blackducksoftware / perceivers

Kubernetes and OpenShift image discovery for OpsSight
Apache License 2.0

Pod perceiver: unable to update annotations/labels for pod: fails regex validation #34

Closed mattfenwick closed 6 years ago

mattfenwick commented 6 years ago

time="2018-03-13T15:45:07Z" level=error msg="unable to update annotations/labels for pod default:hi-4qrkz: Pod \"hi-4qrkz\" is invalid: metadata.labels: Invalid value: \"docker-registry.default.svc:5000.default.alp-3.6\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"

rrati commented 6 years ago

This looks like it is attempting to label an image in the openshift repository. Have a reproducer?

jlin963 commented 6 years ago

image-perceiver-logs.txt

This is:

mattfenwick commented 6 years ago

time="2018-03-22T17:14:43Z" level=error msg="unable to update annotations/labels for image centos/php-70-centos7@sha256:cdaba352981df86e204ba47129aa64433c888757dde5eea36057996f25e67f26: Image \"sha256:cdaba352981df86e204ba47129aa64433c888757dde5eea36057996f25e67f26\" is invalid: [metadata.labels: Invalid value: \"https://hub-piv01.blackducksoftware.com/api/projects/2b93ac51-3425-486b-8270-a4aa7765a2c8/versions/5ce993fe-e7da-4285-a743-b8ad96ff5ac0/components\": must be no more than 63 characters, metadata.labels: Invalid value: \"https://hub-piv01.blackducksoftware.com/api/projects/2b93ac51-3425-486b-8270-a4aa7765a2c8/versions/5ce993fe-e7da-4285-a743-b8ad96ff5ac0/components\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')]"

jlin963 commented 6 years ago

pod-perceiver-logs.txt

mattfenwick commented 6 years ago

time="2018-03-22T17:15:16Z" level=error msg="unable to update annotations/labels for pod bds-perceptor:protoform: Pod \"protoform\" is invalid: [metadata.annotations: Invalid value: \"image0.\": name part must consist of alphanumeric characters, '-', '' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9.])?[A-Za-z0-9]'), spec: Forbidden: pod updates may not change fields other than `spec.containers[].image,spec.initContainers[].image,spec.activeDeadlineSecondsorspec.tolerations` (only additions to existing tolerations)\n{\"Volumes\":[{\"Name\":\"viper-input\",\"HostPath\":null,\"EmptyDir\":null,\"GCEPersistentDisk\":null,\"AWSElasticBlockStore\":null,\"GitRepo\":null,\"Secret\":null,\"NFS\":null,\"ISCSI\":null,\"Glusterfs\":null,\"PersistentVolumeClaim\":null,\"RBD\":null,\"Quobyte\":null,\"FlexVolume\":null,\"Cinder\":null,\"CephFS\":null,\"Flocker\":null,\"DownwardAPI\":null,\"FC\":null,\"AzureFile\":null,\"ConfigMap\":{\"Name\":\"viper-input\",\"Items\":null,\"DefaultMode\":420,\"Optional\":null},\"VsphereVolume\":null,\"AzureDisk\":null,\"PhotonPersistentDisk\":null,\"Projected\":null,\"PortworxVolume\":null,\"ScaleIO\":null,\"StorageOS\":null},{\"Name\":\"protoform-token-bhg5c\",\"HostPath\":null,\"EmptyDir\":null,\"GCEPersistentDisk\":null,\"AWSElasticBlockStore\":null,\"GitRepo\":null,\"Secret\":{\"SecretName\":\"protoform-token-bhg5c\",\"Items\":null,\"DefaultMode\":420,\"Optional\":null},\"NFS\":null,\"ISCSI\":null,\"Glusterfs\":null,\"PersistentVolumeClaim\":null,\"RBD\":null,\"Quobyte\":null,\"FlexVolume\":null,\"Cinder\":null,\"CephFS\":null,\"Flocker\":null,\"DownwardAPI\":null,\"FC\":null,\"AzureFile\":null,\"ConfigMap\":null,\"VsphereVolume\":null,\"AzureDisk\":null,\"PhotonPersistentDisk\":null,\"Projected\":null,\"PortworxVolume\":null,\"ScaleIO\":null,\"StorageOS\":null}],\"InitContainers\":null,\"Containers\":[{\"Name\":\"protoform\",\"Imag
e\":\"gcr.io/gke-verification/blackducksoftware/perceptor-protoform:master\",\"Command\":[\"./protoform\"],\"Args\":null,\"WorkingDir\":\"\",\"Ports\":[{\"Name\":\"\",\"HostPort\":0,\"ContainerPort\":3001,\"Protocol\":\"TCP\",\"HostIP\":\"\"}],\"EnvFrom\":null,\"Env\":null,\"Resources\":{\"Limits\":null,\"Requests\":null},\"VolumeMounts\":[{\"Name\":\"viper-input\",\"ReadOnly\":false,\"MountPath\":\"/etc/protoform/\",\"SubPath\":\"\"},{\"Name\":\"protoform-token-bhg5c\",\"ReadOnly\":true,\"MountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\",\"SubPath\":\"\"}],\"LivenessProbe\":null,\"ReadinessProbe\":null,\"Lifecycle\":null,\"TerminationMessagePath\":\"/dev/termination-log\",\"TerminationMessagePolicy\":\"File\",\"ImagePullPolicy\":\"Always\",\"SecurityContext\":{\"Capabilities\":{\"Add\":null,\"Drop\":[\"\n\nA: KILL\",\"MKNOD\",\"SETGID\",\"SETUID\"]},\"Privileged\":false,\"SELinuxOptions\":{\"User\":\"\",\"Role\":\"\",\"Type\":\"\",\"Level\":\"s0:c8,c7\"},\"RunAsUser\":1000070000,\"RunAsNonRoot\":null,\"ReadOnlyRootFilesystem\":null},\"Stdin\":false,\"StdinOnce\":false,\"TTY\":false}],\"RestartPolicy\":\"Never\",\"TerminationGracePeriodSeconds\":30,\"ActiveDeadlineSeconds\":null,\"DNSPolicy\":\"ClusterFirst\",\"NodeSelector\":null,\"ServiceAccountName\":\"protoform\",\"AutomountServiceAccountToken\":null,\"NodeName\":\"localhost\",\"SecurityContext\":{\"HostNetwork\":false,\"HostPID\":false,\"HostIPC\":false,\"SELinuxOptions\":{\"User\":\"\",\"Role\":\"\",\"Type\":\"\",\"Level\":\"s0:c8,c7\"},\"RunAsUser\":null,\"RunAsNonRoot\":null,\"SupplementalGroups\":[],\"FSGroup\":1000070000},\"ImagePullSecrets\":[{\"Name\":\"protoform-dockercfg-95xhn\"}],\"Hostname\":\"\",\"Subdomain\":\"\",\"Affinity\":null,\"SchedulerName\":\"default-scheduler\",\"Tolerations\":null,\"HostAliases\":null}\n\nB: 
MKNOD\"]},\"Privileged\":false,\"SELinuxOptions\":{\"User\":\"\",\"Role\":\"\",\"Type\":\"\",\"Level\":\"s0:c8,c7\"},\"RunAsUser\":null,\"RunAsNonRoot\":null,\"ReadOnlyRootFilesystem\":null},\"Stdin\":false,\"StdinOnce\":false,\"TTY\":false}],\"RestartPolicy\":\"Never\",\"TerminationGracePeriodSeconds\":30,\"ActiveDeadlineSeconds\":null,\"DNSPolicy\":\"ClusterFirst\",\"NodeSelector\":null,\"ServiceAccountName\":\"protoform\",\"AutomountServiceAccountToken\":null,\"NodeName\":\"localhost\",\"SecurityContext\":{\"HostNetwork\":false,\"HostPID\":false,\"HostIPC\":false,\"SELinuxOptions\":{\"User\":\"\",\"Role\":\"\",\"Type\":\"\",\"Level\":\"s0:c8,c7\"},\"RunAsUser\":null,\"RunAsNonRoot\":null,\"SupplementalGroups\":null,\"FSGroup\":null},\"ImagePullSecrets\":[{\"Name\":\"protoform-dockercfg-95xhn\"}],\"Hostname\":\"\",\"Subdomain\":\"\",\"Affinity\":null,\"SchedulerName\":\"default-scheduler\",\"Tolerations\":null,\"HostAliases\":null}\n\n]" time="2018-03-22T17:15:16Z" level=info msg="annotations are missing or incorrect on pod bds-perceptor/perceptor-scanner-n8vvc. 
Expected map[kubernetes.io/created-by:{\"kind\":\"SerializedReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"ReplicationController\",\"namespace\":\"bds-perceptor\",\"name\":\"perceptor-scanner\",\"uid\":\"22216a2f-2dde-11e8-bfa6-eee9e4eb6160\",\"apiVersion\":\"v1\",\"resourceVersion\":\"1421\"}}\n openshift.io/scc:privileged] to contain map[pod.server-version:4.5.0-SNAPSHOT image0.policy-violations:0 image1.overall-status:NOT_IN_VIOLATION image0.vulnerabilities:20 image0.project-endpoint:https://hub-piv01.blackducksoftware.com/api/projects/af7d9c0f-4c9d-4ece-ac23-ab25bcb8af8f/versions/76c322fc-bdce-4684-9fe8-7b0bad0682ba/components image1.policy-violations:0 image1.project-endpoint:https://hub-piv01.blackducksoftware.com/api/projects/5f3d095d-8ee1-45bf-8438-39e696396d52/versions/7face4bd-9e20-4479-a802-2d1fbab39421/components image1.vulnerabilities:20 pod.vulnerabilities:40 image1.:gcr.io.gke-verification.blackducksoftware.perceptor-scanner image0.:gcr.io.gke-verification.blackducksoftware.perceptor-imagefacade image1.server-version:4.5.0-SNAPSHOT image0.overall-status:NOT_IN_VIOLATION image0.server-version:4.5.0-SNAPSHOT image1.scanner-version:4.5.0-SNAPSHOT pod.policy-violations:0 pod.overall-status:NOT_INVIOLATION pod.scanner-version:4.5.0-SNAPSHOT image0.scanner-version:4.5.0-SNAPSHOT]" time="2018-03-22T17:15:16Z" level=error msg="unable to update annotations/labels for pod bds-perceptor:perceptor-scanner-n8vvc: Pod \"perceptor-scanner-n8vvc\" is invalid: [metadata.annotations: Invalid value: \"image0.\": name part must consist of alphanumeric characters, '-', '' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.])?[A-Za-z0-9]'), metadata.annotations: Invalid value: \"image1.\": name part must consist of alphanumeric characters, '-', '' or '.', and must start and end with an alphanumeric character (e.g. 
'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')]"

jlin963 commented 6 years ago

Seeing something similar in an OpenShift cluster on AWS + downstream code:

time="2018-04-04T03:00:41Z" level=error msg="unable to update annotations/labels for pod bds-perceptor:pod-perceiver-pdb6m: Pod \"pod-perceiver-pdb6m\" is invalid: metadata.labels: Invalid value: \"docker.io.blackducksoftware.opssight-openshift-pod-perceiver-3.7\": must be no more than 63 characters"

image-perceiver-07s6d.log pod-perceiver-pdb6m.log

rrati commented 6 years ago

Fixed by #52
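
The two rules the API server applies in the errors above (the 63-character cap and the label-value pattern), checked client-side before a label is written. This is an added Go example, not code from the perceivers repository or from the fix in #52; `LabelValueProblems`, `SanitizeLabelValue` and the replace-truncate-trim strategy are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Length limit and pattern quoted by the API server in the errors above.
const maxLabelValueLen = 63

var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)
var disallowed = regexp.MustCompile(`[^-A-Za-z0-9_.]`)

// LabelValueProblems returns every rule a candidate label value breaks.
func LabelValueProblems(v string) []string {
	var problems []string
	if len(v) > maxLabelValueLen {
		problems = append(problems, "must be no more than 63 characters")
	}
	if !labelValueRe.MatchString(v) {
		problems = append(problems, "does not match the label value pattern")
	}
	return problems
}

func isAlnum(r rune) bool {
	return r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9'
}

// SanitizeLabelValue (hypothetical helper) rewrites v into a valid label value.
// It is lossy: distinct inputs can map to the same output.
func SanitizeLabelValue(v string) string {
	v = disallowed.ReplaceAllString(v, ".") // ':' and '/' become '.'
	if len(v) > maxLabelValueLen {
		v = v[:maxLabelValueLen] // safe byte slice: v is pure ASCII here
	}
	// Truncation can leave '.', '-' or '_' at an edge; the pattern forbids that.
	return strings.TrimFunc(v, func(r rune) bool { return !isAlnum(r) })
}

func main() {
	// Values copied from the error messages in this issue.
	for _, v := range []string{
		"docker-registry.default.svc:5000.default.alp-3.6",
		"docker.io.blackducksoftware.opssight-openshift-pod-perceiver-3.7",
	} {
		fmt.Printf("%q -> %v -> %q\n", v, LabelValueProblems(v), SanitizeLabelValue(v))
	}
}
```

Annotation values are not checked against this pattern, so a value such as the project endpoint URL fits in an annotation unchanged, whereas any label-safe form of it loses information.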