digitalocean / digitalocean-cloud-controller-manager

Kubernetes cloud-controller-manager for DigitalOcean (beta)
Apache License 2.0
524 stars, 148 forks

Wrong validation regex for service.beta.kubernetes.io/do-loadbalancer-allow-rules #622

Closed FabrizioFubelli closed 3 weeks ago

FabrizioFubelli commented 1 year ago

My configuration:

apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    service.beta.kubernetes.io/do-loadbalancer-allow-rules: "cidr:103.21.244.0/22,cidr:103.22.200.0/22,cidr:103.31.4.0/22,cidr:104.16.0.0/13"
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - appProtocol: http
      name: http
      port: 80
      protocol: TCP
      targetPort: http
    - appProtocol: https
      name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer

Output of kubectl apply:

The Service "ingress-nginx-controller" is invalid: 
* metadata.labels: Invalid value: "cidr:103.21.244.0/22,cidr:103.22.200.0/22,cidr:103.31.4.0/22,cidr:104.16.0.0/13": must be no more than 63 characters
* metadata.labels: Invalid value: "cidr:103.21.244.0/22,cidr:103.22.200.0/22,cidr:103.31.4.0/22,cidr:104.16.0.0/13": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')

I would like to add all Cloudflare IP Ranges, but it's not possible with these limitations.

collimarco commented 7 months ago

Probably related: https://github.com/digitalocean/digitalocean-cloud-controller-manager/issues/692

Any updates on this?

timoreimann commented 7 months ago

We may need to support specifying the allow list through the canonical Service field which supposedly does not have length limitations.

584 was opened some time ago, which we should get back to.

timoreimann commented 3 weeks ago

CCM now supports the loadBalancerSourceRanges field for specifying allowed IP addresses, which should work better and is not subject to annotation-specific length limitation.

Closing ticket, please reopen a new one if problems are (still / newly) faced on the field.
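For readers landing here with the same goal, the following manifest shows the approach the maintainer points to: the allow-list expressed through the standard Service field `spec.loadBalancerSourceRanges` instead of the annotation. It is an added example written for this page, not a manifest from the project or from any participant in the thread. Two things worth noting from the original report: the annotation had been placed under `metadata.labels` rather than `metadata.annotations`, which is why the label regex and the 63-character label limit were applied to it, and `loadBalancerSourceRanges` takes bare CIDR strings, so the `cidr:` prefix used by the annotation is dropped. The four ranges below are the ones from the report; the remaining Cloudflare ranges are left as a placeholder.

```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  # Source allow-list as a list of CIDRs in the Service spec. Because this is
  # a spec field and not a label or annotation value, neither the label regex
  # nor the 63-character limit from the error message applies.
  # The four entries are the ranges from the original report; append the rest
  # of Cloudflare's published ranges here (placeholder, not a complete list).
  loadBalancerSourceRanges:
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 104.16.0.0/13
  ports:
    - appProtocol: http
      name: http
      port: 80
      protocol: TCP
      targetPort: http
    - appProtocol: https
      name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
```

Running `kubectl apply --dry-run=server -f service.yaml` surfaces any schema or validation error from the API server before a load balancer is provisioned, and `kubectl get svc ingress-nginx-controller -n ingress-nginx -o yaml` afterwards confirms the field was accepted as written. Whether the CCM applies the list to the DigitalOcean load balancer's firewall is the behaviour the maintainer's closing comment describes; verify it on the load balancer itself rather than assuming it from the Service object.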