kustomize: annotationSelector should not use label value validation

Describe the bug

Parsing an “annotation selector” validates annotation values as label values. Annotation values should be less restrictive.

Script that can reproduce the issue

workdir="$(mktemp -d)"

key="cert-manager.io/inject-ca-from"
val="capi-webhook-system/capi-serving-cert"

cat <<EOF > ${workdir}/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    ${key}: ${val}
  name: mydeployment
spec:
  template:
    spec:
      containers:
      - image: myimage
        name: mycontainer
        args: []
EOF

cat <<EOF > ${workdir}/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yaml
patches:
- target:
    kind: Deployment
    annotationSelector: "${key}=${val}"
  patch: |-
    - op: remove
      path: /spec/template/spec/containers/0/args
EOF

kustomize build "${workdir}"

Expected output

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
  name: mydeployment
spec:
  template:
    spec:
      containers:
      - image: myimage
        name: mycontainer

Actual output

Error: unable to parse requirement: invalid label value: "capi-webhook-system/capi-serving-cert": at key: "cert-manager.io/inject-ca-from": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')

Kustomize version

{Version:kustomize/v4.1.2 GitCommit:a5914abad89e0b18129eaf1acc784f9fe7d21439 BuildDate:2021-04-15T23:23:03+01:00 GoOs:darwin GoArch:amd64}

Platform

macOS

NOTES

https://github.com/kubernetes-sigs/kustomize/blob/714af0cd66e2fe3e79cb741bfd3d4853c3140bbd/kyaml/yaml/rnode.go#L805

It seems kyaml assumes an “annotation selector” has the same functionality as a “label selector”, which is not a feature I’ve found implemented in other tools, but I could be missing something.

We could either

  • Keep this assumption and basically copy sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels to something that works for annotations

OR

  • Do a simple exact match of annotations without the advanced query features of label selectors. (might break some current users)

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 20 (12 by maintainers)
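
The following is an added example, not part of the original issue and not kustomize's own code. It applies the label-value regex quoted in the error message (plus the standard 63-character label value limit) to the annotation value from the reproduction script, then shows a minimal exact-match selector in the spirit of option two. The names `validLabelValue`, `exactAnnotationSelector` and `parseExactAnnotationSelector` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Label-value pattern quoted in the error message above, anchored at both ends.
var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

// validLabelValue applies the label rule: the regex plus the 63-character limit.
func validLabelValue(v string) bool {
	return len(v) <= 63 && labelValueRe.MatchString(v)
}

// exactAnnotationSelector (hypothetical) holds key=value pairs that must all match verbatim.
type exactAnnotationSelector map[string]string

// parseExactAnnotationSelector splits comma-separated terms on their first "=" only,
// so a value may contain "/", "=" or any other character except ",".
func parseExactAnnotationSelector(s string) (exactAnnotationSelector, error) {
	sel := exactAnnotationSelector{}
	for _, term := range strings.Split(s, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(term), "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("invalid term %q: want key=value", term)
		}
		sel[k] = v
	}
	return sel, nil
}

// Matches reports whether every selector pair equals the object's annotation exactly.
func (sel exactAnnotationSelector) Matches(annotations map[string]string) bool {
	for k, want := range sel {
		if got, ok := annotations[k]; !ok || got != want {
			return false
		}
	}
	return true
}

func main() {
	key, val := "cert-manager.io/inject-ca-from", "capi-webhook-system/capi-serving-cert"
	fmt.Println("valid as label value:", validLabelValue(val))
	sel, err := parseExactAnnotationSelector(key + "=" + val)
	fmt.Println("exact match:", sel.Matches(map[string]string{key: val}), "err:", err)
}
```

The exact-match form drops the set-based and inequality operators of label selectors, which is the compatibility cost the issue notes for option two.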

Most upvoted comments

I like option two

It was probably a mistake to allow selection based on annotation; they’re supposed to be for anything other than object identification. So we should keep it simple.

@bzub help wanted!