nfd-master: add validation of label names and values

Validate labels before trying to update the node. Makes us fail early nad prevent useless retries in case invalid labels are tried. (backported from commit 2a3c7e4c93)
2024-12-14 11:57:51 +00:00 · 2023-05-31 14:30:44 +03:00 · 2023-05-31 14:30:44 +03:00 · 5b58574100
commit 5b58574100
parent 22916e62ab
2 changed files with 17 additions and 2 deletions
--- a/pkg/nfd-master/nfd-master-internal_test.go
+++ b/pkg/nfd-master/nfd-master-internal_test.go
@ -367,8 +367,10 @@ func TestSetLabels(t *testing.T) {
 				"random.denied.ns/feature-3":     "val-3",
 				"kubernetes.io/feature-4":        "val-4",
 				"sub.ns.kubernetes.io/feature-5": "val-5",
-				vendorFeatureLabel:               " val-6",
-				vendorProfileLabel:               " val-7"}
+				vendorFeatureLabel:               "val-6",
+				vendorProfileLabel:               "val-7",
+				"--invalid-name--":               "valid-val",
+				"valid-name":                     "--invalid-val--"}
 			expectedPatches := []apihelper.JsonPatch{
 				apihelper.NewJsonPatch("add", "/metadata/annotations", instance+"."+nfdv1alpha1.WorkerVersionAnnotation, workerVer),
 				apihelper.NewJsonPatch("add", "/metadata/annotations",
--- a/pkg/nfd-master/nfd-master.go
+++ b/pkg/nfd-master/nfd-master.go
@ -39,6 +39,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	k8sQuantity "k8s.io/apimachinery/pkg/api/resource"
 	k8sLabels "k8s.io/apimachinery/pkg/labels"
+	k8svalidation "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
@ -462,6 +463,12 @@ func (m *nfdMaster) filterFeatureLabels(labels Labels) (Labels, ExtendedResource
 		// Add possibly missing default ns
 		label := addNs(label, nfdv1alpha1.FeatureLabelNs)

+		//Validate label name
+		if errs := k8svalidation.IsQualifiedName(label); len(errs) > 0 {
+			klog.Errorf("ignoring label %q, invalid name: %s", label, strings.Join(errs, "; "))
+			continue
+		}
+
 		ns, name := splitNs(label)

 		// Check label namespace, filter out if ns is not whitelisted
@ -481,6 +488,12 @@ func (m *nfdMaster) filterFeatureLabels(labels Labels) (Labels, ExtendedResource
 			klog.Errorf("%s (%s) does not match the whitelist (%s) and will not be published.", name, label, m.config.LabelWhiteList.Regexp.String())
 			continue
 		}
+
+		// Validate the label value
+		if errs := k8svalidation.IsValidLabelValue(value); len(errs) > 0 {
+			klog.Errorf("ignoring label %q, invalid value %q: %s", label, value, strings.Join(errs, "; "))
+			continue
+		}
 		outLabels[label] = value
 	}