Bug 1414956 - Name validation on Routes is too permissive
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jacob Tanenbaum
QA Contact: zhaozhanqi
Depends On:
Reported: 2017-01-19 19:48 UTC by Jessica Forrester
Modified: 2017-07-24 14:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Default hostname generation did not take into account that routes could have the "." character.
Consequence: When a generated hostname was used for a route that included a "." in the name and had allowed wildcardpolicy, there would be an extra subdomain.
Fix: Change the hostname generator to change "." in a route's name to "-" in the generated hostname.
Result: Generated hostnames cannot create additional subdomains.
Clone Of: 1414691
Last Closed: 2017-04-12 19:10:02 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2017:0884 | 0 | normal | SHIPPED_LIVE | Red Hat OpenShift Container Platform 3.5 RPM Release Advisory | 2017-04-12 22:50:07 UTC

Description Jessica Forrester 2017-01-19 19:48:47 UTC
+++ This bug was initially created as a clone of Bug #1414691 +++

Description of problem:
When creating a pvc from the storage page on the web console, if the input pvc name contains "." such as "pvc.test", it will prompt the error info: "Claim names may only contain lower-case letters, numbers, and dashes. They may not start or end with a dash. Max length of 253.", but a pvc with the name "pvc.test" can be created successfully in the cli.

Version-Release number of selected component (if applicable):
openshift v3.5.0.6+87f6173
oc v3.5.0.6+87f6173

How reproducible:

Steps to Reproduce:
1. Create pvc with name containing "." such as "pvc.test" from storage page on web console.
2. Create pvc with name containing "." in cli.
$ cat pvc-one.json
{
    "apiVersion": "v1",
    "kind": "PersistentVolumeClaim",
    "metadata": {
        "name": "pvc.test"
    },
    "spec": {
        "accessModes": [ "ReadWriteOnce" ],
        "resources": {
            "requests": {
                "storage": "2Gi"
            }
        }
    }
}
$ oc create -f pvc-one.json 
persistentvolumeclaim "pvc.test" created
$ oc get pvc
pvc.test   Pending                                      6s


Actual results:
1. Could not create pvc.test on web console.
2. Could create pvc.test in cli successfully.

Expected results:
1, 2. Should have consistent validation of the pvc name between web console and cli.

Additional info:
Creating other resources has the same issue, too, e.g. route.

Comment 1 Jessica Forrester 2017-01-19 19:50:51 UTC
Discussed with Jordan and Routes should not be as permissive as they are, they should not be allowing '.' in the name.  This bug is to track just the Route portion of the original bug that was opened.

Comment 2 Ben Bennett 2017-01-19 19:58:24 UTC
Wait... shouldn't the object validator reject them if . is invalid?  Otherwise people can still make bad routes by uploading them to the API endpoint.

And what do we do with any existing routes that have "bad" names?

Comment 3 Jessica Forrester 2017-01-19 20:50:11 UTC
That is why I cloned this bug to you guys :)  the API validator is being too permissive.  Jordan suggested updating it so it prevents '.' during create, but it needs to allow it during update so that existing route objects can still validate.

Comment 4 Eric Paris 2017-01-28 18:32:07 UTC
Why are routes with a . in the name bad? Who cares?

Comment 5 Jordan Liggitt 2017-01-30 14:38:14 UTC
route name is used as a part of one segment of the generated host. in order for the router to be able to have a wildcard cert that is valid for all the default hostnames, the variable parts of the generated host (route and namespace name) cannot contain dots. otherwise, an extra segment is added to the hostname, which a wildcard cert will not match.

Comment 6 Phil Cameron 2017-01-30 21:44:58 UTC
Dumb question: what does this have to do with networking? This is a PVC claim with a bad name.

Comment 7 Eric Paris 2017-01-30 21:50:30 UTC
Phil: https://bugzilla.redhat.com/show_bug.cgi?id=1414956#c3

The original report was about PVC. They decided routes were too permissive as well. I'm not sure I'm convinced. But this is about routes.

Comment 8 Phil Cameron 2017-01-31 14:50:25 UTC

generated route name

route-name can be up to 253 characters
namespace can be up to 253 characters
we insert a "-"

everything before (or between) the "." must not be greater than 63 characters. The suffix must be less than 253 characters (limit of full path name).

What are the rules we need to apply to generate the route name?

seems to suggest that the default <suffix> is:

Setting a custom default routing subdomain (suffix):
This doesn't tell what is used when this is omitted or set to "".
Since the full path name must be 253 characters or less, and the supplied suffix is not limited (at least according to the doc), there may not be 63 characters left for the generated host name.


Comment 9 Ben Bennett 2017-02-07 16:01:46 UTC
Per Clayton: "When we autogenerate a hostname for "foo.bar" we should turn it into "foo-bar"."

So we will continue to allow . in route names.  But we will just make that transformation when we create the hostname.

Comment 10 openshift-github-bot 2017-02-20 18:48:36 UTC
Commit pushed to master at https://github.com/openshift/origin

Change "." to "-" in generated hostnames for routes

if a route is named example.test the default generated hostname is


This changes the default generated hostname to


Bug 1414956

Comment 12 zhaozhanqi 2017-02-24 07:00:56 UTC
Verified this bug on openshift v3.5.0.33


1. oc expose svc service-unsecure -n z1 --name=test1.test
2. oc create route edge edge.test --service=service-unsecure -n z1
3. oc create route passthrough pass.test --service=service-unsecure -n z1
4. oc create route reencrypt reen.test --service=service-unsecure -n z1 --dest-ca-cert=ca.pem

5. oc get route -n z1

# oc get route -n z1
NAME         HOST/PORT                               PATH      SERVICES           PORT      TERMINATION   WILDCARD
edge.test    edge-test-z1.0224-0m7.qe.rhcloud.com              service-unsecure   http      edge          None
pass.test    pass-test-z1.0224-0m7.qe.rhcloud.com              service-unsecure   http      passthrough   None
reen.test    reen-test-z1.0224-0m7.qe.rhcloud.com              service-unsecure   http      reencrypt     None
test1.test   test1-test-z1.0224-0m7.qe.rhcloud.com             service-unsecure   http                    None
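
The transformation agreed in comment 9, checked against the wildcard-certificate concern from comment 5 and the DNS length limits from comment 8, as an added example (not the openshift/origin code). The `<route>-<namespace>.<suffix>` template and the sample values are taken from the `oc get route` output above; the function names, the `*.<suffix>` certificate name and the pre-fix behaviour (route name used verbatim) are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// generatedHost builds <route>-<namespace>.<suffix>. With fix=true, "." in the
// route name becomes "-" (comment 9); fix=false is the assumed pre-fix behaviour.
func generatedHost(route, namespace, suffix string, fix bool) string {
	if fix {
		route = strings.Replace(route, ".", "-", -1)
	}
	return route + "-" + namespace + "." + suffix
}

// wildcardCovers reports whether certificate name pattern ("*.<domain>")
// covers host. The "*" stands for exactly one leftmost DNS label.
func wildcardCovers(pattern, host string) bool {
	if !strings.HasPrefix(pattern, "*.") {
		return strings.EqualFold(pattern, host)
	}
	parts := strings.SplitN(host, ".", 2)
	return len(parts) == 2 && parts[0] != "" && strings.EqualFold(parts[1], pattern[2:])
}

// withinDNSLimits applies the limits from comment 8: each label at most 63
// characters, the full name at most 253.
func withinDNSLimits(host string) bool {
	if len(host) > 253 {
		return false
	}
	for _, label := range strings.Split(host, ".") {
		if label == "" || len(label) > 63 {
			return false
		}
	}
	return true
}

func main() {
	const suffix = "0224-0m7.qe.rhcloud.com" // suffix from the output above
	cert := "*." + suffix                    // assumed wildcard certificate name
	for _, fix := range []bool{false, true} {
		h := generatedHost("edge.test", "z1", suffix, fix)
		fmt.Printf("fix=%-5v %-40s cert=%v dns=%v\n", fix, h, wildcardCovers(cert, h), withinDNSLimits(h))
	}
}
```

Replacing "." removes the extra label, but a long route name can still push the first label past 63 characters, which is the open question in comment 8.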

Comment 14 errata-xmlrpc 2017-04-12 19:10:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

