Merge pull request kubernetes#128786 from danwinship/bad-ip-warnings

warn on bad IPs in objects

Author: k8s-ci-robot

pkg/api/pod/warnings.go

@@ -24,6 +24,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	nodeapi "k8s.io/kubernetes/pkg/api/node"
 	pvcutil "k8s.io/kubernetes/pkg/api/persistentvolumeclaim"
@@ -351,6 +352,16 @@ func warningsForPodSpecAndMeta(fieldPath *field.Path, podSpec *api.PodSpec, meta
 		}
 	}
 
+	// Deprecated IP address formats
+	if podSpec.DNSConfig != nil {
+		for i, ns := range podSpec.DNSConfig.Nameservers {
+			warnings = append(warnings, validation.GetWarningsForIP(fieldPath.Child("spec", "dnsConfig", "nameservers").Index(i), ns)...)
+		}
+	}
+	for i, hostAlias := range podSpec.HostAliases {
+		warnings = append(warnings, validation.GetWarningsForIP(fieldPath.Child("spec", "hostAliases").Index(i).Child("ip"), hostAlias.IP)...)
+	}
+
 	return warnings
 }
 

pkg/api/pod/warnings_test.go

@@ -1767,6 +1767,21 @@ func TestWarnings(t *testing.T) {
 				`spec.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].preference.matchExpressions[0].values[0]: -1 is invalid, a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')`,
 			},
 		},
+		{
+			name: "dubious IP address formats",
+			template: &api.PodTemplateSpec{Spec: api.PodSpec{
+				DNSConfig: &api.PodDNSConfig{
+					Nameservers: []string{"1.2.3.4", "05.06.07.08"},
+				},
+				HostAliases: []api.HostAlias{
+					{IP: "::ffff:1.2.3.4"},
+				},
+			}},
+			expected: []string{
+				`spec.dnsConfig.nameservers[1]: non-standard IP address "05.06.07.08" will be considered invalid in a future Kubernetes release: use "5.6.7.8"`,
+				`spec.hostAliases[0].ip: non-standard IP address "::ffff:1.2.3.4" will be considered invalid in a future Kubernetes release: use "1.2.3.4"`,
+			},
+		},
 	}
 
 	for _, tc := range testcases {

pkg/api/service/warnings.go

@@ -18,8 +18,8 @@ package service
 
 import (
 	"fmt"
-	"net/netip"
 
+	utilvalidation "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/helper"
@@ -37,20 +37,20 @@ func GetWarningsForService(service, oldService *api.Service) []string {
 
 	if helper.IsServiceIPSet(service) {
 		for i, clusterIP := range service.Spec.ClusterIPs {
-			warnings = append(warnings, getWarningsForIP(field.NewPath("spec").Child("clusterIPs").Index(i), clusterIP)...)
+			warnings = append(warnings, utilvalidation.GetWarningsForIP(field.NewPath("spec").Child("clusterIPs").Index(i), clusterIP)...)
 		}
 	}
 
 	for i, externalIP := range service.Spec.ExternalIPs {
-		warnings = append(warnings, getWarningsForIP(field.NewPath("spec").Child("externalIPs").Index(i), externalIP)...)
+		warnings = append(warnings, utilvalidation.GetWarningsForIP(field.NewPath("spec").Child("externalIPs").Index(i), externalIP)...)
 	}
 
 	if len(service.Spec.LoadBalancerIP) > 0 {
-		warnings = append(warnings, getWarningsForIP(field.NewPath("spec").Child("loadBalancerIP"), service.Spec.LoadBalancerIP)...)
+		warnings = append(warnings, utilvalidation.GetWarningsForIP(field.NewPath("spec").Child("loadBalancerIP"), service.Spec.LoadBalancerIP)...)
 	}
 
 	for i, cidr := range service.Spec.LoadBalancerSourceRanges {
-		warnings = append(warnings, getWarningsForCIDR(field.NewPath("spec").Child("loadBalancerSourceRanges").Index(i), cidr)...)
+		warnings = append(warnings, utilvalidation.GetWarningsForCIDR(field.NewPath("spec").Child("loadBalancerSourceRanges").Index(i), cidr)...)
 	}
 
 	if service.Spec.Type == api.ServiceTypeExternalName && len(service.Spec.ExternalIPs) > 0 {
@@ -62,45 +62,3 @@ func GetWarningsForService(service, oldService *api.Service) []string {
 
