From f52164d51338cbbcb2b29c9ecfba1dc461ec5f80 Mon Sep 17 00:00:00 2001
From: "Fabio M. Graetz, Ph.D"
Date: Fri, 8 Mar 2024 19:22:37 +0100
Subject: [PATCH] Fix: Sanitize user identity before injecting into task pod as K8s label (#5023)
* Fix: Sanitize user identity before injecting into task pod as K8s label
Signed-off-by: Fabio Graetz
* Lint
Signed-off-by: Fabio Graetz
---------
Signed-off-by: Fabio Graetz
---
 .../nodes/task/k8s/task_exec_context.go | 4 +++-
 .../nodes/task/k8s/task_exec_context_test.go | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
index 17bbce5398..bb987acbc2 100644
--- a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
+++ b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
@@ -5,6 +5,7 @@ import (
 pluginsCore "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/core"
 "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/utils"
 "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/utils/secrets"
+ k8sUtils "github.com/flyteorg/flyte/flytepropeller/pkg/utils"
 )
 
 const executionIdentityVariable = "execution-identity"
@@ -60,7 +61,8 @@ func newTaskExecutionMetadata(tCtx pluginsCore.TaskExecutionMetadata, taskTmpl *
 
 id := tCtx.GetSecurityContext().RunAs.ExecutionIdentity
 if len(id) > 0 {
- injectLabels[executionIdentityVariable] = id
+ sanitizedID := k8sUtils.SanitizeLabelValue(id)
+ injectLabels[executionIdentityVariable] = sanitizedID
 }
 
 return TaskExecutionMetadata{
diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go
index bf9ca1eadb..e3c6f10ab6 100644
--- a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go
+++ b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go
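Review bot: The label written in the second hunk of task_exec_context.go (`injectLabels[executionIdentityVariable] = sanitizedID`) is now a lossy form of the execution identity, and nothing in the code says so. The accompanying test shows `name@company.com` becoming `name-company-com`, so identities that differ only in `@`, `.` or `-` would presumably end up with the same label value. That matters if the label is ever used in selectors, admission policy, audit or cost attribution as if it were the identity itself. I would document this at the assignment, e.g. `// Sanitized for K8s label syntax; lossy and not unique per identity — do not use for authorization decisions.`, and consider keeping the exact identity in an annotation. The body of `newTaskExecutionMetadata` starts and ends outside the hunk, so whether the raw value is preserved elsewhere is not visible here.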
@@ -86,6 +86,25 @@ func Test_newTaskExecutionMetadata(t *testing.T) {
 assert.Equal(t, 2, len(actual.GetLabels()))
 assert.Equal(t, "test-exec-identity", actual.GetLabels()[executionIdentityVariable])
 })
+ t.Run("Inject exec identity K8s label sanitation", func(t *testing.T) {
+
+ existingMetadata := &mocks.TaskExecutionMetadata{}
+ existingAnnotations := map[string]string{}
+ existingMetadata.OnGetAnnotations().Return(existingAnnotations)
+
+ existingMetadata.OnGetSecurityContext().Return(core.SecurityContext{RunAs: &core.Identity{ExecutionIdentity: "name@company.com"}})
+
+ existingLabels := map[string]string{
+ "existingLabel": "existingLabelValue",
+ }
+ existingMetadata.OnGetLabels().Return(existingLabels)
+
+ actual, err := newTaskExecutionMetadata(existingMetadata, &core.TaskTemplate{})
+ assert.NoError(t, err)
+
+ assert.Equal(t, 2, len(actual.GetLabels()))
+ assert.Equal(t, "name-company-com", actual.GetLabels()[executionIdentityVariable])
+ })
 }
 
 func Test_newTaskExecutionContext(t *testing.T) {
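Review bot: The new subtest pins a single input, so it does not show that the injected value is always a valid label value. Kubernetes label values are limited to 63 characters and must begin and end with an alphanumeric character; an identity longer than that, or one whose first or last character gets replaced, is not covered. Adding those cases and asserting validity rather than an exact string, e.g. `assert.Empty(t, validation.IsValidLabelValue(actual.GetLabels()[executionIdentityVariable]))` with `k8s.io/apimachinery/pkg/util/validation` imported, would catch a regression in the sanitizer. `Test_newTaskExecutionMetadata` starts outside the hunk.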