Skip to content

Commit 19e7b86

Browse files
tthvotthvo
committed
validations: validate vpc and subnet CIDR
Validation for specified VPC and subnet CIDRs is added for early feedback from the webhook. There are already existing checks for bastion and nodePort CIDRs.
1 parent 30fd6b1 commit 19e7b86

File tree

2 files changed

+150
-4
lines changed

2 files changed

+150
-4
lines changed

api/v1beta2/awscluster_webhook.go

Lines changed: 33 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -301,10 +301,35 @@ func (r *AWSCluster) validateSSHKeyName() field.ErrorList {
301301

302302
func (r *AWSCluster) validateNetwork() field.ErrorList {
303303
var allErrs field.ErrorList
304-
for _, subnet := range r.Spec.NetworkSpec.Subnets {
304+
305+
vpcSpec := r.Spec.NetworkSpec.VPC
306+
vpcField := field.NewPath("spec", "network", "vpc")
307+
if vpcSpec.CidrBlock != "" {
308+
if _, _, err := net.ParseCIDR(vpcSpec.CidrBlock); err != nil {
309+
allErrs = append(allErrs, field.Invalid(vpcField.Child("cidrBlock"), vpcSpec.CidrBlock, "VPC CIDR block is invalid"))
310+
}
311+
}
312+
if vpcSpec.IPv6 != nil && vpcSpec.IPv6.CidrBlock != "" {
313+
if _, _, err := net.ParseCIDR(vpcSpec.IPv6.CidrBlock); err != nil {
314+
allErrs = append(allErrs, field.Invalid(vpcField.Child("ipv6", "cidrBlock"), vpcSpec.IPv6.CidrBlock, "VPC IPv6 CIDR block is invalid"))
315+
}
316+
}
317+
318+
subnetField := field.NewPath("spec", "network", "subnets")
319+
for i, subnet := range r.Spec.NetworkSpec.Subnets {
305320
if subnet.ZoneType != nil && subnet.IsEdge() {
306321
if subnet.ParentZoneName == nil {
307-
allErrs = append(allErrs, field.Invalid(field.NewPath("subnets"), r.Spec.NetworkSpec.Subnets, "ParentZoneName must be set when ZoneType is 'local-zone'."))
322+
allErrs = append(allErrs, field.Invalid(subnetField.Index(i).Child("parentZoneName"), subnet.ParentZoneName, "ParentZoneName must be set when ZoneType is 'local-zone'."))
323+
}
324+
}
325+
if subnet.CidrBlock != "" {
326+
if _, _, err := net.ParseCIDR(subnet.CidrBlock); err != nil {
327+
allErrs = append(allErrs, field.Invalid(subnetField.Index(i).Child("cidrBlock"), subnet.CidrBlock, "subnet CIDR block is invalid"))
328+
}
329+
}
330+
if subnet.IPv6CidrBlock != "" {
331+
if _, _, err := net.ParseCIDR(subnet.IPv6CidrBlock); err != nil {
332+
allErrs = append(allErrs, field.Invalid(subnetField.Index(i).Child("ipv6CidrBlock"), subnet.IPv6CidrBlock, "subnet IPv6 CIDR block is invalid"))
308333
}
309334
}
310335
}
@@ -344,10 +369,15 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
344369

345370
secondaryCidrBlocks := r.Spec.NetworkSpec.VPC.SecondaryCidrBlocks
346371
secondaryCidrBlocksField := field.NewPath("spec", "network", "vpc", "secondaryCidrBlocks")
347-
for _, cidrBlock := range secondaryCidrBlocks {
372+
for i, cidrBlock := range secondaryCidrBlocks {
348373
if r.Spec.NetworkSpec.VPC.CidrBlock != "" && r.Spec.NetworkSpec.VPC.CidrBlock == cidrBlock.IPv4CidrBlock {
349374
allErrs = append(allErrs, field.Invalid(secondaryCidrBlocksField, secondaryCidrBlocks, fmt.Sprintf("AWSCluster.spec.network.vpc.secondaryCidrBlocks must not contain the primary AWSCluster.spec.network.vpc.cidrBlock %v", r.Spec.NetworkSpec.VPC.CidrBlock)))
350375
}
376+
if cidrBlock.IPv4CidrBlock != "" {
377+
if _, _, err := net.ParseCIDR(cidrBlock.IPv4CidrBlock); err != nil {
378+
allErrs = append(allErrs, field.Invalid(secondaryCidrBlocksField.Index(i).Child("ipv4CidrBlock"), cidrBlock.IPv4CidrBlock, "secondary VPC CIDR block is invalid"))
379+
}
380+
}
351381
}
352382