 	return warnings
 }
-
-func getWarningsForIP(fieldPath *field.Path, address string) []string {
-	// IPv4 addresses with leading zeros CVE-2021-29923 are not valid in golang since 1.17
-	// This will also warn about possible future changes on the golang std library
-	// xref: https://issues.k8s.io/108074
-	ip, err := netip.ParseAddr(address)
-	if err != nil {
-		return []string{fmt.Sprintf("%s: IP address was accepted, but will be invalid in a future Kubernetes release: %v", fieldPath, err)}
-	}
-	// A Recommendation for IPv6 Address Text Representation
-	//
-	// "All of the above examples represent the same IPv6 address.  This
-	// flexibility has caused many problems for operators, systems
-	// engineers, and customers.
-	// ..."
-	// https://datatracker.ietf.org/doc/rfc5952/
-	if ip.Is6() && ip.String() != address {
-		return []string{fmt.Sprintf("%s: IPv6 address %q is not in RFC 5952 canonical format (%q), which may cause controller apply-loops", fieldPath, address, ip.String())}
-	}
-	return []string{}
-}
-
-func getWarningsForCIDR(fieldPath *field.Path, cidr string) []string {
-	// IPv4 addresses with leading zeros CVE-2021-29923 are not valid in golang since 1.17
-	// This will also warn about possible future changes on the golang std library
-	// xref: https://issues.k8s.io/108074
-	prefix, err := netip.ParsePrefix(cidr)
-	if err != nil {
-		return []string{fmt.Sprintf("%s: IP prefix was accepted, but will be invalid in a future Kubernetes release: %v", fieldPath, err)}
-	}
-	// A Recommendation for IPv6 Address Text Representation
-	//
-	// "All of the above examples represent the same IPv6 address.  This
-	// flexibility has caused many problems for operators, systems
-	// engineers, and customers.
-	// ..."
-	// https://datatracker.ietf.org/doc/rfc5952/
-	if prefix.Addr().Is6() && prefix.String() != cidr {
-		return []string{fmt.Sprintf("%s: IPv6 prefix %q is not in RFC 5952 canonical format (%q), which may cause controller apply-loops", fieldPath, cidr, prefix.String())}
-	}
-	return []string{}
-}

pkg/api/service/warnings_test.go

@@ -22,7 +22,6 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
 )
 
