From 974d716e4cafa2a0e148f91ebdd441b40b9219eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Sun, 8 Oct 2023 13:46:01 +0800
Subject: [PATCH] webhook: fix ip validation when pod is annotated with an ippool name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 张祖建
---
 pkg/webhook/static_ip.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/pkg/webhook/static_ip.go b/pkg/webhook/static_ip.go
index f12ef899fc5..cadc4c21448 100644
--- a/pkg/webhook/static_ip.go
+++ b/pkg/webhook/static_ip.go
@@ -12,6 +12,7 @@ import (
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
 "k8s.io/klog/v2"
 ctrlwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -162,14 +163,14 @@ func (v *ValidatingHook) validateIP(ctx context.Context, annotations map[string]
 if err := v.cache.List(ctx, ipList); err != nil {
 return ctrlwebhook.Errored(http.StatusBadRequest, err)
 }
- if err := v.validateIPConflict(annotations, name, ipList.Items); err != nil {
+ if err := v.validateIPConflict(ctx, annotations, name, ipList.Items); err != nil {
 return ctrlwebhook.Denied(err.Error())
 }
 return ctrlwebhook.Allowed("by pass")
 }
-func (v *ValidatingHook) validateIPConflict(annotations map[string]string, name string, ipList []ovnv1.IP) error {
+func (v *ValidatingHook) validateIPConflict(ctx context.Context, annotations map[string]string, name string, ipList []ovnv1.IP) error {
 annoSubnet := annotations[util.LogicalSwitchAnnotation]
 if annotations[util.LogicalSwitchAnnotation] == "" {
 annoSubnet = util.DefaultSubnet
@@ -183,7 +184,12 @@ func (v *ValidatingHook) validateIPConflict(annotations map[string]string, name
 ipPool := annotations[util.IPPoolAnnotation]
 if ipPool != "" {
- if err := v.checkIPConflict(ipPool, annoSubnet, name, ipList); err != nil {
+ if !strings.ContainsRune(ipPool, ',') && net.ParseIP(ipPool) == nil {
+ pool := &ovnv1.IPPool{}
+ if err := v.cache.Get(ctx, types.NamespacedName{Name: ipPool}, pool); err != nil {
+ return fmt.Errorf("ippool %q not found", ipPool)
+ }
+ } else if err := v.checkIPConflict(ipPool, annoSubnet, name, ipList); err != nil {
 return err
 }
 }
@@ -198,6 +204,9 @@ func (v *ValidatingHook) checkIPConflict(ipAddress, annoSubnet, name string, ipL
 } else {
 ipAddr = net.ParseIP(strings.TrimSpace(ip))
 }
+ if ipAddr == nil {
+ return fmt.Errorf("invalid static ip/ippool annotation value: %s", ipAddress)
+ }
 for _, ipCr := range ipList {
 if annoSubnet != "" && ipCr.Spec.Subnet != annoSubnet {
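Review bot: The new branch in validateIPConflict classifies the annotation as an IPPool name with `net.ParseIP(ipPool) == nil` on the raw value, whereas checkIPConflict parses each entry through `strings.TrimSpace` and appears to have a second parsing branch above its `else`. A single address with surrounding whitespace (and possibly one in another accepted form) would therefore be looked up as a pool and the pod denied with "ippool not found"; classifying on `strings.TrimSpace(ipPool)` keeps the two paths consistent. Separately, every `v.cache.Get` failure is reported as not found and the underlying error is dropped, so a cache or permission failure reads as a bad annotation. I would return the not-found message only when `apierrors.IsNotFound(err)` holds (package k8s.io/apimachinery/pkg/api/errors, not imported in the visible hunks) and otherwise `return fmt.Errorf("get ippool %q: %w", ipPool, err)`. validateIPConflict starts and ends outside this hunk.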
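Review bot: The error added in checkIPConflict formats the pod-supplied annotation with `%s` and prints the whole `ipAddress` list rather than the entry that failed to parse. That string flows back through validateIPConflict into `ctrlwebhook.Denied(err.Error())`, so newlines or control characters in the annotation reach the admission response and any log of it unescaped. Quoting it, as the ippool message in the previous hunk already does, and naming the failing element is enough: `return fmt.Errorf("invalid static ip/ippool annotation value: %q", ip)`. The loop that declares `ip` begins above the hunk, so confirm the variable name there.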