fix: validate resourcePrefix in NCP DP

In the admission controller, the `resourcePrefix` field in Device Plugins configuration is now validated to be a valid FQDN. Signed-off-by: Fred Rolland <frolland@nvidia.com>
rollandf · Oct 23, 2023 · 38ec224 · 38ec224
1 parent 053bc17
commit 38ec224
Show file tree

Hide file tree

Showing 2 changed files with 106 additions and 258 deletions.
diff --git a/api/v1alpha1/nicclusterpolicy_webhook.go b/api/v1alpha1/nicclusterpolicy_webhook.go
@@ -206,6 +206,15 @@ func (dp *DevicePluginSpec) validateSriovNetworkDevicePlugin(fldPath *field.Path
 						"or '123_abc', regex used for validation is '([A-Za-z0-9][A-Za-z0-9_.]*)?[A-Za-z0-9]')"))
 				return allErrs
 			}
+			resourcePrefix, ok := resource["resourcePrefix"]
+			if ok {
+				if !isValidFQDN(resourcePrefix.(string)) {
+					allErrs = append(allErrs, field.Invalid(fldPath.Child("Config"), dp.Config,
+						"Invalid Resource prefix, it must be a valid FQDN"+
+							"regex used for validation is '^[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z]{2,})+$'"))
+					return allErrs
+				}
+			}
 			deviceType := resource["deviceType"]
 			switch deviceType {
 			case "accelerator":
@@ -266,6 +275,15 @@ func (dp *DevicePluginSpec) validateRdmaSharedDevicePlugin(fldPath *field.Path)
 						"(e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0"+
 						"-9_.]*)?[A-Za-z0-9]')"))
 			}
+			resourcePrefix, ok := config["resourcePrefix"]
+			if ok {
+				if !isValidFQDN(resourcePrefix.(string)) {
+					allErrs = append(allErrs, field.Invalid(fldPath.Child("Config"), dp.Config,
+						"Invalid Resource prefix, it must be a valid FQDN "+
+							"regex used for validation is '^[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z]{2,})+$'"))
+					return allErrs
+				}
+			}
 		}
 	} else {
 		for _, ResultErr := range result.Errors() {
@@ -347,6 +365,12 @@ func isValidRdmaSharedDevicePluginResourceName(resourceName string) bool {
 	return resourceNameRegex.MatchString(resourceName)
 }
 
+func isValidFQDN(input string) bool {
+	pattern := `^[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+$`
+	regex := regexp.MustCompile(pattern)
+	return regex.MatchString(input)
+}
+
 // +kubebuilder:object:generate=false
 type schemaValidator struct {
 	schemas map[string]*gojsonschema.Schema