From a0c2ed37f297b1e98ba58046ba5fb6ca42fa78ec Mon Sep 17 00:00:00 2001
From: Fabio Graetz
Date: Fri, 8 Mar 2024 10:45:41 +0000
Subject: [PATCH 1/2] Fix: Sanitize user identity before injecting into task pod as K8s label
Signed-off-by: Fabio Graetz
---
 .../nodes/task/k8s/task_exec_context.go | 4 +++-
 .../nodes/task/k8s/task_exec_context_test.go | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
index 17bbce5398..99ab515e96 100644
--- a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
+++ b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
@@ -5,6 +5,7 @@ import (
 pluginsCore "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/core"
 "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/utils"
 "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/utils/secrets"
+ k8sUtils "github.com/flyteorg/flyte/flytepropeller/pkg/utils"
 )
 const executionIdentityVariable = "execution-identity"
@@ -60,7 +61,8 @@ func newTaskExecutionMetadata(tCtx pluginsCore.TaskExecutionMetadata, taskTmpl *
 id := tCtx.GetSecurityContext().RunAs.ExecutionIdentity
 if len(id) > 0 {
- injectLabels[executionIdentityVariable] = id
+ sanitizedId := k8sUtils.SanitizeLabelValue(id)
+ injectLabels[executionIdentityVariable] = sanitizedId
 }
 return TaskExecutionMetadata{
diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go
index bf9ca1eadb..e3c6f10ab6 100644
--- a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go
+++ b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go
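Review bot: The value stored at `injectLabels[executionIdentityVariable] = sanitizedId` in newTaskExecutionMetadata (task_exec_context.go) is a lossy form of the execution identity, so distinct identities can end up with the same label. The test in this patch maps `name@company.com` to `name-company-com`, which is presumably also what an identity already spelled `name-company-com` yields. Anything that selects, attributes or audits task pods by this label can then no longer tell such users apart. I would say so at the assignment, e.g. `// Sanitized, lossy copy of the identity: for display/selection only, not for authorization or attribution.`, and consider carrying the unmodified identity in an annotation, whose values are not bound by label syntax. SanitizeLabelValue's body is not in this patch, so its behaviour for an identity longer than 63 characters or one with no valid characters should be confirmed; the function also starts and ends outside the hunk.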
@@ -86,6 +86,25 @@ func Test_newTaskExecutionMetadata(t *testing.T) {
 assert.Equal(t, 2, len(actual.GetLabels()))
 assert.Equal(t, "test-exec-identity", actual.GetLabels()[executionIdentityVariable])
 })
+ t.Run("Inject exec identity K8s label sanitation", func(t *testing.T) {
+
+ existingMetadata := &mocks.TaskExecutionMetadata{}
+ existingAnnotations := map[string]string{}
+ existingMetadata.OnGetAnnotations().Return(existingAnnotations)
+
+ existingMetadata.OnGetSecurityContext().Return(core.SecurityContext{RunAs: &core.Identity{ExecutionIdentity: "name@company.com"}})
+
+ existingLabels := map[string]string{
+ "existingLabel": "existingLabelValue",
+ }
+ existingMetadata.OnGetLabels().Return(existingLabels)
+
+ actual, err := newTaskExecutionMetadata(existingMetadata, &core.TaskTemplate{})
+ assert.NoError(t, err)
+
+ assert.Equal(t, 2, len(actual.GetLabels()))
+ assert.Equal(t, "name-company-com", actual.GetLabels()[executionIdentityVariable])
+ })
 }
 func Test_newTaskExecutionContext(t *testing.T) {
From 343c46c9f76283bafece533fa5191dfe86edaf52 Mon Sep 17 00:00:00 2001
From: Fabio Graetz
Date: Fri, 8 Mar 2024 10:58:17 +0000
Subject: [PATCH 2/2] Lint
Signed-off-by: Fabio Graetz
---
 .../pkg/controller/nodes/task/k8s/task_exec_context.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
index 99ab515e96..bb987acbc2 100644
--- a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
+++ b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
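Review bot: The new subtest "Inject exec identity K8s label sanitation" in task_exec_context_test.go pins a single input, `name@company.com`, so it would still pass if sanitization produced an over-long value or one that begins or ends with a separator, both of which Kubernetes rejects as label values. I would add cases for an identity longer than 63 characters and for one with a leading or trailing non-alphanumeric character. The assertion should check validity rather than only the exact string, e.g. `assert.Empty(t, validation.IsValidLabelValue(actual.GetLabels()[executionIdentityVariable]))` from `k8s.io/apimachinery/pkg/util/validation` (that import is not in the hunk and would need adding). A case in which two different identities sanitize to the same value would also put the collision behaviour on record.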
@@ -61,8 +61,8 @@ func newTaskExecutionMetadata(tCtx pluginsCore.TaskExecutionMetadata, taskTmpl *
 id := tCtx.GetSecurityContext().RunAs.ExecutionIdentity
 if len(id) > 0 {
- sanitizedId := k8sUtils.SanitizeLabelValue(id)
- injectLabels[executionIdentityVariable] = sanitizedId
+ sanitizedID := k8sUtils.SanitizeLabelValue(id)
+ injectLabels[executionIdentityVariable] = sanitizedID
 }
 return TaskExecutionMetadata{