From 54c917672d40c1b0d8f093a046bc9fe2a5c07907 Mon Sep 17 00:00:00 2001
From: Thomas Guettler <thomas.guettler@syself.com>
Date: Tue, 4 Feb 2025 08:03:27 +0100
Subject: [PATCH] validate group names in webhooks.

---
 pkg/webhook/parser.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pkg/webhook/parser.go b/pkg/webhook/parser.go
index 780294abe..4d87ad0fd 100644
--- a/pkg/webhook/parser.go
+++ b/pkg/webhook/parser.go
@@ -24,6 +24,7 @@ package webhook
 
 import (
 	"fmt"
+	"regexp"
 	"sort"
 	"strings"
 
@@ -448,6 +449,8 @@ func (g Generator) Generate(ctx *genall.GenerationContext) error {
 	var mutatingWebhookCfgs admissionregv1.MutatingWebhookConfiguration
 	var validatingWebhookCfgs admissionregv1.ValidatingWebhookConfiguration
 
+	groupRegex := regexp.MustCompile(`^[a-z][-a-z0-9.]*[a-z0-9]$`)
+
 	for _, root := range ctx.Roots {
 		markerSet, err := markers.PackageMarkers(ctx.Collector, root)
 		if err != nil {
@@ -493,6 +496,14 @@ func (g Generator) Generate(ctx *genall.GenerationContext) error {
 			if err != nil {
 				return err
 			}
+			for _, group := range cfg.Groups {
+				if group == "" { // aka "core"
+					continue
+				}
+				if !groupRegex.MatchString(group) {
+					return fmt.Errorf("invalid group name: %s", group)
+				}
+			}
 			if cfg.Mutating {
 				w, err := cfg.ToMutatingWebhook()
 				if err != nil {