Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: update CEL validation for expireAfter and consolidateAfter fields to block invalid values like 1hr #2055

Merged
merged 1 commit into from
Mar 7, 2025
Merged

fix: update CEL validation for expireAfter and consolidateAfter fields to block invalid values like 1hr #2055

merged 1 commit into from
Mar 7, 2025

Conversation

saurav-agarwalla
Copy link
Contributor

@saurav-agarwalla saurav-agarwalla commented Mar 6, 2025
edited
Loading

Fixes #N/A

Description
Current CEL validation allows values like 1hr to be set in the spec which causes the resources to be stuck in a weird state.

How was this change tested?

Used this spec for nodepool:

apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
  name: malformed
spec:
  disruption:
    budgets:
    - nodes: 10%
    consolidateAfter: 1hr
    consolidationPolicy: WhenEmpty
  template:
    spec:
      expireAfter: 12h
      nodeClassRef:
        group: karpenter.k8s.aws
        kind: EC2NodeClass
        name: default
      requirements:
      - key: karpenter.sh/capacity-type
        operator: In
        values:
        - on-demand
      terminationGracePeriod: 24h0m0s

Before the change:

~ k apply -f malformed-nodepool.yaml
nodepool.karpenter.sh/malformed created

~ k get nodepool
NAME        NODECLASS   NODES   READY   AGE
default     default     0       True    8d
malformed   default                     89s

In the logs:

{"level":"INFO","time":"2025-03-06T18:14:19.413Z","logger":"controller","caller":"cache/reflector.go:370","message":"k8s.io/[email protected]/tools/cache/reflector.go:251: failed to list *v1.NodePool: time: unknown unit \"hr\" in duration \"1hr\"","commit":"974a323-dirty"}

After the change:

 ~ k apply -f malformed-nodepool.yaml
The NodePool "malformed" is invalid: spec.disruption.consolidateAfter: Invalid value: "1hr": spec.disruption.consolidateAfter in body should match '^(([0-9]+(s|m|h))+|Never)$'

I can't replicate this in the unit tests since the tests parse the duration so testing that kind of makes it pointless since what we really want to test is CEL server-side validation catching it like it did above. I've added other unit tests to ensure that there's no regression.

Regex testing:

Before: https://regex101.com/r/C8F0Wf/1
After: https://regex101.com/r/nHnhl2/1

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 6, 2025
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 6, 2025
@coveralls
Copy link

coveralls commented Mar 6, 2025
edited
Loading

Pull Request Test Coverage Report for Build 13712102484

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 2 unchanged lines in 1 file lost coverage.
  • Overall coverage remained the same at 81.616%
Files with Coverage Reduction New Missed Lines %
pkg/test/expectations/expectations.go 2 95.0%
Totals Coverage Status
Change from base Build 13683176482: 0.0%
Covered Lines: 9594
Relevant Lines: 11755
💛 - Coveralls

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 7, 2025
jonathan-innis
jonathan-innis approved these changes Mar 7, 2025
View reviewed changes
Copy link
Member

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 7, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jonathan-innis, saurav-agarwalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 7, 2025
@k8s-ci-robot k8s-ci-robot merged commit 0ce6eb5 into kubernetes-sigs:main Mar 7, 2025
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonathan-innis jonathan-innis jonathan-innis approved these changes

@jackfrancis jackfrancis Awaiting requested review from jackfrancis

@jmdeal jmdeal Awaiting requested review from jmdeal

Assignees

@jonathan-innis jonathan-innis

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@saurav-agarwalla @coveralls @k8s-ci-robot @jonathan-innis