Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance ExternalIPPool validation #5898

Merged
merged 3 commits into from
Jan 31, 2024
Merged

Enhance ExternalIPPool validation #5898

merged 3 commits into from
Jan 31, 2024

Conversation

aroradaman
Copy link
Contributor

@aroradaman aroradaman commented Jan 20, 2024
edited
Loading

  • Validate if IPRange.Start <= IPRange.End
  • Validate if IPRange.Start and IPRange.End belongs to the same IP family
  • Validate if IPRanges don't overlap with each other

Fixes: #5842

@aroradaman
Copy link
Contributor Author

aroradaman commented Jan 20, 2024
edited
Loading

I initially planned to use netip.Addr and netip.Prefix instead of net.IP and net.IPNet as netip.Addr is directly comparable.
In general netip is more efficient than net but it would require to rewriteIPNetContains for netip.Prefix. Maybe in future, we can consider this 🤔

antrea/pkg/util/ip/ip.go

Line 231 in ba57a7f

func IPNetContains(ipNet1, ipNet2 *net.IPNet) bool {

@aroradaman
Copy link
Contributor Author

cc @tnqn

tnqn
tnqn reviewed Jan 22, 2024
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The 3rd item of the issue originally means "All IPRanges of ExternalIPPools must not overlap", not only IP ranges of a single ExternalIPPool, because the datapath wouldn't be working if it's configured so. I guess it's hard to strictly prevent it because externalIPPoolLister may be not in sync with actual objects in kube-apiserver, but it should be able to prevent most configuration errors and still better than not checking at all, so could you also checking overlap with ranges in ExternalIPPoolController.externalIPPoolLister?

pkg/controller/externalippool/validate.go Outdated Show resolved Hide resolved
pkg/controller/externalippool/validate.go Outdated Show resolved Hide resolved
pkg/controller/externalippool/validate.go Outdated Show resolved Hide resolved
@aroradaman aroradaman requested a review from tnqn January 23, 2024 19:14
@aroradaman aroradaman force-pushed the external-ip-pool-validation branch 2 times, most recently from 8e2f678 to 388639a Compare January 23, 2024 20:04
tnqn
tnqn reviewed Jan 25, 2024
View reviewed changes
pkg/controller/externalippool/validate.go Outdated Show resolved Hide resolved
pkg/controller/externalippool/validate.go Outdated Show resolved Hide resolved
pkg/controller/externalippool/validate.go Outdated Show resolved Hide resolved
pkg/controller/externalippool/validate.go Outdated Show resolved Hide resolved
@aroradaman aroradaman force-pushed the external-ip-pool-validation branch 2 times, most recently from ad31ed5 to f5da8d2 Compare January 28, 2024 19:12
@tnqn
Copy link
Member

tnqn commented Jan 29, 2024

3 e2e tests failed at TestEgress. There seemed to be a panic when calling the changed webhook:
https://github.com/antrea-io/antrea/actions/runs/7687867552/job/20948603505?pr=5898

@aroradaman
pkg/apiserver: use instance of externalIPPoolController for validation
696e1e7 
Presently, when validating ExternalIPPool, attempting to invoke methods
defined on externalIPPoolController results in a nil pointer exception
and eventually triggers a panic. With this commit, the initialized
externalIPPoolController is used to construct the APIServer
configuration,facilitating access to other methods of
externalIPPoolController during the validation of ExternalIPPool.

