Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

A username with @ --> Invalid k8s label

See original GitHub issue

A user attempting to create a cluster (JupyterHub authentication) with @ in their username, will experience an error. This is because at some point an invalid Kubernetes resource is being created due to this, the invalid part is a label that has a value with the username, and a Kubernetes label values isn’t allowed to contain @.

How I reproduce the issue

from dask_gateway import Gateway
# jupyterhub auth is configured in /etc/dask/gateway.yaml
# my username is erik@example.com
gateway = Gateway(address="http://api-dask-gateway.dask-gateway:8000")
cluster = gateway.new_cluster()

Logs from deploy/api

[I 2020-04-09 11:03:16.794 DaskGateway] Creating cluster dask-gateway.c8451c67dc094eb1ad9918b8260c527a for user erik@example.com
[E 2020-04-09 11:03:16.813 aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 418, in start
    resp = await task
  File "/opt/conda/lib/python3.7/site-packages/aiohttp/web_app.py", line 458, in _handle
    resp = await handler(request)
  File "/opt/conda/lib/python3.7/site-packages/dask_gateway_server/routes.py", line 13, in inner
    return await handler(request)
  File "/opt/conda/lib/python3.7/site-packages/dask_gateway_server/routes.py", line 47, in inner
    return await auth.authenticate_and_handle(request, handler)
  File "/opt/conda/lib/python3.7/site-packages/dask_gateway_server/auth.py", line 102, in authenticate_and_handle
    response = await handler(request)
  File "/opt/conda/lib/python3.7/site-packages/dask_gateway_server/routes.py", line 124, in create_cluster
    cluster_name = await backend.start_cluster(user, cluster_options)
  File "/opt/conda/lib/python3.7/site-packages/dask_gateway_server/backends/kubernetes/backend.py", line 343, in start_cluster
    "gateway.dask.org", self.crd_version, config.namespace, "daskclusters", obj
  File "/opt/conda/lib/python3.7/site-packages/kubernetes_asyncio/client/api_client.py", line 166, in __call_api
    _request_timeout=_request_timeout)
  File "/opt/conda/lib/python3.7/site-packages/kubernetes_asyncio/client/rest.py", line 230, in POST
    body=body))
  File "/opt/conda/lib/python3.7/site-packages/kubernetes_asyncio/client/rest.py", line 181, in request
    raise ApiException(http_resp=r)
kubernetes_asyncio.client.rest.ApiException: (422)
Reason: Unprocessable Entity
HTTP response headers: <CIMultiDictProxy('Audit-Id': 'd2c5666f-def5-4989-b221-0f40fce9137c', 'Content-Type': 'application/json', 'Date': 'Thu, 09 Apr 2020 11:03:16 GMT', 'Content-Length': '1018')>
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"DaskCluster.gateway.dask.org \"c8451c67dc094eb1ad9918b8260c527a\" is invalid: metadata.labels: Invalid value: \"erik@example.com\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')","reason":"Invalid","details":{"name":"c8451c67dc094eb1ad9918b8260c527a","group":"gateway.dask.org","kind":"DaskCluster","causes":[{"reason":"FieldValueInvalid","message":"Invalid value: \"erik@example.com\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')","field":"metadata.labels"}]},"code":422}

Issue Analytics

State:
Created 3 years ago
Comments:11 (6 by maintainers)

Top GitHub Comments

1reaction

jcristcommented, Apr 16, 2020

I originally used a label because you can use label selectors to filter objects by users (you can’t select by annotation).

Annotations don’t have the same restrictions as limits, perhaps we add an annotation with the username?

On second thought, I think I like not setting this annotation by default, and relying on the user to manage this themselves in the configuration (using e.g. extra_worker_pod_annotations). Internally we track the username as part of the CRD object, no need to duplicate it as an annotation if we don’t need to.

1reaction

gforsythcommented, Apr 16, 2020

For users of kubecost, my understanding (which is very limited on this front) is that it tracks labels and annotations and sticks them into prometheus for tracking usage, etc.
kubecost doesn’t appear to be hugely extensible (this is where my limited knowledge is coming in to play) so for organizations that need to track usage on a per-user basis having the username as a label is helpful.

That said, if it breaks for certain username patterns, then leaving it as a label doesn’t make sense.

I added it back in using extra_worker_pod_labels via a cluster option which works fine on our end – would example configurations for how to set these things up be helpful in the docs?

Top Results From Across the Web

Well-Known Labels, Annotations and Taints - Kubernetes

Kubernetes reserves all labels and annotations in the kubernetes.io and k8s.io ... Example: kubernetes.io/service-account.name: "sa-name".

Kubernetes ImagePullBackOff: Troubleshooting With Examples

What Does an ImagePullBackOff Error Mean? · Image doesn't exist. · Image tag or name is incorrect. · Image is private, and there...

Ask Question - Stack Overflow

In my case, changing apiVersion to v1beta1 in the kube configuration file helped: apiVersion: client.authentication.k8s.io/v1beta1.

Kubernetes Troubleshooting Walkthrough - imagepullbackoff

Troubleshooting: Invalid container image tag. Another variation to this is if the container tag does not exist: $ kubectl describe pod invalid- ...

Running Spark on Kubernetes - Spark 3.3.1 Documentation

bin/docker-image-tool.sh -r <repo> -t my-tag -p ./kubernetes/dockerfiles/spark/bindings/python/Dockerfile build # To build additional SparkR docker image $ ...