description of what the bug is.]
Does this impact Gatekeeper in any way? Seems it only impacts array types https://groups.google.com/u/0/a/kubernetes.io/g/dev/c/Xl1sm-CItaY?pli=1
Relevant code to evaluate:
https://github.com/open-policy-agent/frameworks/blob/352a1b3fc276fb2cad3629945a91cdc1ae2f18ec/constraint/pkg/schema/transform.go#L34-L44
What did you expect to happen:
Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
Environment:
kubectl version