Enable CEL validation for subnet overlaps for Layer2 (C)UDN

Enable overlap checks since k8s 1.33 fixes kubernetes/kubernetes#130441.

Signed-off-by: Patryk Diak <[email protected]>

Author: kyrtapz

dist/templates/k8s.ovn.org_clusteruserdefinednetworks.yaml.j2

@@ -298,6 +298,21 @@ spec:
                       rule: '!has(self.infrastructureSubnets) || !has(self.defaultGatewayIPs)
                         || self.defaultGatewayIPs.all(ip, self.infrastructureSubnets.exists(subnet,
                         cidr(subnet).containsIP(ip)))'
+                    - fieldPath: .reservedSubnets
+                      message: reservedSubnets must be subnetworks of the networks
+                        specified in the subnets field
+                      rule: '!has(self.reservedSubnets) || self.reservedSubnets.all(e,
+                        self.subnets.exists(s, cidr(s).containsCIDR(cidr(e))))'
+                    - fieldPath: .infrastructureSubnets
+                      message: infrastructureSubnets must be subnetworks of the networks
+                        specified in the subnets field
+                      rule: '!has(self.infrastructureSubnets) || self.infrastructureSubnets.all(e,
+                        self.subnets.exists(s, cidr(s).containsCIDR(cidr(e))))'
+                    - message: infrastructureSubnets and reservedSubnets must not
+                        overlap
+                      rule: '!has(self.infrastructureSubnets) || !has(self.reservedSubnets)
+                        || self.infrastructureSubnets.all(infra, !self.reservedSubnets.exists(reserved,
+                        cidr(infra).containsCIDR(reserved) || cidr(reserved).containsCIDR(infra)))'
                   layer3:
                     description: Layer3 is the Layer3 topology configuration.
                     properties:

dist/templates/k8s.ovn.org_userdefinednetworks.yaml.j2

@@ -243,6 +243,20 @@ spec:
                   rule: '!has(self.infrastructureSubnets) || !has(self.defaultGatewayIPs)
                     || self.defaultGatewayIPs.all(ip, self.infrastructureSubnets.exists(subnet,
                     cidr(subnet).containsIP(ip)))'
+                - fieldPath: .reservedSubnets
+                  message: reservedSubnets must be subnetworks of the networks specified
+                    in the subnets field
+                  rule: '!has(self.reservedSubnets) || self.reservedSubnets.all(e,
+                    self.subnets.exists(s, cidr(s).containsCIDR(cidr(e))))'
+                - fieldPath: .infrastructureSubnets
+                  message: infrastructureSubnets must be subnetworks of the networks
+                    specified in the subnets field
+                  rule: '!has(self.infrastructureSubnets) || self.infrastructureSubnets.all(e,
+                    self.subnets.exists(s, cidr(s).containsCIDR(cidr(e))))'
+                - message: infrastructureSubnets and reservedSubnets must not overlap
+                  rule: '!has(self.infrastructureSubnets) || !has(self.reservedSubnets)
+                    || self.infrastructureSubnets.all(infra, !self.reservedSubnets.exists(reserved,
+                    cidr(infra).containsCIDR(reserved) || cidr(reserved).containsCIDR(infra)))'
               layer3:
                 description: Layer3 is the Layer3 topology configuration.
                 properties:

