⚠️ Add strict validation for CIDR ranges specified in Clusters

[killianmuldoon]

Signed-off-by: killianmuldoon [email protected]

Add a check in the Cluster webhook to ensure each CIDR block only contains valid CIDR blocks.

/kind bug

Fixes: #7358

[killianmuldoon]

@marvinWolff - it would be great to get your input on this.

[killianmuldoon]

flake?

/retest

[fabriziopandini]

@jayunit100 PTAL if you have some time. We are discussing validation rules for CIDR in ClusterNetwork (ServiceCIDRs and Node/PodsCIDR)

[killianmuldoon]

I've updated the implementation to match that done by kubeadm:

The following is validated in the webhook:

1. No more than two CIDR blocks are specified under Pods or Services
2. If two are specified the blocks need to be from different IP families i.e. one IPv4 and one IPv6
3. The IPFamily for pods and services must be compatible
4. The CIDR ranges are valid CIDR ranges

This is done using the Cluster's GetIPFamily method. This is currently used in CAPI in the topology controller and in CAPD.

This change could be breaking for some providers if they were using these values for something other than passing them directly to Kubernetes e.g. informing an IP pool for some IPAM CNI, so I think we might need to be careful with including this change. That may be the case in #7358

The base problem is that validation on this field is done differently depending on whether or not users are using ClusterClass. If it's better to leave webhook validation as is, then validation should no longer be done when computing variables on the ClusterClass to make it consistent.

[killianmuldoon]

/hold

For more input from providers on the blast radius of this change

[vincepri]

Minor comments, rest lgtm

[vincepri]

We've discussed during the Cluster API office hours meeting on Oct 19th and decided by consensus that we should upgrade this PR to a ⚠️ (breaking change) and go ahead and merge the stricter validations, given that's what ultimately Kubernetes expects.

@killianmuldoon will send an email to the mailing list.

[marvinWolff]

Hello @killianmuldoon,

sorry for the late reply.

This looks good to me. Validating what kubernetes expects is a good idea to prevent creating clusters with a basically invalid configuration like we did.

We also solved our issue in the meantime by specifiying the whole ip-range and using calico ip-pools.

[killianmuldoon]

Thanks @marvinWolff can you share which providers you were using with the original config? Just wondering how the original version you had was working initially.

[killianmuldoon]

I did some digging into how Kubernetes validates these IP ranges (and which components use which) across the core components.

The conclusion is that these ranges are assumed to be either a single entry or dualstack if there are two entries. Supplying more than two CIDR ranges is not supported. With this in mind I think the validation approach in this PR is correct.

Details:

Kube Proxy

ClusterCIDR from flag cluster-cidr. CIDR range of pods in cluster.
Validated so there can not be more than two entries. If there are two entries they must be dualstack.
Ref: https://github.com/kubernetes/kubernetes/blob/7df6c02288833c7be66f425e03c1e858d2343f1f/pkg/proxy/apis/config/validation/validation.go#L73

Kube APIServer

ServiceClusterIPRanges from flag service-cluster-ip-range. CIDR range of services in the cluster.
Validated so there can not be more than two entries. If there are two entries they must be dualstack.
Ref: https://github.com/kubernetes/kubernetes/blob/6dc81c3280996a9a4267bf8ef30d4bda36f8a293/cmd/kube-apiserver/app/options/validation.go#L45

Kube Controller Manager

ClusterCIDR from flag cluster-cidr. CIDR range of pods in cluster. Validates so there can not be more than two entries. If there are two entries they must be dualstack.
Ref: https://github.com/kubernetes/kubernetes/blob/08749750a96fe7f236befa40076a3117e7b36733/staging/src/k8s.io/cloud-provider/app/core.go#L102

ServiceCIDR from flag service-cluster-ip-range. CIDR range for Services in Cluster. Takes the first two values given, but doesn't validate if more than two are given, instead just ignoring additional values. If there are two entries they must be dualstack.

Ref: https://github.com/kubernetes/kubernetes/blob/7b478d15d5838e14b8286c9b541c8cbd626cbe3c/cmd/kube-controller-manager/app/options/nodeipamcontroller.go#L51

Kubelet

PodCIDR from flag pod-cidr string. Only used in standalone mode, not relevant here.

Kube Scheduler

No CIDR related flags.

[killianmuldoon]

/hold

Want to bring this up one more time at office hours today - we can merge after that.

[elmiko]

as discussed in the community meeting on 9 November, we'd like to get more comments on this before merging. please review the defaults as described in #7521 (comment) , these will be encoded by this PR.

if there are no additional comments or objections by 11 November, we will merge this.

[sbueringer]

@killianmuldoon Can you rebase when you have some time?

[sbueringer]

Thank you very much!!

/lgtm

[sbueringer]

/assign @fabriziopandini

[fabriziopandini]

I like the fact that we are not making IpFamily a first-class concern given that it is CAPD specific.
I have one last question on validation to make sure we are not blocking use cases allowed upstream (like the one in the attached issue).

[fabriziopandini]

Is this a Kubernetes limitation that applies both to service and pod cidr?
same for 2

[fabriziopandini]

If not we are not sure I will simply validate all the CIDR are valid, without making assumptions on the combination of them in this first iteration

[sbueringer]

Both

Services: https://github.com/kubernetes/kubernetes/blob/6dc81c3280996a9a4267bf8ef30d4bda36f8a293/cmd/kube-apiserver/app/options/validation.go#L47-L69

Pods: https://github.com/kubernetes/kubernetes/blob/08749750a96fe7f236befa40076a3117e7b36733/staging/src/k8s.io/cloud-provider/app/core.go#L127-L133

(see #7420 (comment))

[killianmuldoon]

/remove-hold

[fabriziopandini]

/lgtm
Thanks for opening the follow-up issue, appreciated

[sbueringer]

one nit, otherwise lgtm

[sbueringer]

Thx!

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sbueringer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment