fix(validation): enforce stricter label validation #16852

Open: lobkovilya wants to merge 25 commits into master from label-validation-2

lobkovilya commented Jun 2, 2026

Motivation

Label validation on create/update was inconsistent across the K8s
webhook, REST API server, and KDS sync. Users could silently override
CP-computed labels, and kuma.io/origin mismatches were tolerated —
masking resources applied to the wrong control plane.

Implementation information

Introduces a single declarative registry of reserved labels in
pkg/core/resources/labels/ and reroutes every entry point through
it:

  • LabelSpec declares each label's Owner
    (ControlPlane/User/System) and its expected value.
  • Validate returns {Errors, Warnings}: errors reject (format,
    user-owned AllowedValues, strict kuma.io/origin mismatch);
    warnings cover CP-owned labels the user set wrong — accepted, then
    overridden by Compute.
  • Compute is authoritative: it force-sets/deletes CP-owned labels
    from the registry. The webhook defaulter skips it on Privileged
    contexts (KDS sync, GC, storage-version migration).

Supporting documentation

Fix #16049
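
A sketch of the Validate/Compute split described above, added here as an example and not taken from the PR or from Kuma's code. The LabelSpec field layout, the Strict flag, the expected values, and treating kuma.io/zone as a CP-owned label are assumptions.

```go
package main

import "fmt"

type Owner int
const (
	ControlPlane Owner = iota // value computed by the control plane
	User                      // value chosen by the user
	System                    // set only by privileged callers
)
type LabelSpec struct { // field layout is assumed for this sketch
	Owner    Owner
	Expected string // value the control plane computes
	Strict   bool   // mismatch is an error instead of a warning
}
var registry = map[string]LabelSpec{ // constructed sample values
	"kuma.io/origin":     {ControlPlane, "zone", true},
	"kuma.io/zone":       {ControlPlane, "zone-1", false},
	"kuma.io/managed-by": {Owner: System},
}

// Validate rejects strict mismatches; other CP-owned mismatches only warn.
func Validate(labels map[string]string) (errs, warns []string) {
	for k, v := range labels {
		s, ok := registry[k]
		if bad := ok && s.Owner == ControlPlane && v != s.Expected; bad && s.Strict {
			errs = append(errs, k)
		} else if bad {
			warns = append(warns, k)
		}
	}
	return errs, warns
}

// Compute is authoritative on user paths; privileged callers skip it.
func Compute(in map[string]string, privileged bool) map[string]string {
	out := map[string]string{}
	for k, v := range in {
		if _, reserved := registry[k]; privileged || !reserved {
			out[k] = v // caller-supplied reserved labels are dropped
		}
	}
	for k, s := range registry {
		if !privileged && s.Owner == ControlPlane {
			out[k] = s.Expected // force-set CP-owned labels
		}
	}
	return out
}
func main() { fmt.Println(Compute(map[string]string{"kuma.io/zone": "x"}, false)) }
```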

lobkovilya added 17 commits June 2, 2026 12:48
Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>

github-actions Bot commented Jun 3, 2026

Reviewer Checklist

🔍 Each of these sections needs to be checked by the reviewer of the PR 🔍:
If something doesn't apply, please check the box and add a justification if the reason is non-obvious.

  • Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
  • PR description is clear and complete. It links to the relevant issue as well as docs and UI issues
  • This will not break child repos: it doesn't hardcode values (e.g. "kumahq" as an image registry)
  • IPv6 is taken into account (e.g. no string concatenation of host port)
  • Tests (Unit test, E2E tests, manual test on universal and k8s)
    • Don't forget ci/ labels to run additional/fewer tests
  • Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
  • Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label)

@lobkovilya lobkovilya changed the base branch from master to release-2.14 June 8, 2026 10:55
@lobkovilya lobkovilya marked this pull request as ready for review June 8, 2026 11:01
@lobkovilya lobkovilya requested a review from a team as a code owner June 8, 2026 11:01
@lobkovilya lobkovilya requested review from lukidzi and slonka June 8, 2026 11:01
@lobkovilya lobkovilya requested a review from Copilot June 8, 2026 12:41

Copilot AI left a comment

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

slonka commented Jun 8, 2026

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

@lobkovilya you could try running it on a subset without golden files, but that would require you to reset some stuff and then re-commit

@slonka slonka left a comment

just found this, Ilya will adjust

// Privileged callers (K8s controllers, etc.) legitimately set
// OwnerSystem labels like kuma.io/managed-by. Drop them only on
// user paths, where any value is impersonation.
if !o.Privileged {
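
Review bot: at `if !o.Privileged {`, the decision to drop OwnerSystem labels depends only on the caller's context, and the comment above it covers only values a user supplies. It does not say what happens to an OwnerSystem label such as kuma.io/managed-by that a privileged caller set earlier and that is still on the object when a non-privileged update arrives. Suggest stating that case in the comment and adding a test that updates an object already carrying the label through a non-privileged path.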

updating an existing generated Workload or MeshService will silently drop labels like kuma.io/managed-by and kuma.io/deletion-grace-period-started-at

@lobkovilya lobkovilya changed the base branch from release-2.14 to master June 11, 2026 10:07