go-controller/pkg/crd/userdefinednetwork/v1/shared.go

@@ -99,11 +99,9 @@ type Layer3Subnet struct {
 // +kubebuilder:validation:XValidation:rule="!has(self.infrastructureSubnets) || has(self.subnets)", message="infrastructureSubnets must be unset when subnets is unset"
 // +kubebuilder:validation:XValidation:rule="!has(self.infrastructureSubnets) || has(self.role) && self.role == 'Primary'", message="infrastructureSubnets is only supported for Primary network"
 // +kubebuilder:validation:XValidation:rule="!has(self.infrastructureSubnets) || !has(self.defaultGatewayIPs) || self.defaultGatewayIPs.all(ip, self.infrastructureSubnets.exists(subnet, cidr(subnet).containsIP(ip)))", message="defaultGatewayIPs have to belong to infrastructureSubnets"
-//
-// TODO: Re-enable when CEL validation is supported
-// // +kubebuilder:validation:XValidation:rule="!has(self.reservedSubnets) || self.reservedSubnets.all(e, self.subnets.exists(s, cidr(s).containsCIDR(cidr(e))))",message="reservedSubnets must be subnetworks of the networks specified in the subnets field",fieldPath=".reservedSubnets"
-// // +kubebuilder:validation:XValidation:rule="!has(self.infrastructureSubnets) || self.infrastructureSubnets.all(e, self.subnets.exists(s, cidr(s).containsCIDR(cidr(e))))",message="infrastructureSubnets must be subnetworks of the networks specified in the subnets field",fieldPath=".infrastructureSubnets"
-// // +kubebuilder:validation:XValidation:rule="!has(self.infrastructureSubnets) || !has(self.reservedSubnets) || self.infrastructureSubnets.all(infra, !self.reservedSubnets.exists(reserved, cidr(infra).containsCIDR(reserved) || cidr(reserved).containsCIDR(infra)))", message="infrastructureSubnets and reservedSubnets must not overlap"
+// +kubebuilder:validation:XValidation:rule="!has(self.reservedSubnets) || self.reservedSubnets.all(e, self.subnets.exists(s, cidr(s).containsCIDR(cidr(e))))",message="reservedSubnets must be subnetworks of the networks specified in the subnets field",fieldPath=".reservedSubnets"
+// +kubebuilder:validation:XValidation:rule="!has(self.infrastructureSubnets) || self.infrastructureSubnets.all(e, self.subnets.exists(s, cidr(s).containsCIDR(cidr(e))))",message="infrastructureSubnets must be subnetworks of the networks specified in the subnets field",fieldPath=".infrastructureSubnets"
+// +kubebuilder:validation:XValidation:rule="!has(self.infrastructureSubnets) || !has(self.reservedSubnets) || self.infrastructureSubnets.all(infra, !self.reservedSubnets.exists(reserved, cidr(infra).containsCIDR(reserved) || cidr(reserved).containsCIDR(infra)))", message="infrastructureSubnets and reservedSubnets must not overlap"
 type Layer2Config struct {
 	// Role describes the network role in the pod.
 	//

