Add validation for bridge config to webhook

Signed-off-by: Yury Kulazhenkov <[email protected]>
k8snetworkplumbingwg · Apr 30, 2024 · 2491bb4 · 2491bb4
1 parent b98cbff
commit 2491bb4
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 0 deletions.
diff --git a/pkg/webhook/validate.go b/pkg/webhook/validate.go
@@ -217,6 +217,11 @@ func staticValidateSriovNetworkNodePolicy(cr *sriovnetworkv1.SriovNetworkNodePol
 		return false, fmt.Errorf("'linkType: ib or IB' requires 'isRdma: true'; Set 'isRdma' to (bool)'true'")
 	}
 
+	// switchdev mode can be used only with ethernet links
+	if cr.Spec.LinkType != "" && !strings.EqualFold(cr.Spec.LinkType, consts.LinkTypeETH) && cr.Spec.EswitchMode == sriovnetworkv1.ESwithModeSwitchDev {
+		return false, fmt.Errorf("'eSwitchMode: switchdev' can be used only with ethernet links")
+	}
+
 	// vdpa: deviceType must be set to 'netdevice'
 	if cr.Spec.DeviceType != consts.DeviceTypeNetDevice && (cr.Spec.VdpaType == consts.VdpaTypeVirtio || cr.Spec.VdpaType == consts.VdpaTypeVhost) {
 		return false, fmt.Errorf("'deviceType: %s' conflicts with '%s'; Set 'deviceType' to (string)'netdevice' Or Remove 'vdpaType'", cr.Spec.DeviceType, cr.Spec.VdpaType)
@@ -225,6 +230,14 @@ func staticValidateSriovNetworkNodePolicy(cr *sriovnetworkv1.SriovNetworkNodePol
 	if (cr.Spec.VdpaType == consts.VdpaTypeVirtio || cr.Spec.VdpaType == consts.VdpaTypeVhost) && cr.Spec.EswitchMode != sriovnetworkv1.ESwithModeSwitchDev {
 		return false, fmt.Errorf("vdpa requires the device to be configured in switchdev mode")
 	}
+	// software bridge management: device must be configured in switchdev mode
+	if !cr.Spec.Bridge.IsEmpty() && cr.Spec.EswitchMode != sriovnetworkv1.ESwithModeSwitchDev {
+		return false, fmt.Errorf("software bridge management requires the device to be configured in switchdev mode")
+	}
+	// software bridge management: device can't be externally managed
+	if !cr.Spec.Bridge.IsEmpty() && cr.Spec.ExternallyManaged {
+		return false, fmt.Errorf("software bridge management can't be used when the device externally managed")
+	}
 	return true, nil
 }
 

diff --git a/pkg/webhook/validate_test.go b/pkg/webhook/validate_test.go
@@ -1107,6 +1107,70 @@ func TestStaticValidateSriovNetworkNodePolicyWithInvalidNicSelector(t *testing.T
 	g.Expect(ok).To(Equal(false))
 }
 
+func TestStaticValidateSriovNetworkNodePolicyWithInvalidLinkTypeForSwitchdev(t *testing.T) {
+	policy := &SriovNetworkNodePolicy{
+		Spec: SriovNetworkNodePolicySpec{
+			DeviceType:  "netdevice",
+			LinkType:    "ib",
+			IsRdma:      true,
+			EswitchMode: "switchdev",
+			NicSelector: SriovNetworkNicSelector{
+				PfNames: []string{"ens803f1"},
+			},
+			NodeSelector: map[string]string{
+				"feature.node.kubernetes.io/network-sriov.capable": "true",
+			},
+			ResourceName: "p0",
+		},
+	}
+	g := NewGomegaWithT(t)
+	ok, err := staticValidateSriovNetworkNodePolicy(policy)
+	g.Expect(err).To(HaveOccurred())
+	g.Expect(ok).To(Equal(false))
+}
+
+func TestStaticValidateSriovNetworkNodePolicyWithBridgeConfigWithoutSwitchdev(t *testing.T) {
+	policy := &SriovNetworkNodePolicy{
+		Spec: SriovNetworkNodePolicySpec{
+			DeviceType: "netdevice",
+			Bridge:     Bridge{OVS: &OVSConfig{}},
+			NicSelector: SriovNetworkNicSelector{
+				PfNames: []string{"ens803f1"},
+			},
+			NodeSelector: map[string]string{
+				"feature.node.kubernetes.io/network-sriov.capable": "true",
+			},
+			ResourceName: "p0",
+		},
+	}
+	g := NewGomegaWithT(t)
+	ok, err := staticValidateSriovNetworkNodePolicy(policy)
+	g.Expect(err).To(HaveOccurred())
+	g.Expect(ok).To(Equal(false))
+}
+
+func TestStaticValidateSriovNetworkNodePolicyWithBridgeConfigWithExternallyManaged(t *testing.T) {
+	policy := &SriovNetworkNodePolicy{
+		Spec: SriovNetworkNodePolicySpec{
+			DeviceType:        "netdevice",
+			Bridge:            Bridge{OVS: &OVSConfig{}},
+			EswitchMode:       "switchdev",
+			ExternallyManaged: true,
+			NicSelector: SriovNetworkNicSelector{
+				PfNames: []string{"ens803f1"},
+			},
+			NodeSelector: map[string]string{
+				"feature.node.kubernetes.io/network-sriov.capable": "true",
+			},
+			ResourceName: "p0",
+		},
+	}
+	g := NewGomegaWithT(t)
+	ok, err := staticValidateSriovNetworkNodePolicy(policy)
+	g.Expect(err).To(HaveOccurred())
+	g.Expect(ok).To(Equal(false))
+}
+
 func TestValidatePolicyForNodeStateWithValidNetFilter(t *testing.T) {
 	interfaceSelected = false
 	state := newNodeState()