353383
return allErrs

api/v1beta2/awscluster_webhook_test.go

Lines changed: 117 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -324,7 +324,59 @@ func TestAWSClusterValidateCreate(t *testing.T) {
324324
wantErr: false,
325325
},
326326
{
327-
name: "accepts ipv6",
327+
name: "accepts vpc cidr",
328+
cluster: &AWSCluster{
329+
Spec: AWSClusterSpec{
330+
NetworkSpec: NetworkSpec{
331+
VPC: VPCSpec{
332+
CidrBlock: "10.0.0.0/16",
333+
},
334+
},
335+
},
336+
},
337+
wantErr: false,
338+
},
339+
{
340+
name: "rejects invalid vpc cidr",
341+
cluster: &AWSCluster{
342+
Spec: AWSClusterSpec{
343+
NetworkSpec: NetworkSpec{
344+
VPC: VPCSpec{
345+
CidrBlock: "10.0.0.0",
346+
},
347+
},
348+
},
349+
},
350+
wantErr: true,
351+
},
352+
{
353+
name: "accepts vpc secondary cidr",
354+
cluster: &AWSCluster{
355+
Spec: AWSClusterSpec{
356+
NetworkSpec: NetworkSpec{
357+
VPC: VPCSpec{
358+
CidrBlock: "10.0.1.0/24",
359+
},
360+
},
361+
},
362+
},
363+
wantErr: false,
364+
},
365+
{
366+
name: "rejects invalid vpc secondary cidr",
367+
cluster: &AWSCluster{
368+
Spec: AWSClusterSpec{
369+
NetworkSpec: NetworkSpec{
370+
VPC: VPCSpec{
371+
CidrBlock: "10.0.1.0",
372+
},
373+
},
374+
},
375+
},
376+
wantErr: true,
377+
},
378+
{
379+
name: "accepts vpc ipv6 cidr",
328380
cluster: &AWSCluster{
329381
Spec: AWSClusterSpec{
330382
NetworkSpec: NetworkSpec{
@@ -339,6 +391,22 @@ func TestAWSClusterValidateCreate(t *testing.T) {
339391
},
340392
wantErr: false,
341393
},
394+
{
395+
name: "reject invalid vpc ipv6 cidr",
396+
cluster: &AWSCluster{
397+
Spec: AWSClusterSpec{
398+
NetworkSpec: NetworkSpec{
399+
VPC: VPCSpec{
400+
IPv6: &IPv6{
401+
CidrBlock: "2001:2345:5678::",
402+
PoolID: "pool-id",
403+
},
404+
},
405+
},
406+
},
407+
},
408+
wantErr: true,
409+
},
342410
{
343411
name: "accepts ipv6 enabled subnet",
344412
cluster: &AWSCluster{
@@ -358,6 +426,38 @@ func TestAWSClusterValidateCreate(t *testing.T) {
358426
},
359427
wantErr: false,
360428
},
429+
{
430+
name: "accepts cidr block for subnets",
431+
cluster: &AWSCluster{
432+
Spec: AWSClusterSpec{
433+
NetworkSpec: NetworkSpec{
434+
Subnets: []SubnetSpec{
435+
{
436+
ID: "sub-1",
437+
CidrBlock: "10.0.10.0/24",
438+
},
439+
},
440+
},
441+
},
442+
},
443+
wantErr: false,
444+
},
445+
{
446+
name: "rejects invalid cidr block for subnets",
447+
cluster: &AWSCluster{
448+
Spec: AWSClusterSpec{
449+
NetworkSpec: NetworkSpec{
450+
Subnets: []SubnetSpec{
451+
{
452+
ID: "sub-1",
453+
CidrBlock: "10.0.10.0",
454+
},
455+
},
456+
},
457+
},
458+
},
459+
wantErr: true,
460+
},
361461
{
362462
name: "accepts ipv6 cidr block for subnets",
363463
cluster: &AWSCluster{
@@ -374,6 +474,22 @@ func TestAWSClusterValidateCreate(t *testing.T) {
374474
},
375475
wantErr: false,
376476
},
477+
{
478+
name: "rejects invalid ipv6 cidr block for subnets",
479+
cluster: &AWSCluster{
480+
Spec: AWSClusterSpec{
481+
NetworkSpec: NetworkSpec{
482+
Subnets: []SubnetSpec{
483+
{
484+
ID: "sub-1",
485+
IPv6CidrBlock: "2022:1234:5678:9101::",
486+
},
487+
},
488+
},
489+
},
490+
},
491+
wantErr: true,
492+
},
377493
{
378494
name: "rejects ingress rules with cidr block and source security group id",
379495
cluster: &AWSCluster{

0 commit comments

Comments
 (0)