Merge pull request #3397 from chaunceyjiang/path

fix: validate predicate path for imageOverride.

api/openapi-spec/swagger.json

@@ -15473,7 +15473,7 @@
           "default": ""
         },
         "predicate": {
-          "description": "Predicate filters images before applying the rule.\n\nDefaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:\n  - Pod: spec/containers/\u003cN\u003e/image\n  - ReplicaSet: spec/template/spec/containers/\u003cN\u003e/image\n  - Deployment: spec/template/spec/containers/\u003cN\u003e/image\n  - DaemonSet: spec/template/spec/containers/\u003cN\u003e/image\n  - StatefulSet: spec/template/spec/containers/\u003cN\u003e/image\n  - Job: spec/template/spec/containers/\u003cN\u003e/image\nIn addition, all images will be processed if the resource object has more than one container.\n\nIf not nil, only images matches the filters will be processed.",
+          "description": "Predicate filters images before applying the rule.\n\nDefaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:\n  - Pod: /spec/containers/\u003cN\u003e/image\n  - ReplicaSet: /spec/template/spec/containers/\u003cN\u003e/image\n  - Deployment: /spec/template/spec/containers/\u003cN\u003e/image\n  - DaemonSet: /spec/template/spec/containers/\u003cN\u003e/image\n  - StatefulSet: /spec/template/spec/containers/\u003cN\u003e/image\n  - Job: /spec/template/spec/containers/\u003cN\u003e/image\nIn addition, all images will be processed if the resource object has more than one container.\n\nIf not nil, only images matches the filters will be processed.",
           "$ref": "#/definitions/com.github.karmada-io.karmada.pkg.apis.policy.v1alpha1.ImagePredicate"
         },
         "value": {

charts/karmada/_crds/bases/policy.karmada.io_clusteroverridepolicies.yaml

@@ -176,14 +176,15 @@ spec:
                                   system will automatically detect image fields if
                                   the resource type is Pod, ReplicaSet, Deployment,
                                   StatefulSet, DaemonSet or Job by following rule:
-                                  - Pod: spec/containers/<N>/image - ReplicaSet: spec/template/spec/containers/<N>/image
+                                  - Pod: /spec/containers/<N>/image - ReplicaSet:
-                                  - Deployment: spec/template/spec/containers/<N>/image
+                                  /spec/template/spec/containers/<N>/image - Deployment:
-                                  - DaemonSet: spec/template/spec/containers/<N>/image
+                                  /spec/template/spec/containers/<N>/image - DaemonSet:
-                                  - StatefulSet: spec/template/spec/containers/<N>/image
+                                  /spec/template/spec/containers/<N>/image - StatefulSet:
-                                  - Job: spec/template/spec/containers/<N>/image In
+                                  /spec/template/spec/containers/<N>/image - Job:
-                                  addition, all images will be processed if the resource
+                                  /spec/template/spec/containers/<N>/image In addition,
-                                  object has more than one container. \n If not nil,
+                                  all images will be processed if the resource object
-                                  only images matches the filters will be processed."
+                                  has more than one container. \n If not nil, only
+                                  images matches the filters will be processed."
                                 properties:
                                   path:
                                     description: Path indicates the path of target
@@ -500,12 +501,12 @@ spec:
                             rule. \n Defaults to nil, in that case, the system will
                             automatically detect image fields if the resource type
                             is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet
-                            or Job by following rule: - Pod: spec/containers/<N>/image
+                            or Job by following rule: - Pod: /spec/containers/<N>/image
-                            - ReplicaSet: spec/template/spec/containers/<N>/image
+                            - ReplicaSet: /spec/template/spec/containers/<N>/image
-                            - Deployment: spec/template/spec/containers/<N>/image
+                            - Deployment: /spec/template/spec/containers/<N>/image
-                            - DaemonSet: spec/template/spec/containers/<N>/image -
+                            - DaemonSet: /spec/template/spec/containers/<N>/image
-                            StatefulSet: spec/template/spec/containers/<N>/image -
+                            - StatefulSet: /spec/template/spec/containers/<N>/image
-                            Job: spec/template/spec/containers/<N>/image In addition,
+                            - Job: /spec/template/spec/containers/<N>/image In addition,
                             all images will be processed if the resource object has
                             more than one container. \n If not nil, only images matches
                             the filters will be processed."

