Merge pull request #88657 from chendotjs/validate-ipvs-timeout

validate configuration of kube-proxy IPVS tcp,tcpfin,udp timeout
2025-07-22 19:31:44 +00:00 · 2020-03-02 14:50:16 -08:00 · 2020-03-02 14:50:16 -08:00 · 01593144e6
commit 01593144e6
parent d115206309 e79f49ebba
2 changed files with 66 additions and 0 deletions
--- a/pkg/proxy/apis/config/validation/validation.go
+++ b/pkg/proxy/apis/config/validation/validation.go
@ -147,6 +147,7 @@ func validateKubeProxyIPVSConfiguration(config kubeproxyconfig.KubeProxyIPVSConf
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("SyncPeriod"), config.MinSyncPeriod, fmt.Sprintf("must be greater than or equal to %s", fldPath.Child("MinSyncPeriod").String())))
 	}

+	allErrs = append(allErrs, validateIPVSTimeout(config, fldPath)...)
 	allErrs = append(allErrs, validateIPVSSchedulerMethod(kubeproxyconfig.IPVSSchedulerMethod(config.Scheduler), fldPath.Child("Scheduler"))...)
 	allErrs = append(allErrs, validateIPVSExcludeCIDRs(config.ExcludeCIDRs, fldPath.Child("ExcludeCidrs"))...)

@ -283,6 +284,24 @@ func validateKubeProxyNodePortAddress(nodePortAddresses []string, fldPath *field
 	return allErrs
 }

+func validateIPVSTimeout(config kubeproxyconfig.KubeProxyIPVSConfiguration, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if config.TCPTimeout.Duration < 0 {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("TCPTimeout"), config.TCPTimeout, "must be greater than or equal to 0"))
+	}
+
+	if config.TCPFinTimeout.Duration < 0 {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("TCPFinTimeout"), config.TCPFinTimeout, "must be greater than or equal to 0"))
+	}
+
+	if config.UDPTimeout.Duration < 0 {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("UDPTimeout"), config.UDPTimeout, "must be greater than or equal to 0"))
+	}
+
+	return allErrs
+}
+
 func validateIPVSExcludeCIDRs(excludeCIDRs []string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}

--- a/pkg/proxy/apis/config/validation/validation_test.go
+++ b/pkg/proxy/apis/config/validation/validation_test.go
@ -597,6 +597,53 @@ func TestValidateKubeProxyIPVSConfiguration(t *testing.T) {
 			},
 			expectErr: false,
 		},
+		// IPVS Timeout can be 0
+		{
+			config: kubeproxyconfig.KubeProxyIPVSConfiguration{
+				SyncPeriod:    metav1.Duration{Duration: 5 * time.Second},
+				TCPTimeout:    metav1.Duration{Duration: 0 * time.Second},
+				TCPFinTimeout: metav1.Duration{Duration: 0 * time.Second},
+				UDPTimeout:    metav1.Duration{Duration: 0 * time.Second},
+			},
+			expectErr: false,
+		},
+		// IPVS Timeout > 0
+		{
+			config: kubeproxyconfig.KubeProxyIPVSConfiguration{
+				SyncPeriod:    metav1.Duration{Duration: 5 * time.Second},
+				TCPTimeout:    metav1.Duration{Duration: 1 * time.Second},
+				TCPFinTimeout: metav1.Duration{Duration: 2 * time.Second},
+				UDPTimeout:    metav1.Duration{Duration: 3 * time.Second},
+			},
+			expectErr: false,
+		},
+		// TCPTimeout Timeout < 0
+		{
+			config: kubeproxyconfig.KubeProxyIPVSConfiguration{
+				SyncPeriod: metav1.Duration{Duration: 5 * time.Second},
+				TCPTimeout: metav1.Duration{Duration: -1 * time.Second},
+			},
+			expectErr: true,
+			reason:    "TCPTimeout must be greater than or equal to 0",
+		},
+		// TCPFinTimeout Timeout < 0
+		{
+			config: kubeproxyconfig.KubeProxyIPVSConfiguration{
+				SyncPeriod:    metav1.Duration{Duration: 5 * time.Second},
+				TCPFinTimeout: metav1.Duration{Duration: -1 * time.Second},
+			},
+			expectErr: true,
+			reason:    "TCPFinTimeout must be greater than or equal to 0",
+		},
+		// UDPTimeout Timeout < 0
+		{
+			config: kubeproxyconfig.KubeProxyIPVSConfiguration{
+				SyncPeriod: metav1.Duration{Duration: 5 * time.Second},
+				UDPTimeout: metav1.Duration{Duration: -1 * time.Second},
+			},
+			expectErr: true,
+			reason:    "UDPTimeout must be greater than or equal to 0",
+		},
 	}

 	for _, test := range testCases {