Failed to create ResourceBinding for resources with :: in the name #4681
Comments
@a7i Thanks a lot for your feedback!
I agree with you that propagating a system Role doesn't seem to have a reasonable usage scenario. We should consider banning the propagation of system Roles (and other RBAC resources, including RoleBinding, ClusterRole, and ClusterRoleBinding). By the way, how did you discover the problem? Are you trying to propagate a system Role?
@XiShanYongYe-Chang that is correct, I accidentally propagated a system role. With that being said,
Ask @RainbowMango to help take a look.
That is because the CRD resources can not accept names with
karmada/pkg/util/names/names.go Lines 65 to 71 in e7300c3
This is indeed a tradeoff to do the replacement. :(
The trouble is that we can not assume there is one or two colons in the name. There may be more. Echo from https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects:
Given the RBAC system doesn't require any format, that means the users might create resources with any number of colons, like:
# kubectl create role "foo:::bar" --verb=get --resource=pods // 3 colons
role.rbac.authorization.k8s.io/foo:::bar created
# kubectl create role "foo::::bar" --verb=get --resource=pods // 4 colons
role.rbac.authorization.k8s.io/foo::::bar created
# kubectl create role "foo:::::bar" --verb=get --resource=pods // 5 colons
role.rbac.authorization.k8s.io/foo:::::bar created
How do we handle these cases? Or shall we handle that?
Perhaps we could replace Given that
This is a feasible method.
Yeah, but it might be a breaking change incompatible with previous versions. That is concerning, right?
What happened:
If a Role has two colons (::) in the name, then neither a ResourceBinding nor a Work is created. Karmada replaces colon with dot (not sure why), but this causes issues as the name ends up having two dots in it, which is not RFC 1123 compliant.
What you expected to happen:
The name to be sanitized by karmada-controller-manager
How to reproduce it (as minimally and precisely as possible):
test::double-colon
Anything else we need to know?:
To be fair, we should have never propagated this role (since it's a system role), but regardless it should be sanitized.
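The failure mode reported in this issue, as an added example that is not Karmada's code and not part of the original thread: it models the colon-to-dot substitution described above and checks the result against the RFC 1123 subdomain pattern that Kubernetes uses for object names. The function names (colonToDot, isRFC1123Subdomain, rejectedAfterSubstitution) are hypothetical, and the sample names are constructed or taken from the thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RFC 1123 subdomain pattern, the form Kubernetes uses to validate object names:
// dot-separated labels, each starting and ending with a lowercase alphanumeric.
var rfc1123Subdomain = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

const maxSubdomainLen = 253

// colonToDot models the substitution described in the issue (hypothetical
// helper, not Karmada's function): every ':' in the source name becomes '.'.
func colonToDot(name string) string {
	return strings.ReplaceAll(name, ":", ".")
}

// isRFC1123Subdomain reports whether name would pass object-name validation.
func isRFC1123Subdomain(name string) bool {
	return len(name) <= maxSubdomainLen && rfc1123Subdomain.MatchString(name)
}

// rejectedAfterSubstitution maps each source name whose substituted form is
// invalid to that substituted form. Consecutive colons produce an empty label
// ("a..b"); a leading or trailing colon produces a leading or trailing dot.
func rejectedAfterSubstitution(names []string) map[string]string {
	bad := map[string]string{}
	for _, n := range names {
		if s := colonToDot(n); !isRFC1123Subdomain(s) {
			bad[n] = s
		}
	}
	return bad
}

func main() {
	// Constructed sample input; the multi-colon names appear in this thread.
	names := []string{"foo:bar", "system:controller:foo", "test::double-colon", "foo:::bar"}
	for n, s := range rejectedAfterSubstitution(names) {
		fmt.Printf("%q -> %q is not a valid RFC 1123 subdomain\n", n, s)
	}
}
```

Names with single, non-adjacent colons survive the substitution; any run of two or more colons, or a colon at either end of the name, does not.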