DRA API: implement CEL cost limit

The main purpose is to protect against denial-of-service attacks.  Scheduling
time depends a lot on unpredictable factors and expected scheduling time also
varies, so no attempt is made to limit the overall time spent on evaluating CEL
expressions per claim.
Patrick Ohly
2024-09-30 18:09:33 +02:00
parent ff9ef07370
commit f548fc2264
11 changed files with 178 additions and 5 deletions


@@ -170,10 +170,19 @@ func validateCELSelector(celSelector resource.CELDeviceSelector, fldPath *field.
if stored {
envType = environment.StoredExpressions
}
if len(celSelector.Expression) > resource.CELSelectorExpressionMaxLength {
allErrs = append(allErrs, field.TooLongMaxLength(fldPath.Child("expression"), "<value omitted>", resource.CELSelectorExpressionMaxLength))
// Don't bother compiling too long expressions.
return allErrs
}
result := dracel.GetCompiler().CompileCELExpression(celSelector.Expression, envType)
if result.Error != nil {
allErrs = append(allErrs, convertCELErrorToValidationError(fldPath.Child("expression"), celSelector.Expression, result.Error))
} else if result.MaxCost > resource.CELSelectorExpressionMaxCost {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("expression"), "too complex, exceeds cost limit"))
}
return allErrs
}
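Review bot: The `else if result.MaxCost > resource.CELSelectorExpressionMaxCost` branch applies the cost limit whether or not `stored` is set, while only the CEL environment type is relaxed for stored expressions. If an object was persisted with a costlier expression before this limit existed, it would presumably fail validation on every later update; if that cannot happen, a comment such as `// The cost limit also applies to stored expressions; confirm no persisted object can exceed it.` would record the assumption. `result.MaxCost` looks like a compile-time estimate, so this check bounds what is admitted; whether evaluation itself enforces a runtime cost budget is not visible in this hunk and is worth confirming for the denial-of-service goal. The `field.Forbidden` message could also name the limit so users know the budget they exceeded. validateCELSelector begins above the hunk, so the handling of `stored` earlier in the function is not visible here.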