
Wrong validation regex for service.beta.kubernetes.io/do-loadbalancer-allow-rules

Open FabrizioFubelli opened this issue 1 year ago • 2 comments

My configuration:

apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    service.beta.kubernetes.io/do-loadbalancer-allow-rules: "cidr:103.21.244.0/22,cidr:103.22.200.0/22,cidr:103.31.4.0/22,cidr:104.16.0.0/13"
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - appProtocol: http
      name: http
      port: 80
      protocol: TCP
      targetPort: http
    - appProtocol: https
      name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer

Output of kubectl apply:

The Service "ingress-nginx-controller" is invalid: 
* metadata.labels: Invalid value: "cidr:103.21.244.0/22,cidr:103.22.200.0/22,cidr:103.31.4.0/22,cidr:104.16.0.0/13": must be no more than 63 characters
* metadata.labels: Invalid value: "cidr:103.21.244.0/22,cidr:103.22.200.0/22,cidr:103.31.4.0/22,cidr:104.16.0.0/13": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')

I would like to add all Cloudflare IP Ranges, but it's not possible with these limitations.

FabrizioFubelli, Apr 28 '23 19:04

Probably related: https://github.com/digitalocean/digitalocean-cloud-controller-manager/issues/692

Any updates on this?

collimarco, Feb 10 '24 19:02

We may need to support specifying the allow list through the canonical Service field which supposedly does not have length limitations.

#584 was opened some time ago, which we should get back to.

timoreimann, Feb 12 '24 11:02

CCM now supports the loadBalancerSourceRanges field for specifying allowed IP addresses, which should work better and is not subject to annotation-specific length limitations.

Closing ticket, please reopen a new one if problems are (still / newly) faced on the field.

timoreimann, Aug 20 '24 17:08
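
An added example, not part of the thread or the project's code: it checks the issue's value against the label-value rule quoted in the kubectl error, then converts the allow rules into a list for the `spec.loadBalancerSourceRanges` field named in the closing comment. The helper names and the dict-shaped manifest are assumptions, and only the `cidr:` prefix seen in the issue is handled.

```python
import copy
import ipaddress
import re

ALLOW_RULES_KEY = "service.beta.kubernetes.io/do-loadbalancer-allow-rules"
# Label-value regex and length limit as quoted in the kubectl error in the issue.
LABEL_VALUE_RE = re.compile(r"(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?")
LABEL_VALUE_MAX = 63
# Value taken from the manifest in the issue.
ISSUE_VALUE = ("cidr:103.21.244.0/22,cidr:103.22.200.0/22,"
               "cidr:103.31.4.0/22,cidr:104.16.0.0/13")


def label_value_errors(value):
    """Reasons a string is rejected as a label value (mirrors the quoted rule)."""
    errors = []
    if len(value) > LABEL_VALUE_MAX:
        errors.append("too long")
    if not LABEL_VALUE_RE.fullmatch(value):
        errors.append("bad characters")
    return errors


def allow_rules_to_source_ranges(rules):
    """Turn 'cidr:a/b,cidr:c/d' into a list for spec.loadBalancerSourceRanges."""
    ranges = []
    for rule in rules.split(","):
        kind, sep, target = rule.strip().partition(":")
        if sep != ":" or kind != "cidr":
            raise ValueError(f"unsupported allow rule: {rule!r}")
        # Strict parsing (the default) raises on host bits set, e.g.
        # 103.21.244.1/22, so a mistyped network is reported, not normalized.
        ranges.append(str(ipaddress.ip_network(target)))
    return ranges


def migrate_service(service):
    """Hypothetical helper: move allow rules out of labels/annotations into spec."""
    svc = copy.deepcopy(service)
    meta = svc.setdefault("metadata", {})
    for section in ("labels", "annotations"):
        rules = meta.get(section, {}).pop(ALLOW_RULES_KEY, None)
        if rules is not None:
            svc.setdefault("spec", {})["loadBalancerSourceRanges"] = (
                allow_rules_to_source_ranges(rules))
    return svc
```
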