test/e2e/testscenario/cudn/invalid-scenarios-layer2.go

@@ -115,100 +115,98 @@ spec:
         mode: Disabled
 `,
 	},
-	// TODO: enable the below test case once the following issue is resolved https://github.com/kubernetes/kubernetes/issues/130441 and the validation is enabled
-	// 	{
-	// 		Description: "infrastructureSubnets and reservedSubnets must not overlap",
-	// 		ExpectedErr: `infrastructureSubnets and reservedSubnets must not overlap`,
-	// 		Manifest: `
-	// apiVersion: k8s.ovn.org/v1
-	// kind: ClusterUserDefinedNetwork
-	// metadata:
-	//   name: infra-reserved-overlap-fail
-	// spec:
-	//   namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
-	//   network:
-	//     topology: Layer2
-	//     layer2:
-	//       role: Primary
-	//       subnets: ["192.168.1.0/24"]
-	//       infrastructureSubnets: ["192.168.1.0/28"]
-	//       reservedSubnets: ["192.168.1.8/29"]
-	// `,
-	// 	},
-	// 	{
-	// 		Description: "dual-stack infrastructureSubnets and reservedSubnets overlap",
-	// 		ExpectedErr: `infrastructureSubnets and reservedSubnets must not overlap`,
-	// 		Manifest: `
-	// apiVersion: k8s.ovn.org/v1
-	// kind: ClusterUserDefinedNetwork
-	// metadata:
-	//   name: dual-stack-overlap-fail
-	// spec:
-	//   namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
-	//   network:
-	//     topology: Layer2
-	//     layer2:
-	//       role: Primary
-	//       subnets: ["192.168.1.0/24", "2001:db8::/64"]
-	//       infrastructureSubnets: ["192.168.1.0/28", "2001:db8::/80"]
-	//       reservedSubnets: ["192.168.1.8/29", "2001:db8::/80"]
-	// `,
-	// 	},
-	//	{
-	//		Description: "reservedSubnets must be subnetworks of subnets",
-	//		ExpectedErr: `reservedSubnets must be subnetworks of the networks specified in the subnets field`,
-	//		Manifest: `
-	//apiVersion: k8s.ovn.org/v1
-	//kind: ClusterUserDefinedNetwork
-	//metadata:
-	//  name: reserved-subnets-outside-fail
-	//spec:
-	//  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
-	//  network:
-	//    topology: Layer2
-	//    layer2:
-	//      role: Secondary
-	//      subnets: ["192.168.1.0/24"]
-	//      reservedSubnets: ["10.0.0.0/28"]
-	//`,
-	//	},
-	//	{
-	//		Description: "infrastructureSubnets must be subnetworks of subnets",
-	//		ExpectedErr: `infrastructureSubnets must be subnetworks of the networks specified in the subnets field`,
-	//		Manifest: `
-	//apiVersion: k8s.ovn.org/v1
-	//kind: ClusterUserDefinedNetwork
-	//metadata:
-	//  name: infra-subnets-outside-fail
-	//spec:
-	//  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
-	//  network:
-	//    topology: Layer2
-	//    layer2:
-	//      role: Primary
-	//      subnets: ["192.168.1.0/24"]
-	//      infrastructureSubnets: ["10.0.0.0/28"]
-	//`,
-	//	},
-	//	{
-	//		Description: "IPv6 reservedSubnet outside main subnet",
-	//		ExpectedErr: `reservedSubnets must be subnetworks of the networks specified in the subnets field`,
-	//		Manifest: `
-	//apiVersion: k8s.ovn.org/v1
-	//kind: ClusterUserDefinedNetwork
-	//metadata:
-	//  name: ipv6-reserved-subnet-fail
-	//spec:
-	//  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
-	//  network:
-	//    topology: Layer2
-	//    layer2:
-	//      role: Secondary
-	//      subnets: ["2001:db8::/64"]
-	//      reservedSubnets: ["2001:db9::/80"]
-	//`,
-	//	},
-
+	{
+		Description: "infrastructureSubnets and reservedSubnets must not overlap",
+		ExpectedErr: `infrastructureSubnets and reservedSubnets must not overlap`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: infra-reserved-overlap-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Layer2
+    layer2:
+      role: Primary
+      subnets: ["192.168.1.0/24"]
+      infrastructureSubnets: ["192.168.1.0/28"]
+      reservedSubnets: ["192.168.1.8/29"]
+`,
+	},
+	{
+		Description: "dual-stack infrastructureSubnets and reservedSubnets overlap",
+		ExpectedErr: `infrastructureSubnets and reservedSubnets must not overlap`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: dual-stack-overlap-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Layer2
+    layer2:
+      role: Primary
+      subnets: ["192.168.1.0/24", "2001:db8::/64"]
+      infrastructureSubnets: ["192.168.1.0/28", "2001:db8::/80"]
+      reservedSubnets: ["192.168.1.8/29", "2001:db8::/80"]
+`,
+	},
+	{
+		Description: "reservedSubnets must be subnetworks of subnets",
+		ExpectedErr: `reservedSubnets must be subnetworks of the networks specified in the subnets field`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: reserved-subnets-outside-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Layer2
+    layer2:
+      role: Secondary
+      subnets: ["192.168.1.0/24"]
+      reservedSubnets: ["10.0.0.0/28"]
+`,
+	},
+	{
+		Description: "infrastructureSubnets must be subnetworks of subnets",
+		ExpectedErr: `infrastructureSubnets must be subnetworks of the networks specified in the subnets field`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: infra-subnets-outside-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Layer2
+    layer2:
+      role: Primary
+      subnets: ["192.168.1.0/24"]
+      infrastructureSubnets: ["10.0.0.0/28"]
+`,
+	},
+	{
+		Description: "IPv6 reservedSubnet outside main subnet",
+		ExpectedErr: `reservedSubnets must be subnetworks of the networks specified in the subnets field`,
+		Manifest: `
+apiVersion: k8s.ovn.org/v1
+kind: ClusterUserDefinedNetwork
+metadata:
+  name: ipv6-reserved-subnet-fail
+spec:
+  namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: red}}
+  network:
+    topology: Layer2
+    layer2:
+      role: Secondary
+      subnets: ["2001:db8::/64"]
+      reservedSubnets: ["2001:db9::/80"]
+`,
+	},
 	{
 		Description: "IPv6 defaultGatewayIP outside subnet",
 		ExpectedErr: `defaultGatewayIPs must belong to one of the subnets specified in the subnets field`,