containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Kube Play limits annotations value length to 63 while it is actually 256K #21667

Closed ygalblum closed 7 months ago

ygalblum commented 7 months ago

Issue Description

The length of the value of an annotation can be up to 256K. However, podman kube play limits it to 63 characters. It seems that there was a misunderstanding of the specification when this limitation enforcement was added. The correct limitations on annotations are:

Key: May have two parts, a prefix and a name, separated by /. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. See https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set

Value: For some reason, the maximal length is not specified in the documentation. However, according to this, the limit is 256K.

Steps to reproduce the issue

  1. Create the following Pod YAML file: /tmp/fedora.yml. Notice the length of the value of the annotation foo is 120 characters.
     apiVersion: v1
     kind: Pod
     metadata:
       name: fedora
       annotations:
         "foo": "abcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefgh"
     spec:
       containers:
       - name: fedora
         image: registry.fedoraproject.org/fedora:38
         # Just spin & wait forever
         command: [ "/bin/bash", "-c", "--" ]
         args: [ "while true; do sleep 30; done;" ]
  2. Run `podman kube play /tmp/fedora.yml`

Describe the results you received

Error: annotation "foo"="abcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefgh" value length exceeds Kubernetes max 63

Describe the results you expected

The operation should have been successful.

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.2
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.8-2.fc38.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: '
  cpuUtilization:
    idlePercent: 94.87
    systemPercent: 1.21
    userPercent: 3.91
  cpus: 12
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: workstation
    version: "38"
  eventLogger: journald
  freeLocks: 2037
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.7.3-100.fc38.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2119733248
  memTotal: 33393029120
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.9.0-1.fc38.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.9.0
    package: netavark-1.9.0-1.fc38.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.9.0
  ociRuntime:
    name: crun
    package: crun-1.12-1.fc38.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231230.gf091893-1.fc38.x86_64
    version: |
      pasta 0^20231230.gf091893-1.fc38.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc38.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 4984201216
  swapTotal: 8589930496
  uptime: 88h 30m 43.00s (Approximately 3.67 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/ygal/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 2
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/ygal/.local/share/containers/storage
  graphRootAllocated: 510389125120
  graphRootUsed: 421892141056
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 124
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/ygal/.local/share/containers/storage/volumes
version:
  APIVersion: 4.8.3
  Built: 1704291091
  BuiltTime: Wed Jan  3 16:11:31 2024
  GitCommit: ""
  GoVersion: go1.20.12
  Os: linux
  OsArch: linux/amd64
  Version: 4.8.3

Podman in a container

Yes

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

Additional information

Running kubectl apply -f /tmp/fedora.yml works fine and does not truncate the value

podman kube play provides a mechanism to override the length enforcement by setting --no-trunc. However, since the limitation is false, I think it's still important to fix the limitations. This is even more important in podman generate kube since by default it will truncate the value (again, unless --no-trunc is set).
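The annotation rules the issue quotes, written out as a small Go validator. This is an added example, not Podman's code or its fix for this issue: the function names (ValidateAnnotationKey, ValidateAnnotations) and the constants are mine. One assumption is stated in the code: Kubernetes applies the 256K figure to the combined byte size of all annotation keys and values on one object (TotalAnnotationSizeLimitB in k8s.io/apimachinery), so that is what the size check below enforces; the 63-character limit applies only to the name segment of the key. The 120-character value from the reproducer is constructed inline and passes, while a 64-character key name is what the 63 limit actually rejects.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Limits from the Kubernetes annotation syntax quoted in the issue:
// name segment <= 63 chars, optional DNS-subdomain prefix <= 253 chars.
// Assumption (matches k8s.io/apimachinery TotalAnnotationSizeLimitB): the 256K
// limit is on the total size of all keys and values, not on a single value.
const (
	maxNameLen         = 63
	maxPrefixLen       = 253
	maxDNSLabelLen     = 63
	maxTotalAnnotBytes = 256 * 1024
)

var (
	// name segment: alphanumeric at both ends, dashes/underscores/dots/alphanumerics between
	nameRe = regexp.MustCompile(`^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$`)
	// one DNS label of the prefix (lowercase, RFC 1123 style)
	labelRe = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
)

// ValidateAnnotationKey checks the "[prefix/]name" form of an annotation key.
func ValidateAnnotationKey(key string) error {
	parts := strings.Split(key, "/")
	var prefix, name string
	switch len(parts) {
	case 1:
		name = parts[0]
	case 2:
		prefix, name = parts[0], parts[1]
		if prefix == "" {
			return fmt.Errorf("key %q: prefix part must be non-empty", key)
		}
		if err := validatePrefix(prefix); err != nil {
			return fmt.Errorf("key %q: %w", key, err)
		}
	default:
		return fmt.Errorf("key %q: at most one slash allowed", key)
	}
	if name == "" {
		return fmt.Errorf("key %q: name part must be non-empty", key)
	}
	if len(name) > maxNameLen {
		return fmt.Errorf("key %q: name part is %d chars, max %d", key, len(name), maxNameLen)
	}
	if !nameRe.MatchString(name) {
		return fmt.Errorf("key %q: name part has invalid characters", key)
	}
	return nil
}

// validatePrefix checks the DNS-subdomain prefix: total length and each label.
func validatePrefix(prefix string) error {
	if len(prefix) > maxPrefixLen {
		return fmt.Errorf("prefix is %d chars, max %d", len(prefix), maxPrefixLen)
	}
	for _, label := range strings.Split(prefix, ".") {
		if len(label) == 0 || len(label) > maxDNSLabelLen || !labelRe.MatchString(label) {
			return fmt.Errorf("prefix label %q is not a valid DNS label", label)
		}
	}
	return nil
}

// ValidateAnnotations validates every key, then the combined size of the map.
func ValidateAnnotations(annotations map[string]string) error {
	total := 0
	for k, v := range annotations {
		if err := ValidateAnnotationKey(k); err != nil {
			return err
		}
		total += len(k) + len(v)
	}
	if total > maxTotalAnnotBytes {
		return fmt.Errorf("annotations total %d bytes, max %d", total, maxTotalAnnotBytes)
	}
	return nil
}

func main() {
	// constructed input: the 120-character value from the issue's reproducer
	value := strings.Repeat("abcdefgh", 15)
	fmt.Printf("120-char value -> error: %v\n", ValidateAnnotations(map[string]string{"foo": value}))
	// a 64-character name segment is what the 63 limit actually rejects
	fmt.Println(ValidateAnnotations(map[string]string{strings.Repeat("a", 64): "x"}))
}
```

The per-key checks run before the size check so that a malformed key is reported as such rather than as a size problem; the total is counted in bytes (Go's len on a string), which is what the Kubernetes limit is measured in.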

Luap99 commented 7 months ago

Duplicate of #21663