fix: over-restrictive validation of wildcard match patterns (#3310)
Signed-off-by: Ben Couture <Benjamin.Couture@LibertyMutual.com>
Signed-off-by: Ben Couture <bencouture@protonmail.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
bencouture and ritazh committed Mar 27, 2024
1 parent 58f25a2 commit 9a5539a
Showing 15 changed files with 238 additions and 213 deletions.
7 changes: 4 additions & 3 deletions config/crd/bases/config.gatekeeper.sh_configs.yaml
Expand Up @@ -42,10 +42,11 @@ spec:
excludedNamespaces:
items:
description: 'A string that supports globbing at its front
or end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system". The
and end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system",
"*system*" will match "system-kube" or "kube-system". The
asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
processes:
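Review bot: the replacement pattern `^\*?[-:a-z0-9]*\*?$` drops the old requirement for at least one literal character, so it now admits `""`, `*`, `**`, and values consisting only of `-` or `:`, all of which `^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$` rejected. For `excludedNamespaces` a lone `*` exempts every namespace from the Config's processing, so a typo that used to fail schema validation now passes silently. If those degenerate values are not meant to be legal, `^\*?[-:a-z0-9]+\*?$` keeps the fix while still demanding one non-asterisk character; if they are meant to be legal, the description should say what `*` and the empty string mean and the matcher should have a test for each.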
20 changes: 11 additions & 9 deletions config/crd/bases/match.gatekeeper.sh_matchcrd.yaml
Expand Up @@ -38,11 +38,12 @@ spec:
`kube-system` and `kube-public`, and `excludedNamespaces: [*-system]`
matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end.
description: 'A string that supports globbing at its front and end.
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system"
will match "kube-system" or "gatekeeper-system". The asterisk
is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
will match "kube-system" or "gatekeeper-system", "*system*" will
match "system-kube" or "kube-system". The asterisk is required
for wildcard matching.'
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
kinds:
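Review bot: the description now reads "front and end" and adds `*system*` as an example, but the pattern still rejects an asterisk anywhere other than the first or last position (`kube*system` fails), and nothing in the text says so; a sentence such as "an asterisk is only valid as the first and/or last character" would stop readers from taking "globbing at its front and end" as general glob support. The schema also accepts `**` now; either confirm the matcher treats it exactly like `*` or require at least one character between the two asterisks.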
Expand Down Expand Up @@ -120,7 +121,7 @@ spec:
a prefix or suffix glob. For example, `name: pod-*` would match
both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod`
and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's
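Review bot: the `name` pattern is loosened in the same way, but its description (`a prefix or suffix glob ... name: pod-* ... name: *-pod`) was left unchanged while the `namespaces` descriptions in this file were updated; `name: *pod*` now passes the schema although the text still implies only one end may carry a wildcard. Update this description together with the pattern. Since the pattern also admits `name: ""`, check what the match logic does with an empty name (match nothing or match everything) and state it here.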
Expand Down Expand Up @@ -174,11 +175,12 @@ spec:
[kube-*]` matches both `kube-system` and `kube-public`, and `namespaces:
[*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end.
description: 'A string that supports globbing at its front and end.
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system"
will match "kube-system" or "gatekeeper-system". The asterisk
is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
will match "kube-system" or "gatekeeper-system", "*system*" will
match "system-kube" or "kube-system". The asterisk is required
for wildcard matching.'
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
scope:
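Review bot: this is the third copy of the same one-word description change and pattern swap in a single generated CRD; files under config/crd/bases are normally produced by controller-gen from `+kubebuilder:validation:Pattern` markers on the Go types, so the marker on the shared wildcard type (not shown on this page) should be the edited source and these files regenerated from it, otherwise the next manifest regeneration reverts the fix. The re-wrapping of the description lines in these hunks is consistent with generator output rather than a hand edit.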
48 changes: 27 additions & 21 deletions config/crd/bases/mutations.gatekeeper.sh_assign.yaml
Expand Up @@ -75,11 +75,12 @@ spec:
matches both `kube-system` and `kube-public`, and `excludedNamespaces:
[*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or
description: 'A string that supports globbing at its front and
end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system". The
"*-system" will match "kube-system" or "gatekeeper-system",
"*system*" will match "system-kube" or "kube-system". The
asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
kinds:
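Review bot: upgrade safety is fine but deserves a sentence in the PR text: every string accepted by the old pattern is accepted by the new one (the old `*-` prefix and `-*` suffix are covered by the optional `\*` plus `-` in the character class), so no stored Assign object becomes invalid on upgrade and the change only admits more values going forward. The identical hunks at -75, -422 and -769 in this file cover all three copies of the match schema, so they loosen together; the converse is worth noting too, since a rollback to a build carrying the old pattern would reject objects that already use newly allowed forms such as `*system*`.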
Expand Down Expand Up @@ -158,7 +159,7 @@ spec:
a prefix or suffix glob. For example, `name: pod-*` would match
both `pod-a` and `pod-b`, and `name: *-pod` would match both
`a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an
Expand Down Expand Up @@ -213,11 +214,12 @@ spec:
[kube-*]` matches both `kube-system` and `kube-public`, and
`namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or
description: 'A string that supports globbing at its front and
end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system". The
"*-system" will match "kube-system" or "gatekeeper-system",
"*system*" will match "system-kube" or "kube-system". The
asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
scope:
Expand Down Expand Up @@ -422,11 +424,12 @@ spec:
matches both `kube-system` and `kube-public`, and `excludedNamespaces:
[*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or
description: 'A string that supports globbing at its front and
end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system". The
"*-system" will match "kube-system" or "gatekeeper-system",
"*system*" will match "system-kube" or "kube-system". The
asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
kinds:
Expand Down Expand Up @@ -505,7 +508,7 @@ spec:
a prefix or suffix glob. For example, `name: pod-*` would match
both `pod-a` and `pod-b`, and `name: *-pod` would match both
`a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an
Expand Down Expand Up @@ -560,11 +563,12 @@ spec:
[kube-*]` matches both `kube-system` and `kube-public`, and
`namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or
description: 'A string that supports globbing at its front and
end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system". The
"*-system" will match "kube-system" or "gatekeeper-system",
"*system*" will match "system-kube" or "kube-system". The
asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
scope:
Expand Down Expand Up @@ -769,11 +773,12 @@ spec:
matches both `kube-system` and `kube-public`, and `excludedNamespaces:
[*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or
description: 'A string that supports globbing at its front and
end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system". The
"*-system" will match "kube-system" or "gatekeeper-system",
"*system*" will match "system-kube" or "kube-system". The
asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
kinds:
Expand Down Expand Up @@ -852,7 +857,7 @@ spec:
a prefix or suffix glob. For example, `name: pod-*` would match
both `pod-a` and `pod-b`, and `name: *-pod` would match both
`a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an
Expand Down Expand Up @@ -907,11 +912,12 @@ spec:
[kube-*]` matches both `kube-system` and `kube-public`, and
`namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or
description: 'A string that supports globbing at its front and
end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system". The
"*-system" will match "kube-system" or "gatekeeper-system",
"*system*" will match "system-kube" or "kube-system". The
asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
scope:
16 changes: 9 additions & 7 deletions config/crd/bases/mutations.gatekeeper.sh_assignimage.yaml
Expand Up @@ -75,11 +75,12 @@ spec:
matches both `kube-system` and `kube-public`, and `excludedNamespaces:
[*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or
description: 'A string that supports globbing at its front and
end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system". The
"*-system" will match "kube-system" or "gatekeeper-system",
"*system*" will match "system-kube" or "kube-system". The
asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
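Review bot: AssignImage carries the same schema, so the comments above apply here as well; one point specific to the mutation CRDs is blast radius: a mutation whose `match.namespaces` is a lone `*` (now schema-valid) rewrites images cluster-wide, so the description should state whether `*` is treated as "all namespaces" and whether that is the same as omitting the field, and the mutation matcher should have a test that pins the chosen behaviour.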
kinds:
Expand Down Expand Up @@ -158,7 +159,7 @@ spec:
a prefix or suffix glob. For example, `name: pod-*` would match
both `pod-a` and `pod-b`, and `name: *-pod` would match both
`a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an
Expand Down Expand Up @@ -213,11 +214,12 @@ spec:
[kube-*]` matches both `kube-system` and `kube-public`, and
`namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or
description: 'A string that supports globbing at its front and
end. Ex: "kube-*" will match "kube-system" or "kube-public",
"*-system" will match "kube-system" or "gatekeeper-system". The
"*-system" will match "kube-system" or "gatekeeper-system",
"*system*" will match "system-kube" or "kube-system". The
asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^\*?[-:a-z0-9]*\*?$
type: string
type: array
scope: