Merge pull request #3840 from nawazkh/1-9-improve_DNSServiceIP_validation

[release-1.9] improve dns service ip validation

Author: k8s-ci-robot

api/v1beta1/azuremachine_default_test.go

@@ -521,10 +521,17 @@ func (m mockClient) Get(ctx context.Context, key client.ObjectKey, obj client.Ob
 	case *AzureCluster:
 		obj.Spec.SubscriptionID = "test-subscription-id"
 	case *clusterv1.Cluster:
-		obj.Spec.InfrastructureRef = &corev1.ObjectReference{
-			Kind:      "AzureCluster",
-			Name:      "test-cluster",
-			Namespace: "default",
+		obj.Spec = clusterv1.ClusterSpec{
+			InfrastructureRef: &corev1.ObjectReference{
+				Kind:      "AzureCluster",
+				Name:      "test-cluster",
+				Namespace: "default",
+			},
+			ClusterNetwork: &clusterv1.ClusterNetwork{
+				Services: &clusterv1.NetworkRanges{
+					CIDRBlocks: []string{"192.168.0.0/26"},
+				},
+			},
 		}
 	default:
 		return errors.New("unexpected object type")

api/v1beta1/azuremanagedcontrolplane_webhook.go

@@ -253,7 +253,6 @@ func (m *AzureManagedControlPlane) Validate(cli client.Client) error {
 	validators := []func(client client.Client) error{
 		m.validateName,
 		m.validateVersion,
-		m.validateDNSServiceIP,
 		m.validateSSHKey,
 		m.validateLoadBalancerProfile,
 		m.validateAPIServerAccessProfile,
@@ -271,17 +270,6 @@ func (m *AzureManagedControlPlane) Validate(cli client.Client) error {
 	return kerrors.NewAggregate(errs)
 }
 
-// validateDNSServiceIP validates the DNSServiceIP.
-func (m *AzureManagedControlPlane) validateDNSServiceIP(_ client.Client) error {
-	if m.Spec.DNSServiceIP != nil {
-		if net.ParseIP(*m.Spec.DNSServiceIP) == nil {
-			return errors.New("DNSServiceIP must be a valid IP")
-		}
-	}
-
-	return nil
-}
-
 // validateVersion validates the Kubernetes version.
 func (m *AzureManagedControlPlane) validateVersion(_ client.Client) error {
 	if !kubeSemver.MatchString(m.Spec.Version) {
@@ -421,10 +409,22 @@ func (m *AzureManagedControlPlane) validateManagedClusterNetwork(cli client.Clie
 		if err != nil {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("Cluster", "Spec", "ClusterNetwork", "Services", "CIDRBlocks"), serviceCIDR, fmt.Sprintf("failed to parse cluster service cidr: %v", err)))
 		}
-		ip := net.ParseIP(*m.Spec.DNSServiceIP)
-		if !cidr.Contains(ip) {
+
+		dnsIP := net.ParseIP(*m.Spec.DNSServiceIP)
+		if dnsIP == nil { // dnsIP will be nil if the string is not a valid IP
+			allErrs = append(allErrs, field.Invalid(field.NewPath("Spec", "DNSServiceIP"), *m.Spec.DNSServiceIP, "must be a valid IP address"))
+		}
+
+		if dnsIP != nil && !cidr.Contains(dnsIP) {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("Cluster", "Spec", "ClusterNetwork", "Services", "CIDRBlocks"), serviceCIDR, "DNSServiceIP must reside within the associated cluster serviceCIDR"))
 		}
+
+		// AKS only supports .10 as the last octet for the DNSServiceIP.
+		// Refer to: https://learn.microsoft.com/en-us/azure/aks/configure-kubenet#create-an-aks-cluster-with-system-assigned-managed-identities
+		targetSuffix := ".10"
+		if dnsIP != nil && !strings.HasSuffix(dnsIP.String(), targetSuffix) {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("Spec", "DNSServiceIP"), *m.Spec.DNSServiceIP, fmt.Sprintf("must end with %q", targetSuffix)))
+		}
 	}
 
 	if errs := validatePrivateEndpoints(m.Spec.VirtualNetwork.Subnet.PrivateEndpoints, []string{m.Spec.VirtualNetwork.Subnet.CIDRBlock}, field.NewPath("Spec", "VirtualNetwork.Subnet.PrivateEndpoints")); len(errs) > 0 {