@@ -108,58 +107,58 @@ func TestGetWarningsForServiceClusterIPs(t *testing.T) {
 			name:    "IPv4 with leading zeros",
 			service: service([]string{"192.012.2.2"}),
 			want: []string{
-				`spec.clusterIPs[0]: IP address was accepted, but will be invalid in a future Kubernetes release: ParseAddr("192.012.2.2"): IPv4 field has octet with leading zero`,
+				`spec.clusterIPs[0]: non-standard IP address "192.012.2.2" will be considered invalid in a future Kubernetes release: use "192.12.2.2"`,
 			},
 		},
 		{
 			name:    "Dual Stack IPv4-IPv6 and IPv4 with leading zeros",
 			service: service([]string{"192.012.2.2", "2001:db8::2"}),
 			want: []string{
-				`spec.clusterIPs[0]: IP address was accepted, but will be invalid in a future Kubernetes release: ParseAddr("192.012.2.2"): IPv4 field has octet with leading zero`,
+				`spec.clusterIPs[0]: non-standard IP address "192.012.2.2" will be considered invalid in a future Kubernetes release: use "192.12.2.2"`,
 			},
 		},
 		{
 			name:    "Dual Stack IPv6-IPv4 and IPv4 with leading zeros",
 			service: service([]string{"2001:db8::2", "192.012.2.2"}),
 			want: []string{
-				`spec.clusterIPs[1]: IP address was accepted, but will be invalid in a future Kubernetes release: ParseAddr("192.012.2.2"): IPv4 field has octet with leading zero`,
+				`spec.clusterIPs[1]: non-standard IP address "192.012.2.2" will be considered invalid in a future Kubernetes release: use "192.12.2.2"`,
 			},
 		},
 		{
 			name:    "IPv6 non canonical format",
 			service: service([]string{"2001:db8:0:0::2"}),
 			want: []string{
-				`spec.clusterIPs[0]: IPv6 address "2001:db8:0:0::2" is not in RFC 5952 canonical format ("2001:db8::2"), which may cause controller apply-loops`,
+				`spec.clusterIPs[0]: IPv6 address "2001:db8:0:0::2" should be in RFC 5952 canonical format ("2001:db8::2")`,
 			},
 		},
 		{
 			name:    "Dual Stack IPv4-IPv6 and IPv6 non-canonical format",
 			service: service([]string{"192.12.2.2", "2001:db8:0:0::2"}),
 			want: []string{
-				`spec.clusterIPs[1]: IPv6 address "2001:db8:0:0::2" is not in RFC 5952 canonical format ("2001:db8::2"), which may cause controller apply-loops`,
+				`spec.clusterIPs[1]: IPv6 address "2001:db8:0:0::2" should be in RFC 5952 canonical format ("2001:db8::2")`,
 			},
 		},
 		{
 			name:    "Dual Stack IPv6-IPv4 and IPv6 non-canonical formats",
 			service: service([]string{"2001:db8:0:0::2", "192.12.2.2"}),
 			want: []string{
-				`spec.clusterIPs[0]: IPv6 address "2001:db8:0:0::2" is not in RFC 5952 canonical format ("2001:db8::2"), which may cause controller apply-loops`,
+				`spec.clusterIPs[0]: IPv6 address "2001:db8:0:0::2" should be in RFC 5952 canonical format ("2001:db8::2")`,
 			},
 		},
 		{
 			name:    "Dual Stack IPv4-IPv6 and IPv4 with leading zeros and IPv6 non-canonical format",
 			service: service([]string{"192.012.2.2", "2001:db8:0:0::2"}),
 			want: []string{
-				`spec.clusterIPs[0]: IP address was accepted, but will be invalid in a future Kubernetes release: ParseAddr("192.012.2.2"): IPv4 field has octet with leading zero`,
-				`spec.clusterIPs[1]: IPv6 address "2001:db8:0:0::2" is not in RFC 5952 canonical format ("2001:db8::2"), which may cause controller apply-loops`,
+				`spec.clusterIPs[0]: non-standard IP address "192.012.2.2" will be considered invalid in a future Kubernetes release: use "192.12.2.2"`,
+				`spec.clusterIPs[1]: IPv6 address "2001:db8:0:0::2" should be in RFC 5952 canonical format ("2001:db8::2")`,
 			},
 		},
 		{
 			name:    "Dual Stack IPv6-IPv4 and IPv4 with leading zeros and IPv6 non-canonical format",
 			service: service([]string{"2001:db8:0:0::2", "192.012.2.2"}),
 			want: []string{
-				`spec.clusterIPs[0]: IPv6 address "2001:db8:0:0::2" is not in RFC 5952 canonical format ("2001:db8::2"), which may cause controller apply-loops`,
-				`spec.clusterIPs[1]: IP address was accepted, but will be invalid in a future Kubernetes release: ParseAddr("192.012.2.2"): IPv4 field has octet with leading zero`,
+				`spec.clusterIPs[0]: IPv6 address "2001:db8:0:0::2" should be in RFC 5952 canonical format ("2001:db8::2")`,
+				`spec.clusterIPs[1]: non-standard IP address "192.012.2.2" will be considered invalid in a future Kubernetes release: use "192.12.2.2"`,
 			},
 		},
 		{
@@ -179,13 +178,13 @@ func TestGetWarningsForServiceClusterIPs(t *testing.T) {
 				},
 			},
 			want: []string{
-				`spec.clusterIPs[0]: IPv6 address "2001:db8:0:0::2" is not in RFC 5952 canonical format ("2001:db8::2"), which may cause controller apply-loops`,
-				`spec.clusterIPs[1]: IP address was accepted, but will be invalid in a future Kubernetes release: ParseAddr("192.012.2.2"): IPv4 field has octet with leading zero`,
