frameworks icon indicating copy to clipboard operation
frameworks copied to clipboard

Published 20 hours ago verified publisher icon open-policy-agent

ConstraintTemplate have no maximum name length

Open maxsmythe opened this issue 4 years ago • 2 comments

Constraint templates do not currently have a maximum name length.

It is necessary to cap the maximum possible constraint template name length to leave room for ConstraintTemplateStatus resources. Constraints have a maximum name length of 63 chars, we can be a bit more generous with Templates, if necessary.

Here is the PR that caps constraint name length, for reference:

https://github.com/open-policy-agent/frameworks/commit/b745ff7e8a941ade965188826050a98b62f151a2#diff-f0ceecee7c4c5529a7457604249a3c7e04bf92c547d1b42bf9af2e710cc4ea07

maxsmythe avatar May 18 '21 00:05 maxsmythe

Would we do this in the ConstraintTemplate CRD, or programmatically in client.AddTemplate? As-is we'd have to modify the generated YAML ConstraintTemplate CRD output for it to be in the CRD. Programmatically this would be simple to do.

How much do ConstraintTemplateStatus resources need to add to the name? If at most 63 characters, then ConstraintTemplateNames can be up to 253-63=190 characters long.

willbeason avatar Apr 05 '22 15:04 willbeason

Probably both? Putting it in the CRD would be most reliable for the K8s API server (not reliant on validation webhook being up), but we'd want it in our code for things like gator test

maxsmythe avatar Apr 05 '22 21:04 maxsmythe