Unbounded CEL estimate on a string field bounded using allOf #134029

@cbandy

What happened?

I added an x-kubernetes-validation rule to a bounded text field and was surprised to find it was rejected for its estimated cost.

I use controller-gen to produce the CRD, and the following schema seemed to confuse the estimator:

allOf:
- maxLength: 10
- maxLength: 20

What did you expect to happen?

I expected a maxLength property to limit the cost of CEL evaluation of string fields.

How can we reproduce it (as minimally and precisely as possible)?

Kubernetes rejects the following CRD due to the cost of its one rule:

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: lengths.example.com
spec:
  group: example.com
  names:
    kind: Length
    listKind: LengthList
    plural: lengths
    singular: length
  scope: Namespaced
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            apiVersion:
              type: string
            kind:
              type: string
            metadata:
              type: object
            spec:
              type: object
              properties:
                text:
                  type: string
                  allOf:
                    - maxLength: 10
                    - maxLength: 20
                  x-kubernetes-validations:
                    - rule: true && self.contains(self)

The CustomResourceDefinition "lengths.example.com" is invalid:
* spec.validation.openAPIV3Schema.properties[spec].properties[text].x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)
* spec.validation.openAPIV3Schema.properties[spec].properties[text].x-kubernetes-validations[0].rule: Forbidden: contributed to estimated rule cost total exceeding cost limit for entire OpenAPIv3 schema
* spec.validation.openAPIV3Schema: Forbidden: x-kubernetes-validations estimated rule cost total for entire OpenAPIv3 schema exceeds budget by factor of more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)

Anything else we need to know?

Adding maxLength: 500 outside the allOf property reduces the cost, making the CRD valid:

                  type: string
                  allOf:
                    - maxLength: 10
                    - maxLength: 20
+                 maxLength: 500
                  x-kubernetes-validations:
                    - rule: true && self.contains(self)
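
Review bot: the added top-level maxLength: 500 is far looser than the allOf bounds of 10 and 20 on the same field. allOf is a conjunction, so validation still rejects anything longer than 10 characters, while the cost reduction described above comes from the 500. Setting the top-level value to the tightest allOf bound (maxLength: 10) would leave the schema's meaning unchanged and give the estimator the limit that is actually enforced.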

customresourcedefinition.apiextensions.k8s.io/lengths.example.com created

The controller-gen folks recommended reporting this as a bug:

Kubernetes version

$ kubectl version
Client Version: v1.33.1
Kustomize Version: v5.6.0
Server Version: v1.33.1

Cloud provider

n/a

OS version

n/a

Install tools

minikube

Container runtime (CRI) and version (if applicable)

n/a

Related plugins (CNI, CSI, ...) and versions (if applicable)

n/a
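
A lint for the pattern reported in this issue, as an added example (not code from the issue, controller-gen or Kubernetes): it walks a CRD's openAPIV3Schema and reports fields within reach of an x-kubernetes-validations rule whose tightest maxLength, maxItems or maxProperties sits only inside allOf. It assumes, from the behaviour reported above, that the cost estimator reads only the top-level bound; the function names and the Python-dict form of the schema are illustrative.

```python
# Size keyword per type, as named in the API server's rejection message.
BOUND = {"string": "maxLength", "array": "maxItems", "object": "maxProperties"}

def allof_only_bounds(schema, path="openAPIV3Schema", in_rule_scope=False, fix=False):
    """Flag nodes a CEL rule can read whose tightest size bound exists only under allOf.

    Returns (path, keyword, top_level_value_or_None, tightest_allOf_value) tuples.
    With fix=True the tightest allOf value is also copied to the top level, in place.
    """
    findings = []
    # A rule on this node or on any ancestor can reach this node's value.
    in_rule_scope = in_rule_scope or bool(schema.get("x-kubernetes-validations"))
    keyword = BOUND.get(schema.get("type"))
    if keyword and in_rule_scope:
        nested = [s[keyword] for s in schema.get("allOf", []) if keyword in s]
        top = schema.get(keyword)
        # allOf is a conjunction, so the enforced limit is the smallest value.
        if nested and (top is None or top > min(nested)):
            findings.append((path, keyword, top, min(nested)))
            if fix:
                schema[keyword] = min(nested)  # same meaning, visible at top level
    for name, child in schema.get("properties", {}).items():
        findings += allof_only_bounds(child, f"{path}.properties[{name}]", in_rule_scope, fix)
    for key in ("items", "additionalProperties"):
        if isinstance(schema.get(key), dict):
            findings += allof_only_bounds(schema[key], f"{path}.{key}", in_rule_scope, fix)
    return findings

def sample_schema():
    """Constructed input: the openAPIV3Schema from the issue's CRD, trimmed to spec.text."""
    return {
        "type": "object",
        "properties": {"spec": {
            "type": "object",
            "properties": {"text": {
                "type": "string",
                "allOf": [{"maxLength": 10}, {"maxLength": 20}],
                "x-kubernetes-validations": [{"rule": "true && self.contains(self)"}],
            }},
        }},
    }

if __name__ == "__main__":
    for path, keyword, top, tightest in allof_only_bounds(sample_schema()):
        print(f"{path}: {keyword} top-level={top}, allOf enforces {tightest}")
```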

Metadata

Assignees: No one assigned

Labels: kind/bug, sig/api-machinery, triage/accepted