Cluster-api: KCP/CABPK should reject known invalid Kubernetes versions
What steps did you take and what happened:
- Try to create a cluster with KCP.spec.kubernetesVersion set to something like
v1.19.1_mycompany.2 - kubeadm bootstrapping fails with this in the output
couldn't parse Kubernetes version "v1.19.1_mycompany.2": could not parse pre-release/metadata (_mycompany.2) in version "v1.19.1_mycompany.2"
What did you expect to happen:
- kubeadm bootstrapping succeeds
Anything else you would like to add:
For this example, a valid/appropriate version would be v1.19.1+mycompany.2.
kubeadm only accepts valid semver values. We should consider adding webhook validations for both KCP and KubeadmConfig.
Environment:
- Cluster-api version: v0.3.x
/kind bug
/area control-plane
/area bootstrap
ncdc
All 16 comments
cc @fabriziopandini
ncdc
on 25 Sep 2020
Seems we're using this regex https://github.com/kubernetes-sigs/cluster-api/blob/b0236f2b3c1d0ee9e6a8dffd1baaa22fd8aee17d/controlplane/kubeadm/api/v1alpha3/kubeadm_control_plane_webhook.go#L51 to validate the KCP.Spec.Version field, and it seems it does allow for underscores 馃
vincepri
on 25 Sep 2020
Compare with https://github.com/kubernetes/kubernetes/blob/ccfdc09f3559f0cb220dd4d921951f1badf15076/cmd/kubeadm/app/util/config/common.go#L100-L102
ncdc
on 25 Sep 2020
cc @CecileRobertMichon as well, given that the regex came in https://github.com/kubernetes-sigs/cluster-api/pull/3147
vincepri
on 25 Sep 2020
@ncdc Not sure if you wanna tackle this in v0.3.x or later, if we do remove the underscore from the regex, it could technically break some controllers out there from patching, that said their clusters would already pretty much be broken at that point
vincepri
on 25 Sep 2020
/milestone v0.4.0
ncdc
on 25 Sep 2020
@vincepri regex actually came from https://github.com/kubernetes-sigs/cluster-api/commit/32e6e61a254c170095c85816fb0ea0f6d575bb89#diff-99f38c7c07bfcc03a528180716bafab5R58, I just reused the same one in webhook validation (couldn't use the one in util because it created a dependency cycle)
CecileRobertMichon
on 25 Sep 2020
Thanks, I wish we added a comment on where that regex came from :/
vincepri
on 25 Sep 2020
We can probably use this issue to align all our validations on Kubernetes versions, and use the exact same code / parsing everywhere
vincepri
on 25 Sep 2020
@fabriziopandini What do you think the best way to proceed here? Are you able to work on this?
vincepri
on 28 Sep 2020
Let me take a look tomorrow and try to get a picture of all the points where we are doing version validation before making an action plan
fabriziopandini
on 28 Sep 2020
@vincepri I have found following field in the API holding a Kubernetes version and the corresponding web hook validation:
Machine.Spec.Version: validated using wrong regex :-(MachineDeployments.Spec.Template.Spec.Version: not validated :-(KubeadmConfig.Spec.ClusterConfiguration.KubernetesVersion: not validated :-(KubeadmConfigTemplate.Spec.Template.Spec.ClusterConfiguration.KubernetesVersion: not validated :-(KubeadmControlPlane.Spec.Version: validated using wrong regex :-(MachinePools.Spec.Template.Spec.Version: not validated :-(
So my plan is to craft a PR that ensures
- all the defaulting web hook adding
vin front of version, if missing. - all the validating web hook are checking version using version.ParseSemantic
fabriziopandini
on 29 Sep 2020
/assign
/lifecycle active
fabriziopandini
on 29 Sep 2020
all the defaulting web hook add adding v in front of version, if missing.
This might be a breaking change and cause a rollout in some cases
vincepri
on 29 Sep 2020
/remove-lifecycle active
TBD an approach that does not trigger rollouts
fabriziopandini
on 6 Oct 2020
/unassing @fabriziopandini
fabriziopandini
on 9 Nov 2020
Related issues
timothysc
路
6Comments
dlipovetsky
路
5Comments
detiber
路
5Comments
fabriziopandini
路
3Comments
bgoareguer
路
5Comments