
Commit 692785d

Add legacy versions of IsValidIP/IsValidCIDR
Add validation.IsValidIPForLegacyField and validation.IsValidCIDRForLegacyField, which validate "legacy" IP/CIDR fields correctly. Use them for all such fields (indirectly, via a wrapper in pkg/apis/core/validation that handles the StrictIPCIDRValidation feature gate correctly). Change IsValidIP and IsValidCIDR to require strict parsing and canonical form, and update the IPAddr, ServiceCIDR, and NetworkDeviceData validation to make use of them.
1 parent ba189de commit 692785d


11 files changed

+709
-88
lines changed


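--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@@ -3790,7 +3790,7 @@ func validatePodDNSConfig(dnsConfig *core.PodDNSConfig, dnsPolicy *core.DNSPolic
 allErrs = append(allErrs, field.Invalid(fldPath.Child("nameservers"), dnsConfig.Nameservers, fmt.Sprintf("must not have more than %v nameservers", MaxDNSNameservers)))
 }
 for i, ns := range dnsConfig.Nameservers {
-allErrs = append(allErrs, validation.IsValidIP(fldPath.Child("nameservers").Index(i), ns)...)
+allErrs = append(allErrs, IsValidIPForLegacyField(fldPath.Child("nameservers").Index(i), ns)...)
 }
 // Validate searches.
 if len(dnsConfig.Searches) > MaxDNSSearchPaths {
@@ -3966,7 +3966,7 @@ func validateOnlyDeletedSchedulingGates(newGates, oldGates []core.PodSchedulingG
 func ValidateHostAliases(hostAliases []core.HostAlias, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
 for i, hostAlias := range hostAliases {
-allErrs = append(allErrs, validation.IsValidIP(fldPath.Index(i).Child("ip"), hostAlias.IP)...)
+allErrs = append(allErrs, IsValidIPForLegacyField(fldPath.Index(i).Child("ip"), hostAlias.IP)...)
 for j, hostname := range hostAlias.Hostnames {
 allErrs = append(allErrs, ValidateDNS1123Subdomain(hostname, fldPath.Index(i).Child("hostnames").Index(j))...)
 }
@@ -4115,7 +4115,7 @@ func validatePodIPs(pod *core.Pod) field.ErrorList {
 
 // all PodIPs must be valid IPs
 for i, podIP := range pod.Status.PodIPs {
-allErrs = append(allErrs, validation.IsValidIP(podIPsField.Index(i), podIP.IP)...)
+allErrs = append(allErrs, IsValidIPForLegacyField(podIPsField.Index(i), podIP.IP)...)
 }
 
 // if we have more than one Pod.PodIP then we must have a dual-stack pair
@@ -4156,7 +4156,7 @@ func validateHostIPs(pod *core.Pod) field.ErrorList {
 
 // all HostIPs must be valid IPs
 for i, hostIP := range pod.Status.HostIPs {
-allErrs = append(allErrs, validation.IsValidIP(hostIPsField.Index(i), hostIP.IP)...)
+allErrs = append(allErrs, IsValidIPForLegacyField(hostIPsField.Index(i), hostIP.IP)...)
 }
 
 // if we have more than one Pod.HostIP then we must have a dual-stack pair
@@ -5940,7 +5940,7 @@ func ValidateService(service *core.Service) field.ErrorList {
 ipPath := specPath.Child("externalIPs")
 for i, ip := range service.Spec.ExternalIPs {
 idxPath := ipPath.Index(i)
-if errs := validation.IsValidIP(idxPath, ip); len(errs) != 0 {
+if errs := IsValidIPForLegacyField(idxPath, ip); len(errs) != 0 {
 allErrs = append(allErrs, errs...)
 } else {
 // For historical reasons, this uses ValidateEndpointIP even
@@ -6008,7 +6008,7 @@ func ValidateService(service *core.Service) field.ErrorList {
 // Note: due to a historical accident around transition from the
 // annotation value, these values are allowed to be space-padded.
 value = strings.TrimSpace(value)
-allErrs = append(allErrs, validation.IsValidCIDR(fieldPath.Index(idx), value)...)
+allErrs = append(allErrs, IsValidCIDRForLegacyField(fieldPath.Index(idx), value)...)
 }
 } else if val, annotationSet := service.Annotations[core.AnnotationLoadBalancerSourceRangesKey]; annotationSet {
 fieldPath := field.NewPath("metadata", "annotations").Key(core.AnnotationLoadBalancerSourceRangesKey)
@@ -6021,7 +6021,7 @@ func ValidateService(service *core.Service) field.ErrorList {
 cidrs := strings.Split(val, ",")
 for _, value := range cidrs {
 value = strings.TrimSpace(value)
-allErrs = append(allErrs, validation.IsValidCIDR(fieldPath, value)...)
+allErrs = append(allErrs, IsValidCIDRForLegacyField(fieldPath, value)...)
 }
 }
 }
@@ -6405,7 +6405,7 @@ func ValidateNode(node *core.Node) field.ErrorList {
 
 // all PodCIDRs should be valid ones
 for idx, value := range node.Spec.PodCIDRs {
-allErrs = append(allErrs, validation.IsValidCIDR(podCIDRsField.Index(idx), value)...)
+allErrs = append(allErrs, IsValidCIDRForLegacyField(podCIDRsField.Index(idx), value)...)
 }
 
 // if more than PodCIDR then it must be a dual-stack pair
@@ -7481,7 +7481,7 @@ func validateEndpointSubsets(subsets []core.EndpointSubset, fldPath *field.Path)
 
 func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
-allErrs = append(allErrs, validation.IsValidIP(fldPath.Child("ip"), address.IP)...)
+allErrs = append(allErrs, IsValidIPForLegacyField(fldPath.Child("ip"), address.IP)...)
 if len(address.Hostname) > 0 {
 allErrs = append(allErrs, ValidateDNS1123Label(address.Hostname, fldPath.Child("hostname"))...)
 }
@@ -7853,7 +7853,7 @@ func ValidateLoadBalancerStatus(status *core.LoadBalancerStatus, fldPath *field.
 for i, ingress := range status.Ingress {
 idxPath := ingrPath.Index(i)
 if len(ingress.IP) > 0 {
-allErrs = append(allErrs, validation.IsValidIP(idxPath.Child("ip"), ingress.IP)...)
+allErrs = append(allErrs, IsValidIPForLegacyField(idxPath.Child("ip"), ingress.IP)...)
 }
 
 if utilfeature.DefaultFeatureGate.Enabled(features.LoadBalancerIPMode) && ingress.IPMode == nil {
@@ -8188,7 +8188,7 @@ func ValidateServiceClusterIPsRelatedFields(service *core.Service) field.ErrorLi
 }
 
 // is it valid ip?
-errorMessages := validation.IsValidIP(clusterIPsField.Index(i), clusterIP)
+errorMessages := IsValidIPForLegacyField(clusterIPsField.Index(i), clusterIP)
 hasInvalidIPs = (len(errorMessages) != 0) || hasInvalidIPs
 allErrs = append(allErrs, errorMessages...)
 }
@@ -8703,3 +8703,17 @@ func isRestartableInitContainer(initContainer *core.Container) bool {
 }
 return *initContainer.RestartPolicy == core.ContainerRestartPolicyAlways
 }
+
+// IsValidIPForLegacyField is a wrapper around validation.IsValidIPForLegacyField that
+// handles setting strictValidation correctly. This is only for fields that use legacy IP
+// address validation; use validation.IsValidIP for new fields.
+func IsValidIPForLegacyField(fldPath *field.Path, value string) field.ErrorList {
+return validation.IsValidIPForLegacyField(fldPath, value, utilfeature.DefaultFeatureGate.Enabled(features.StrictIPCIDRValidation))
+}
+
+// IsValidCIDRForLegacyField is a wrapper around validation.IsValidCIDRForLegacyField that
+// handles setting strictValidation correctly. This is only for fields that use legacy CIDR
+// value validation; use validation.IsValidCIDR for new fields.
+func IsValidCIDRForLegacyField(fldPath *field.Path, value string) field.ErrorList {
+return validation.IsValidCIDRForLegacyField(fldPath, value, utilfeature.DefaultFeatureGate.Enabled(features.StrictIPCIDRValidation))
+}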
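Review bot: The two wrappers added at the end of the file take only `(fldPath, value)` and read `features.StrictIPCIDRValidation` from the global gate on every call, so all eleven call sites in this section change behaviour together and none of them can tell a newly written value from one that is already stored. Nothing visible here exempts unchanged values, so an update to an object that already carries a legacy-form address in, say, `service.Spec.ExternalIPs` or `node.Spec.PodCIDRs` would presumably start failing once the gate is enabled; it is worth confirming how the update paths are meant to handle that. The doc comments also leave out what the legacy form still admits while the gate is off, which matters for values that feed access decisions such as the load-balancer source ranges in ValidateService; I would add a line like `// With the gate off, some non-canonical values are still accepted here; consumers must parse these fields, not compare them as strings.` The bodies of `validation.IsValidIPForLegacyField` and `validation.IsValidCIDRForLegacyField` are not part of this file section, so the exact accepted forms cannot be checked from here.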
