Validate AntreaIPAM IP ranges #2995
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2995 +/- ##
==========================================
- Coverage 60.89% 54.79% -6.11%
==========================================
Files 268 374 +106
Lines 26753 51398 +24645
==========================================
+ Hits 16292 28162 +11870
- Misses 8655 20786 +12131
- Partials 1806 2450 +644
Flags with carried forward coverage won't be shown. Click here to find out more.
|
ksamoray
force-pushed
the
ipam-validate
branch
3 times, most recently
from
9126a38
to
560ec3f
Compare
pkg/controller/ipam/validate.go
Outdated
| return validationResult(false, msg) | ||
| } | ||
|
|
||
| if allowed { |
There was a problem hiding this comment.
Can allowed be false at this stage?
There was a problem hiding this comment.
It's redundant, I'll remove.
ksamoray
force-pushed
the
ipam-validate
branch
3 times, most recently
from
d08ef44
to
87b2e3f
Compare
pkg/controller/ipam/validate.go
Outdated
| _, cidr, _ := net.ParseCIDR(r.CIDR) | ||
| if !cidr.Contains(gateway) { | ||
| return false, fmt.Sprintf( | ||
| "Range is invalid. Gateway %s is unreachable from CIDR %s", r.Gateway, r.CIDR) |
There was a problem hiding this comment.
In my understanding, as the feature requires the Pod CIDR is in the same subnet of Node IP addresses. The CIDR will be a subset of the underlay subnet and the gateway will not be within the CIDR. For example, the underlay subnet is 192.168.0.0/22, the Node CIDR is 192.168.0.0/24, the Pod CIDR is 192.168.1.0/24, but the gateway 192.168.0.1 is not within 192.168.1.0/24.
I think it should check PodCIDR/r.PrefixLength contains the gateway IP.
@GraysonWu @annakhm could you confirm?
There was a problem hiding this comment.
I think it should be checked.
@annakhm Do you think we need to check it here?
There was a problem hiding this comment.
@gran-vmv is my understanding correct? We should check whether PodCIDR/PrefixLength contains the gateway IP, instead of the provided PodCIDR itself, right?
There was a problem hiding this comment.
I believe we should check that subnet CIDR defined by SubnetInfo.Gateway/SubnetInfo.PrefixLength should contain the CIDR/range that we are validating.
ksamoray
force-pushed
the
ipam-validate
branch
2 times, most recently
from
8811652
to
85ab7f9
Compare
pkg/controller/ipam/validate_test.go
Outdated
| }, | ||
| }, | ||
| { | ||
| name: "CREATE operation with CIDR overlap with IP range should not be allowed", |
There was a problem hiding this comment.
what's the difference between the above one and this one?
There was a problem hiding this comment.
1st one intersect while the 2nd one is contained. I added the latter as your review comment above was that the latter case is not covered by the validation. If you think that one of these is redundant, I can remove it.
There was a problem hiding this comment.
The two cases look good to me. I just didn't tell the difference from the name of the cases. Could we make the name a bit more explict to explain the difference?
|
|
||
| func validateIPRange(r crdv1alpha2.SubnetIPRange, poolIPVersion int) (bool, string) { | ||
| // Validate the integrity of IPs within the IP range | ||
| gateway := net.ParseIP(r.Gateway) |
There was a problem hiding this comment.
Just to save 4 lines of code, can we validate GW IP version here and rely on further checks to fail if IP version differs for other attributes?
ksamoray
force-pushed
the
ipam-validate
branch
from
85ab7f9
to
5c82de5
Compare
pkg/controller/ipam/validate_test.go
Outdated
| }, | ||
| }, | ||
| { | ||
| name: "CREATE operation with CIDR overlap with IP range should not be allowed", |
There was a problem hiding this comment.
The two cases look good to me. I just didn't tell the difference from the name of the cases. Could we make the name a bit more explict to explain the difference?
ksamoray
force-pushed
the
ipam-validate
branch
2 times, most recently
from
9800a09
to
9560fd8
Compare
|
/test-all |
|
/test-all |
ksamoray
force-pushed
the
ipam-validate
branch
2 times, most recently
from
9dc67b0
to
5394ae2
Compare
|
LGTM |
|
/test-all |
ksamoray
force-pushed
the
ipam-validate
branch
from
5394ae2
to
18fa854
Compare
|
Sorry, wait too long to merge this PR. Will merge it once CI is recovered. |
Verify that: - There are no overlaps between an IPPool ranges while creating and updating pools. - Validate that the gateway IP belongs to the same subnet as the IP range addresses. Signed-off-by: Kobi Samoray <[email protected]>
ksamoray
force-pushed
the
ipam-validate
branch
from
18fa854
to
cb5b3b6
Compare
|
@tnqn this has been sitting for a while, mind having a look again (no changes whatsoever, I've just rebased it). |
tnqn
added
the
action/release-note
Verify that: - There are no overlaps between an IPPool ranges while creating and updating pools. - Validate that the gateway IP belongs to the same subnet as the IP range addresses. Signed-off-by: Kobi Samoray <[email protected]>
Verify that:
updating pools.
range addresses.
Signed-off-by: Kobi Samoray [email protected]