charts/karmada/_crds/bases/policy.karmada.io_overridepolicies.yaml

@@ -176,14 +176,15 @@ spec:
                                   system will automatically detect image fields if
                                   the resource type is Pod, ReplicaSet, Deployment,
                                   StatefulSet, DaemonSet or Job by following rule:
-                                  - Pod: spec/containers/<N>/image - ReplicaSet: spec/template/spec/containers/<N>/image
+                                  - Pod: /spec/containers/<N>/image - ReplicaSet:
-                                  - Deployment: spec/template/spec/containers/<N>/image
+                                  /spec/template/spec/containers/<N>/image - Deployment:
-                                  - DaemonSet: spec/template/spec/containers/<N>/image
+                                  /spec/template/spec/containers/<N>/image - DaemonSet:
-                                  - StatefulSet: spec/template/spec/containers/<N>/image
+                                  /spec/template/spec/containers/<N>/image - StatefulSet:
-                                  - Job: spec/template/spec/containers/<N>/image In
+                                  /spec/template/spec/containers/<N>/image - Job:
-                                  addition, all images will be processed if the resource
+                                  /spec/template/spec/containers/<N>/image In addition,
-                                  object has more than one container. \n If not nil,
+                                  all images will be processed if the resource object
-                                  only images matches the filters will be processed."
+                                  has more than one container. \n If not nil, only
+                                  images matches the filters will be processed."
                                 properties:
                                   path:
                                     description: Path indicates the path of target
@@ -500,12 +501,12 @@ spec:
                             rule. \n Defaults to nil, in that case, the system will
                             automatically detect image fields if the resource type
                             is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet
-                            or Job by following rule: - Pod: spec/containers/<N>/image
+                            or Job by following rule: - Pod: /spec/containers/<N>/image
-                            - ReplicaSet: spec/template/spec/containers/<N>/image
+                            - ReplicaSet: /spec/template/spec/containers/<N>/image
-                            - Deployment: spec/template/spec/containers/<N>/image
+                            - Deployment: /spec/template/spec/containers/<N>/image
-                            - DaemonSet: spec/template/spec/containers/<N>/image -
+                            - DaemonSet: /spec/template/spec/containers/<N>/image
-                            StatefulSet: spec/template/spec/containers/<N>/image -
+                            - StatefulSet: /spec/template/spec/containers/<N>/image
-                            Job: spec/template/spec/containers/<N>/image In addition,
+                            - Job: /spec/template/spec/containers/<N>/image In addition,
                             all images will be processed if the resource object has
                             more than one container. \n If not nil, only images matches
                             the filters will be processed."

pkg/apis/policy/v1alpha1/override_types.go

@@ -133,12 +133,12 @@ type ImageOverrider struct {
 	//
 	// Defaults to nil, in that case, the system will automatically detect image fields if the resource type is
 	// Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:
-	//   - Pod: spec/containers/<N>/image
+	//   - Pod: /spec/containers/<N>/image
-	//   - ReplicaSet: spec/template/spec/containers/<N>/image
+	//   - ReplicaSet: /spec/template/spec/containers/<N>/image
-	//   - Deployment: spec/template/spec/containers/<N>/image
+	//   - Deployment: /spec/template/spec/containers/<N>/image
-	//   - DaemonSet: spec/template/spec/containers/<N>/image
+	//   - DaemonSet: /spec/template/spec/containers/<N>/image
-	//   - StatefulSet: spec/template/spec/containers/<N>/image
+	//   - StatefulSet: /spec/template/spec/containers/<N>/image
-	//   - Job: spec/template/spec/containers/<N>/image
+	//   - Job: /spec/template/spec/containers/<N>/image
 	// In addition, all images will be processed if the resource object has more than one container.
 	//
 	// If not nil, only images matches the filters will be processed.

pkg/generated/openapi/zz_generated.openapi.go

@@ -2829,7 +2829,7 @@ func schema_pkg_apis_policy_v1alpha1_ImageOverrider(ref common.ReferenceCallback
 				Properties: map[string]spec.Schema{
 					"predicate": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Predicate filters images before applying the rule.\n\nDefaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:\n  - Pod: spec/containers/<N>/image\n  - ReplicaSet: spec/template/spec/containers/<N>/image\n  - Deployment: spec/template/spec/containers/<N>/image\n  - DaemonSet: spec/template/spec/containers/<N>/image\n  - StatefulSet: spec/template/spec/containers/<N>/image\n  - Job: spec/template/spec/containers/<N>/image\nIn addition, all images will be processed if the resource object has more than one container.\n\nIf not nil, only images matches the filters will be processed.",
+							Description: "Predicate filters images before applying the rule.\n\nDefaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:\n  - Pod: /spec/containers/<N>/image\n  - ReplicaSet: /spec/template/spec/containers/<N>/image\n  - Deployment: /spec/template/spec/containers/<N>/image\n  - DaemonSet: /spec/template/spec/containers/<N>/image\n  - StatefulSet: /spec/template/spec/containers/<N>/image\n  - Job: /spec/template/spec/containers/<N>/image\nIn addition, all images will be processed if the resource object has more than one container.\n\nIf not nil, only images matches the filters will be processed.",
 							Ref:         ref("github.com/karmada-io/karmada/pkg/apis/policy/v1alpha1.ImagePredicate"),
 						},
 					},

pkg/util/validation/validation.go

@@ -2,6 +2,7 @@ package validation
 
 import (
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	apivalidation "k8s.io/apimachinery/pkg/api/validation"
@@ -208,6 +209,14 @@ func ValidateOverrideRules(overrideRules []policyv1alpha1.RuleWithCluster, fldPa
 			allErrs = append(allErrs, metav1validation.ValidateLabels(label.Value, labelPath.Child("value"))...)
 		}
 
+		// validates predicate path.
+		for imageIndex, image := range rule.Overriders.ImageOverrider {
+			imagePath := rulePath.Child("overriders").Child("imageOverrider").Index(imageIndex)
+			if image.Predicate != nil && !strings.HasPrefix(image.Predicate.Path, "/") {
+				allErrs = append(allErrs, field.Invalid(imagePath.Child("predicate").Child("path"), image.Predicate.Path, "path should be start with / character"))
+			}
+		}
+
 		// validates the targetCluster.
 		allErrs = append(allErrs, ValidateClusterAffinity(rule.TargetCluster, rulePath.Child("targetCluster"))...)
 	}