-				`spec.externalIPs[0]: IPv6 address "2001:db8:1:0::2" is not in RFC 5952 canonical format ("2001:db8:1::2"), which may cause controller apply-loops`,
-				`spec.externalIPs[1]: IP address was accepted, but will be invalid in a future Kubernetes release: ParseAddr("10.012.2.2"): IPv4 field has octet with leading zero`,
-				`spec.loadBalancerIP: IP address was accepted, but will be invalid in a future Kubernetes release: ParseAddr("10.001.1.1"): IPv4 field has octet with leading zero`,
-				`spec.loadBalancerSourceRanges[0]: IPv6 prefix "2001:db8:1:0::/64" is not in RFC 5952 canonical format ("2001:db8:1::/64"), which may cause controller apply-loops`,
-				`spec.loadBalancerSourceRanges[1]: IP prefix was accepted, but will be invalid in a future Kubernetes release: netip.ParsePrefix("10.012.2.0/24"): ParseAddr("10.012.2.0"): IPv4 field has octet with leading zero`,
+				`spec.clusterIPs[0]: IPv6 address "2001:db8:0:0::2" should be in RFC 5952 canonical format ("2001:db8::2")`,
+				`spec.clusterIPs[1]: non-standard IP address "192.012.2.2" will be considered invalid in a future Kubernetes release: use "192.12.2.2"`,
+				`spec.externalIPs[0]: IPv6 address "2001:db8:1:0::2" should be in RFC 5952 canonical format ("2001:db8:1::2")`,
+				`spec.externalIPs[1]: non-standard IP address "10.012.2.2" will be considered invalid in a future Kubernetes release: use "10.12.2.2"`,
+				`spec.loadBalancerIP: non-standard IP address "10.001.1.1" will be considered invalid in a future Kubernetes release: use "10.1.1.1"`,
+				`spec.loadBalancerSourceRanges[0]: IPv6 CIDR value "2001:db8:1:0::/64" should be in RFC 5952 canonical format ("2001:db8:1::/64")`,
+				`spec.loadBalancerSourceRanges[1]: non-standard CIDR value "10.012.2.0/24" will be considered invalid in a future Kubernetes release: use "10.12.2.0/24"`,
 			},
 		},
 	}
@@ -197,93 +196,3 @@ func TestGetWarningsForServiceClusterIPs(t *testing.T) {
 		})
 	}
 }
-
-func Test_getWarningsForIP(t *testing.T) {
-	tests := []struct {
-		name      string
-		fieldPath *field.Path
-		address   string
-		want      []string
-	}{
-		{
-			name:      "IPv4 No failures",
-			address:   "192.12.2.2",
-			fieldPath: field.NewPath("spec").Child("clusterIPs").Index(0),
-			want:      []string{},
-		},
-		{
-			name:      "IPv6 No failures",
-			address:   "2001:db8::2",
-			fieldPath: field.NewPath("spec").Child("clusterIPs").Index(0),
-			want:      []string{},
-		},
-		{
-			name:      "IPv4 with leading zeros",
-			address:   "192.012.2.2",
-			fieldPath: field.NewPath("spec").Child("clusterIPs").Index(0),
-			want: []string{
-				`spec.clusterIPs[0]: IP address was accepted, but will be invalid in a future Kubernetes release: ParseAddr("192.012.2.2"): IPv4 field has octet with leading zero`,
-			},
-		},
-		{
-			name:      "IPv6 non-canonical format",
-			address:   "2001:db8:0:0::2",
-			fieldPath: field.NewPath("spec").Child("loadBalancerIP"),
-			want: []string{
-				`spec.loadBalancerIP: IPv6 address "2001:db8:0:0::2" is not in RFC 5952 canonical format ("2001:db8::2"), which may cause controller apply-loops`,
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := getWarningsForIP(tt.fieldPath, tt.address); !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("getWarningsForIP() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func Test_getWarningsForCIDR(t *testing.T) {
-	tests := []struct {
-		name      string
-		fieldPath *field.Path
-		cidr      string
-		want      []string
-	}{
-		{
-			name:      "IPv4 No failures",
-			cidr:      "192.12.2.0/24",
-			fieldPath: field.NewPath("spec").Child("loadBalancerSourceRanges").Index(0),
-			want:      []string{},
-		},
-		{
-			name:      "IPv6 No failures",
-			cidr:      "2001:db8::/64",
-			fieldPath: field.NewPath("spec").Child("loadBalancerSourceRanges").Index(0),
-			want:      []string{},
-		},
-		{
-			name:      "IPv4 with leading zeros",
-			cidr:      "192.012.2.0/24",
-			fieldPath: field.NewPath("spec").Child("loadBalancerSourceRanges").Index(0),
-			want: []string{
-				`spec.loadBalancerSourceRanges[0]: IP prefix was accepted, but will be invalid in a future Kubernetes release: netip.ParsePrefix("192.012.2.0/24"): ParseAddr("192.012.2.0"): IPv4 field has octet with leading zero`,
-			},
-		},
-		{
-			name:      "IPv6 non-canonical format",
-			cidr:      "2001:db8:0:0::/64",
-			fieldPath: field.NewPath("spec").Child("loadBalancerSourceRanges").Index(0),
-			want: []string{
-				`spec.loadBalancerSourceRanges[0]: IPv6 prefix "2001:db8:0:0::/64" is not in RFC 5952 canonical format ("2001:db8::/64"), which may cause controller apply-loops`,
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := getWarningsForCIDR(tt.fieldPath, tt.cidr); !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("getWarningsForCIDR() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}