Add logic to deal with 0.0.0.0/0 which ipset not support. (#599)

* Add logic to deal with 0.0.0.0/0 which ipset not support.

* Add unit test for checking 0.0.0.0/0 ipset entry logic.

Author: csfmomo

npm/nwpolicy.go

@@ -211,8 +211,19 @@ func createCidrsRule(ingressOrEgress, policyName, ns string, ipsetEntries [][]st
 			log.Printf("Error creating ipset %s", ipCidrSet)
 		}
 		for _, ipCidrEntry := range util.DropEmptyFields(ipCidrSet) {
-			if err := ipsMgr.AddToSet(setName, ipCidrEntry, util.IpsetNetHashFlag); err != nil {
-				log.Printf("Error adding ip cidrs %s into ipset %s", ipCidrEntry, ipCidrSet)
+			// Ipset doesn't allow 0.0.0.0/0 to be added. A general solution is split 0.0.0.0/1 in half which convert to 
+			// 1.0.0.0/1 and 128.0.0.0/1
+			if (ipCidrEntry == "0.0.0.0/0") {
+				splitEntry := [2]string{"1.0.0.0/1", "128.0.0.0/1"}
+				for _, entry := range splitEntry {
+					if err := ipsMgr.AddToSet(setName, entry, util.IpsetNetHashFlag); err != nil {
+						log.Printf("Error adding ip cidrs %s into ipset %s", entry, ipCidrSet)
+					}
+				}
+			} else {
+				if err := ipsMgr.AddToSet(setName, ipCidrEntry, util.IpsetNetHashFlag); err != nil {
+					log.Printf("Error adding ip cidrs %s into ipset %s", ipCidrEntry, ipCidrSet)
+				}
 			}
 		}
 	}

npm/nwpolicy_test.go

@@ -77,11 +77,18 @@ func TestAddNetworkPolicy(t *testing.T) {
 		Spec: networkingv1.NetworkPolicySpec{
 			Ingress: []networkingv1.NetworkPolicyIngressRule{
 				networkingv1.NetworkPolicyIngressRule{
-					From: []networkingv1.NetworkPolicyPeer{{
-						PodSelector: &metav1.LabelSelector{
-							MatchLabels: map[string]string{"app": "test"},
+					From: []networkingv1.NetworkPolicyPeer{
+						networkingv1.NetworkPolicyPeer{
+							PodSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{"app": "test"},
+							},
 						},
-					}},
+						networkingv1.NetworkPolicyPeer{
+							IPBlock: &networkingv1.IPBlock{
+								CIDR: "0.0.0.0/0",
+							},
+						},
+					},
 					Ports: []networkingv1.NetworkPolicyPort{{
 						Protocol: &tcp,
 						Port:     &port8000,
@@ -98,6 +105,17 @@ func TestAddNetworkPolicy(t *testing.T) {
 	}
 	npMgr.Unlock()
 
+	ipsMgr = npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
+
+	// Check whether 0.0.0.0/0 got translated to 1.0.0.0/1 and 128.0.0.0/1
+	if ! ipsMgr.Exists("allow-ingress-in-ns-test-nwpolicy-0in", "1.0.0.0/1", util.IpsetNetHashFlag) {
+		t.Errorf("TestDeleteFromSet failed @ ipsMgr.AddToSet")
+	}
+
+	if ! ipsMgr.Exists("allow-ingress-in-ns-test-nwpolicy-0in", "128.0.0.0/1", util.IpsetNetHashFlag) {
+		t.Errorf("TestDeleteFromSet failed @ ipsMgr.AddToSet")
+	}
+
 	allowEgress := &networkingv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "allow-egress",