HarshMehta112 opened a new pull request, #6687:
URL: https://github.com/apache/camel-k/pull/6687
## Summary
Adds an operator-level allow list to restrict which label keys CR authors can use in `affinity.nodeAffinityLabels`, preventing unauthorized node targeting in shared clusters.
**How it works:**
Set `AFFINITY_NODE_LABELS_ALLOWED_KEYS` on the operator deployment to a comma-separated list of permitted label keys:

```
AFFINITY_NODE_LABELS_ALLOWED_KEYS=kubernetes.io/hostname,topology.kubernetes.io/zone
```

- When unset or empty → all keys accepted (backward compatible, no behavior change)
- When set → each `nodeAffinityLabels` expression is parsed; any expression whose label key is not in the list is dropped and logged at info level; the rest proceed as normal

Malformed expressions are kept as-is so existing error handling in `addNodeAffinity` fires as before.
## Changes
- `pkg/platform/env_platform.go` — new `AffinityNodeLabelsAllowList()` reads and parses `AFFINITY_NODE_LABELS_ALLOWED_KEYS` (same comma-split/trim pattern as `BuilderNodeSelectorAllowList`)
- `pkg/trait/affinity.go` — `filterNodeAffinityLabels()` iterates expressions and delegates per-expression key checking to `nodeAffinityLabelAllowed()` (uses `labels.Parse` to extract keys); called at the top of `addNodeAffinity()`
- `pkg/platform/env_platform_test.go` — 4 tests: not-set, empty, single key, multiple keys with whitespace trimming
- `pkg/trait/affinity_test.go` — 5 tests: no allow list (pass-through), partial filter, all allowed, all dropped, end-to-end through `Apply()`
- `docs/modules/ROOT/pages/installation/builds.adoc` — `AFFINITY_NODE_LABELS_ALLOWED_KEYS` added to build env var table
- `docs/modules/traits/pages/affinity.adoc` — NOTE block added with xref to builds config docs
## Test plan
- [x] `make test` passes locally
- [x] `TestAffinityNodeLabelsAllowList_*` (platform) — env var parsing
- [x] `TestFilterNodeAffinityLabels_*` (trait) — allow list filtering including all-dropped case
- [x] `TestApplyNodeAffinityLabelsWithAllowList` — end-to-end through `Apply()`
- [x] Manual: deploy operator with `AFFINITY_NODE_LABELS_ALLOWED_KEYS` set; apply Integration with a disallowed key in `affinity.nodeAffinityLabels`; verify expression absent from pod spec and info log emitted
Fixes #6677
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
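The allow-list behaviour the PR describes (unset means pass-through; set means drop any expression whose key is not listed; malformed expressions are kept so downstream validation still reports them), as an added stand-alone Go example. This is not the camel-k code from the PR: the function names `parseAllowList`, `expressionKey` and `filterNodeAffinityLabels` are illustrative, and `expressionKey` is a deliberately small stand-in for `labels.Parse` that only recognises the common selector shapes (`key=value`, `key!=value`, `key in (...)`, bare `key`, `!key`) so the example runs without apimachinery.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Same env var name as the PR; the parsing below is this example's own.
const allowListEnv = "AFFINITY_NODE_LABELS_ALLOWED_KEYS"

// parseAllowList splits a comma-separated value into trimmed keys.
// Unset or blank returns nil, which the filter treats as "no restriction".
func parseAllowList(raw string) []string {
	if strings.TrimSpace(raw) == "" {
		return nil
	}
	var keys []string
	for _, k := range strings.Split(raw, ",") {
		if k = strings.TrimSpace(k); k != "" {
			keys = append(keys, k)
		}
	}
	return keys
}

// expressionKey returns the label key of one selector expression.
// ok=false marks a malformed expression (empty key); the caller keeps those
// untouched so the existing error path downstream can reject them.
// Simplified stand-in for labels.Parse, not the real parser.
func expressionKey(expr string) (key string, ok bool) {
	s := strings.TrimSpace(expr)
	s = strings.TrimPrefix(s, "!") // "!key" means "key does not exist"
	end := len(s)
	for i, c := range s {
		// The key ends at the first operator or whitespace.
		if c == '=' || c == '!' || c == ' ' || c == '\t' {
			end = i
			break
		}
	}
	key = s[:end]
	return key, key != ""
}

// filterNodeAffinityLabels keeps expressions whose key is allowed and returns
// the dropped ones separately so the caller can log them at info level.
func filterNodeAffinityLabels(exprs, allowed []string) (kept, dropped []string) {
	if len(allowed) == 0 {
		return exprs, nil // no allow list configured: backward compatible pass-through
	}
	set := make(map[string]struct{}, len(allowed))
	for _, k := range allowed {
		set[k] = struct{}{}
	}
	for _, e := range exprs {
		key, ok := expressionKey(e)
		if !ok {
			kept = append(kept, e) // malformed: keep as-is, downstream error handling fires
			continue
		}
		if _, allowedKey := set[key]; allowedKey {
			kept = append(kept, e)
		} else {
			dropped = append(dropped, e)
		}
	}
	return kept, dropped
}

func main() {
	// Constructed input: what a cluster operator might set on the deployment.
	os.Setenv(allowListEnv, "kubernetes.io/hostname, topology.kubernetes.io/zone")
	allowed := parseAllowList(os.Getenv(allowListEnv))

	// Constructed input: what a CR author might put in affinity.nodeAffinityLabels.
	exprs := []string{
		"kubernetes.io/hostname=node-a",
		"node-role.kubernetes.io/control-plane", // not allowed: dropped
		"topology.kubernetes.io/zone in (eu-west-1a, eu-west-1b)",
		"=broken", // malformed: kept so the existing error handling reports it
	}
	kept, dropped := filterNodeAffinityLabels(exprs, allowed)
	for _, d := range dropped {
		fmt.Printf("info: dropping nodeAffinityLabels expression %q (key not in %s)\n", d, allowListEnv)
	}
	fmt.Println("kept:", kept)
}
```

Running it drops only the control-plane expression and keeps the malformed `=broken` entry for the downstream parser to reject, which is the behaviour the PR text describes for the all-allowed, partially-filtered and malformed cases.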