Validate cluster cloud labels

2021-01-17 08:56:08 +01:00 · 2021-01-17 08:56:08 +01:00 · ad36f99dfd
parent a051af8dc0
commit ad36f99dfd
2 changed files with 43 additions and 2 deletions
--- a/pkg/apis/kops/validation/cluster.go
+++ b/pkg/apis/kops/validation/cluster.go
@ -17,6 +17,9 @@ limitations under the License.
 package validation

 import (
+	"fmt"
+	"strings"
+
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/upup/pkg/fi"
@ -51,6 +54,8 @@ func ValidateClusterUpdate(obj *kops.Cluster, status *kops.ClusterStatus, old *k
 		}
 	}

+	allErrs = append(allErrs, validateClusterCloudLabels(obj, field.NewPath("spec", "cloudLabels"))...)
+
 	return allErrs
 }

@ -119,3 +124,39 @@ func validateEtcdMemberUpdate(fp *field.Path, obj kops.EtcdMemberSpec, status *k

 	return allErrs
 }
+
+func validateClusterCloudLabels(cluster *kops.Cluster, fldPath *field.Path) (allErrs field.ErrorList) {
+	labels := cluster.Spec.CloudLabels
+	if labels == nil {
+		return allErrs
+	}
+
+	reservedKeys := []string{
+		"Name",
+		"KubernetesCluster",
+	}
+
+	for _, reservedKey := range reservedKeys {
+		_, hasKey := labels[reservedKey]
+		if hasKey {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child(reservedKey), fmt.Sprintf("%q is a reserved label and cannot be set in the cluster spec", reservedKey)))
+		}
+	}
+
+	reservedPrefixes := []string{
+		"kops.k8s.io/",
+		"k8s.io/",
+		"kubernetes.io/",
+	}
+
+	for _, reservedPrefix := range reservedPrefixes {
+		for label := range labels {
+			if strings.HasPrefix(label, reservedPrefix) {
+				allErrs = append(allErrs, field.Forbidden(fldPath.Child(label), fmt.Sprintf("%q is a reserved label prefix and cannot be set in the cluster spec", reservedPrefix)))
+
+			}
+		}
+	}
+
+	return allErrs
+}
--- a/pkg/apis/kops/validation/instancegroup.go
+++ b/pkg/apis/kops/validation/instancegroup.go
@ -127,7 +127,7 @@ func ValidateInstanceGroup(g *kops.InstanceGroup, cloud fi.Cloud) field.ErrorLis
 	}

 	if g.Spec.CloudLabels != nil {
-		allErrs = append(allErrs, validateCloudLabels(g, field.NewPath("spec", "cloudLabels"))...)
+		allErrs = append(allErrs, validateIGCloudLabels(g, field.NewPath("spec", "cloudLabels"))...)
 	}

 	if cloud != nil && cloud.ProviderID() == kops.CloudProviderAWS {
@ -275,7 +275,7 @@ func validateNodeLabels(labels map[string]string, fldPath *field.Path) (allErrs
 	return allErrs
 }

-func validateCloudLabels(ig *kops.InstanceGroup, fldPath *field.Path) (allErrs field.ErrorList) {
+func validateIGCloudLabels(ig *kops.InstanceGroup, fldPath *field.Path) (allErrs field.ErrorList) {
 	labels := ig.Spec.CloudLabels
 	if labels == nil {
 		return allErrs