terraform-provider-kubernetes: Name validation regex is invalid

Terraform Version

Terraform v0.11.10
+ provider.kubernetes v1.3.0

Affected Resource(s)

  • kubernetes_cluster_role_binding

Terraform Configuration Files

resource "kubernetes_cluster_role_binding" "example" {
  metadata {
    name = "foo:bar"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}

Expected Behavior

I expect the provider to be able to create the resource. The colon is allowed in all RBAC resources as far as I’m aware but I cannot find any relevant documentation.

Actual Behavior

$ terraform plan

Error: kubernetes_cluster_role_binding.example: metadata.0.name a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

Steps to Reproduce

  1. terraform plan
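The rejection reported above can be reproduced outside Terraform. The following is an added example, not code from the provider or from Kubernetes: it applies the regex quoted in the error message to names from this issue and compares it with a relaxed check. `IsPathSegmentName` and `Mismatches` are hypothetical helpers, and the relaxed rule (reject empty names, `.`, `..`, and names containing `/` or `%`) is an assumption modeled on the path-segment name check in k8s.io/apimachinery; the issue itself does not say which rule the API server applies.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Regex quoted in the provider's error message, anchored to the whole name.
var dns1123Subdomain = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// Maximum length of a DNS-1123 subdomain.
const dns1123SubdomainMaxLen = 253

// IsDNS1123Subdomain mirrors the check the provider applied to metadata.name.
func IsDNS1123Subdomain(name string) bool {
	return len(name) <= dns1123SubdomainMaxLen && dns1123Subdomain.MatchString(name)
}

// IsPathSegmentName is a hypothetical relaxed check (assumption, see lead-in):
// the name only has to be usable as a single URL path segment.
func IsPathSegmentName(name string) bool {
	if name == "" || name == "." || name == ".." {
		return false
	}
	return !strings.ContainsAny(name, "/%")
}

// Mismatches returns the names that the relaxed rule accepts but the
// DNS-1123 rule rejects, i.e. the names affected by this issue.
func Mismatches(names []string) []string {
	var out []string
	for _, n := range names {
		if IsPathSegmentName(n) && !IsDNS1123Subdomain(n) {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	// Constructed sample: names from the issue plus a few edge cases.
	names := []string{"foo:bar", "system:masters", "cluster-admin", "example.com", "a/b", ".."}
	for _, n := range names {
		fmt.Printf("%-16q dns1123=%-5t pathSegment=%t\n",
			n, IsDNS1123Subdomain(n), IsPathSegmentName(n))
	}
	fmt.Println("rejected only by DNS-1123:", Mismatches(names))
}
```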

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 6
  • Comments: 17 (7 by maintainers)

Most upvoted comments

@alkar That’s a very interesting find. Thanks for pointing it out.

In developing the provider, we use the API types exposed by the kubernetes/client-go libraries as our reference, which do explicitly document that ClusterRoleBinding uses the same metav1.ObjectMeta type for its metadata and points to the naming convention doc I originally linked.

As you’ve pointed out, this doesn’t hold true on the API side. I will get in touch with K8S API SIG and get to the bottom of this.

In the meantime, I’ll reopen this issue for tracking the conversation.

Hi! Do you have any idea when there will be a release with this fix?

Yes, that’s right. The type itself doesn’t validate anything and the Name struct attribute is just a string. I was only referring to the documentation comment attached to it, which as you noticed is generally describing the format as lower case alphanumeric characters, dashes and dots with potentially additional restrictions, but NOT relaxations. Hence the confusion. Let me see what the API folks have to say about this validation double standard.

Hi, to add more information to this issue, I think that the restriction is enforced only for objects that are used to generate a DNS entry in Kubernetes, of course namespaces and services. There are also service accounts that have this limitation.

I will get in touch with K8S API SIG and get to the bottom of this.

@alexsomesan Would love to hear how you went talking with the API SIG on this!

Any news on this issue? I have role bindings in the form of foo:bar which I would like to import into the Terraform state. Any chance to see support for this? Thanks