Signed-off-by: Daman Arora <[email protected]>
@aroradaman
pkg/util/ip: utility function to get start and end address of a prefix
de7fcef 
Signed-off-by: Daman Arora <[email protected]>
@tnqn
Copy link
Member

tnqn commented Jan 29, 2024

3 e2e tests failed at TestEgress. There seemed to be a panic when calling the changed webhook:
https://github.com/antrea-io/antrea/actions/runs/7687867552/job/20948603505?pr=5898

It was because c.externalIPPoolController below is nil. It worked previously because it never relies on any member variables to do the validation. You need to change NewConfig to pass the externalIPPoolController.

antrea/pkg/apiserver/apiserver.go

Line 330 in 025c3f6

s.Handler.NonGoRestfulMux.HandleFunc("/validate/externalippool", webhook.HandlerForValidateFunc(c.externalIPPoolController.ValidateExternalIPPool))

@aroradaman
Copy link
Contributor Author

aroradaman commented Jan 29, 2024
edited
Loading

3 e2e tests failed at TestEgress. There seemed to be a panic when calling the changed webhook:
https://github.com/antrea-io/antrea/actions/runs/7687867552/job/20948603505?pr=5898

It was because c.externalIPPoolController below is nil. It worked previously because it never relies on any member variables to do the validation. You need to change NewConfig to pass the externalIPPoolController.

antrea/pkg/apiserver/apiserver.go

Line 330 in 025c3f6

s.Handler.NonGoRestfulMux.HandleFunc("/validate/externalippool", webhook.HandlerForValidateFunc(c.externalIPPoolController.ValidateExternalIPPool))

yeah, figured that. I was just about to push the commit fixing that.

@aroradaman aroradaman requested a review from tnqn January 29, 2024 11:01
tnqn
tnqn previously approved these changes Jan 29, 2024
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @aroradaman

@tnqn tnqn added the action/release-note Indicates a PR that should be included in release notes. label Jan 29, 2024
@tnqn
Copy link
Member

tnqn commented Jan 29, 2024

/skip-all

@tnqn
Copy link
Member

tnqn commented Jan 29, 2024

/test-ipv6-e2e
/test-ipv6-only-e2e

@tnqn
Copy link
Member

tnqn commented Jan 30, 2024

@aroradaman e2e test failed when it tried to update an externalIPPool. The combinedRanges should exclude the existing ip ranges of the pool being update.

@aroradaman
Copy link
Contributor Author

@aroradaman e2e test failed when it tried to update an externalIPPool. The combinedRanges should exclude the existing ip ranges of the pool being update.

I added a unit test to update 10.10.10.0/24 range with 10.10.0.0/16 to check the same but it failed. Right now getIPRangeSet makes a string/set comparison, should I enhance this validation as well?

Assuming an update from 10.10.10.0/24 to 10.10.0.0/16 should be allowed as no range is deleted.

@tnqn
Copy link
Member

tnqn commented Jan 30, 2024

@aroradaman e2e test failed when it tried to update an externalIPPool. The combinedRanges should exclude the existing ip ranges of the pool being update.

I added a unit test to update 10.10.10.0/24 range with 10.10.0.0/16 to check the same but it failed. Right now getIPRangeSet makes a string/set comparison, should I enhance this validation as well?

Assuming an update from 10.10.10.0/24 to 10.10.0.0/16 should be allowed as no range is deleted.

That's another story and may require more changes in ip allocators as well. It's better to focus on the 3 validations in this PR.

@aroradaman
pkg/controller/externalippool: enhance validation
8e7ca2d 
* Validate if any IPRange don't overlap with another IPRange of current or existing pool
* Validate if IPRange.Start <= IPRange.End
* Validate if IPRange.Start and IPRange.End belong to same IP family

Signed-off-by: Daman Arora <[email protected]>
@aroradaman
Copy link
Contributor Author

/test-ipv6-e2e
/test-ipv6-only-e2e

tnqn
tnqn approved these changes Jan 31, 2024
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tnqn
Copy link
Member

tnqn commented Jan 31, 2024

/skip-all

@tnqn tnqn merged commit 003eb71 into antrea-io:main Jan 31, 2024
52 of 55 checks passed
@aroradaman aroradaman deleted the external-ip-pool-validation branch January 31, 2024 06:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tnqn tnqn tnqn approved these changes

Assignees
No one assigned
Labels
action/release-note Indicates a PR that should be included in release notes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enhance ExternalIPPool validation
2 participants
@aroradaman @tnqn