Bug 1774419 - [sriov] sriov webhook should validate the resourcename in SriovNetworkNodePolicy
Summary: [sriov] sriov webhook should validate the resourcename in SriovNetworkNodePolicy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.3.0
Hardware: All
OS: All
medium
medium
Target Milestone: ---
: 4.4.0
Assignee: Peng Liu
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks: 1776914
TreeView+ depends on / blocked
 
Reported: 2019-11-20 09:46 UTC by zhaozhanqi
Modified: 2020-05-04 11:16 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1776914 (view as bug list)
Environment:
Last Closed: 2020-05-04 11:16:09 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift sriov-network-operator pull 126 0 'None' closed Bug 1774419: Webhook Add validation for resourceName 2020-05-06 02:20:59 UTC
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-04 11:16:42 UTC

Description zhaozhanqi 2019-11-20 09:46:40 UTC
Description of problem:
When creating cr SriovNetworkNodePolicy with "resourceName: intel-rhel".  the device-plugin pod creashed with error: 

oc logs sriov-device-plugin-klb2t
I1120 09:36:40.274970      20 manager.go:70] Using Kubelet Plugin Registry Mode
I1120 09:36:40.275183      20 main.go:44] resource manager reading configs
I1120 09:36:40.275746      20 manager.go:98] ResourceList: [{ResourceName:intelnetdevice-rhel IsRdma:false Selectors:{Vendors:[8086] Devices:[] Drivers:[iavf mlx5_core i40evf ixgbevf] PfNames:[p1p1] LinkTypes:[]}}]
E1120 09:36:40.275876      20 manager.go:161] resource name "intelnetdevice-rhel" contains invalid characters
F1120 09:36:40.275901      20 main.go:57] Exiting.. one or more invalid configuration(s) given

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Assume the sriov operator is installed
2. Create one CR with:
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  name: intel-netdevice-rhel
  namespace: openshift-sriov-network-operator
spec:
  deviceType: netdevice
  mtu: 1500
  nicSelector:
    pfNames:
      - p1p1
    rootDevices:
      - '0000:3b:00.0'
    vendor: '8086'
  nodeSelector:
    feature.node.kubernetes.io/sriov-capable-rhel: 'true'
  numVfs: 5
  priority: 99
  resourceName: intel-rhel
3. oc get pod
4. 

Actual results:

oc logs sriov-device-plugin-klb2t
I1120 09:36:40.274970      20 manager.go:70] Using Kubelet Plugin Registry Mode
I1120 09:36:40.275183      20 main.go:44] resource manager reading configs
I1120 09:36:40.275746      20 manager.go:98] ResourceList: [{ResourceName:intelnetdevice-rhel IsRdma:false Selectors:{Vendors:[8086] Devices:[] Drivers:[iavf mlx5_core i40evf ixgbevf] PfNames:[p1p1] LinkTypes:[]}}]
E1120 09:36:40.275876      20 manager.go:161] resource name "intelnetdevice-rhel" contains invalid characters
F1120 09:36:40.275901      20 main.go:57] Exiting.. one or more invalid configuration(s) given

Expected results:

Webhook should add validation for resourceName.

Additional info:

Comment 1 Peng Liu 2019-11-25 09:32:59 UTC
The sriov-network-device-plugin only allows the resourceNames which follow '^[a-zA-Z0-9-]+$'. I guess the intention is to follow rfc952. However, in rfc952, '-' is a valid character. The sriov-network-device-plugin code may also need to be fixed.

Comment 3 zhaozhanqi 2019-12-20 03:20:15 UTC
Verified this bug on 4.3.0-201912190717

# oc create -f wrong.yaml 
Error from server (resource name "intel-rhel" contains invalid characters): error when creating "wrong.yaml": admission webhook "operator-webhook.sriovnetwork.openshift.io" denied the request: resource name "intel-rhel" contains invalid characters

Comment 5 errata-xmlrpc 2020-05-04 11:16:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581


Note You need to log in before you can comment on or make changes to this bug.