Attempt to create ClusterRbacAssessmentReport with invalid name #343
Looks like this happens for any Role or ClusterRole that has capital letters in its name. Seems the name of the CRD is subject to one of the DNS-like object name rules (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names); however, it is basing its name on the Role/ClusterRole it describes, and those objects are not subject to the same rules.
@jrhunger Thanks, would you know if the name rules are documented somewhere? I am a bit surprised to see a clusterrole name with uppercase letters, but I am a developer and not a cluster-admin. 😸 Found a similar issue, and suggest we add some logic to our custom resource names. WDYT, @chen-keinan?
@chen-keinan I think we use the wrong func to validate. Rules for names are stricter than for labels. There seem to be other validation funcs in the same package that we should use to validate resource names. Ref. https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
I think the correct func to use for resource name is
Since the role name is kept in a label, we have to pass it via the label validator as well.
But resource names have stricter validation than labels. So all valid resource names are valid labels.
Some insights to this problem by Master Liggitt on Slack: https://kubernetes.slack.com/archives/C0EG7JC6T/p1658391621520889
@erikgb just curious, did #388 fix this for you?
When an RBAC resource has a capital letter in its name, trivy-operator throws an error when creating its configaudit report or RBAC report. This happens because capital letters are not allowed in the names of the majority of resources, except RBAC. To resolve this, we will make sure that trivy-operator does not try to create a report with a capital letter; if a capital letter comes, then we generate the report with a hash value name.
- Replace IsValidLabelValue with IsDNS1123Label, which allows only lower case values, other similar constraint on length.
Resolve: aquasecurity#343
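The naming mismatch discussed in this thread and the hash fallback described in the commit message, as an added example (not trivy-operator's code). The two regular expressions restate the Kubernetes label-value and DNS-1123 label rules locally instead of importing `k8s.io/apimachinery/pkg/util/validation`; the `clusterrole-` prefix, the truncated SHA-256 hash and the sample role names are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Local restatements of the two Kubernetes rules discussed in the thread
// (the real validators live in k8s.io/apimachinery/pkg/util/validation).
var (
	dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	labelValue   = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)
)

const maxLen = 63 // both rules cap the length at 63 characters

// isLabelValue is the looser check: upper case, '_' and '.' are accepted.
func isLabelValue(s string) bool { return len(s) <= maxLen && labelValue.MatchString(s) }

// isDNS1123Label is the stricter check: lower-case alphanumerics and '-' only.
func isDNS1123Label(s string) bool { return len(s) <= maxLen && dns1123Label.MatchString(s) }

// reportName returns a value usable as metadata.name for a report about the
// given (Cluster)Role. The "clusterrole-" prefix and the truncated SHA-256
// fallback are assumptions of this example, not the operator's scheme.
func reportName(roleName string) string {
	candidate := "clusterrole-" + roleName
	if isDNS1123Label(candidate) {
		return candidate
	}
	// Role names may contain upper case or ':'; hash them into a safe name.
	sum := sha256.Sum256([]byte(roleName))
	return "clusterrole-" + hex.EncodeToString(sum[:])[:16]
}

func main() {
	// Constructed sample role names, not taken from the issue.
	for _, n := range []string{"view", "MyOperator-Role", "system:node-proxier"} {
		fmt.Printf("%-20s labelValue=%-5v dns1123=%-5v report=%s\n",
			n, isLabelValue(n), isDNS1123Label(n), reportName(n))
	}
}
```

`MyOperator-Role` passes the label-value check but fails the DNS-1123 label check, which is the gap that let an invalid report name reach the API server.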
What steps did you take and what happened:
I just booted up a fresh cluster with trivy-operator and some other stuff installed. It seems like our ClusterRbacAssessmentReport-reconciler is attempting to create a report with an invalid name:
What did you expect to happen:
Resources scanned without errors.
Anything else you would like to add:
Environment:
- `trivy-operator version`: 0.1.3
- `kubectl version`: RKE2 1.23.8