From df35b3fe86ee8cee6036a4dc0490b90b5e92d90e Mon Sep 17 00:00:00 2001 From: Christoph Barbian Date: Wed, 11 Mar 2026 23:06:11 +0100 Subject: [PATCH] check that label/annotation values are strings in case of unstructured dependents --- internal/kustomize/kustomization.go | 2 +- pkg/reconciler/util.go | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/internal/kustomize/kustomization.go b/internal/kustomize/kustomization.go index ec85c0e..a27d3ab 100644 --- a/internal/kustomize/kustomization.go +++ b/internal/kustomize/kustomization.go @@ -196,7 +196,7 @@ func parseKustomization(fsys fs.FS, kustomizationPath string, options Kustomizat for _, path := range options.IncludedFiles { if filepath.IsAbs(path) { - return nil, fmt.Errorf("include path (%s) must be absolute", path) + return nil, fmt.Errorf("include path (%s) must not be absolute", path) } absolutePath := filepath.Clean(filepath.Join(kustomizationPath, path)) if isSubdirectory(absolutePath, kustomizationPath) { diff --git a/pkg/reconciler/util.go b/pkg/reconciler/util.go index ed188e3..4df1b32 100644 --- a/pkg/reconciler/util.go +++ b/pkg/reconciler/util.go @@ -234,6 +234,15 @@ func normalizeObjects(objects []client.Object, scheme *runtime.Scheme) ([]client if gvk.Version == "" || gvk.Kind == "" { return nil, fmt.Errorf("unstructured object %s is missing type information", types.ObjectKeyToString(object)) } + // explicitly check that metadata.labels and metadata.annotations are map[string]string; + // the same method unstructured.NestedNullCoercingStringMap() is used in GetLabels() and GetAnnotations(), but errors + // are discarded there; this is why we check it here + if _, _, err := unstructured.NestedNullCoercingStringMap(unstructuredObject.Object, "metadata", "labels"); err != nil { + return nil, legacyerrors.Wrapf(err, "unstructured object %s has invalid labels (probably because of non-string label values)", types.ObjectKeyToString(object)) + } + if _, _, err := unstructured.NestedNullCoercingStringMap(unstructuredObject.Object, "metadata", "annotations"); err != nil { + return nil, legacyerrors.Wrapf(err, "unstructured object %s has invalid annotations (probably because of non-string annotation values)", types.ObjectKeyToString(object)) + } if scheme.Recognizes(gvk) { typedObject, err := scheme.New(gvk) if err != nil {