From ea693833c8d33228d7f32296d9076d96452acccb Mon Sep 17 00:00:00 2001
From: Quan Tian
Date: Tue, 24 Dec 2019 15:20:22 +0800
Subject: [PATCH] Validate Except of IPBlock for NetworkPolicy spec

This patch enhances the validation of Except field that the values will be rejected if they are not strictly within the CIDR range.
---
 pkg/apis/networking/validation/validation.go | 6 ++++--
 .../networking/validation/validation_test.go | 20 +++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/networking/validation/validation.go b/pkg/apis/networking/validation/validation.go
index 11663045dc1..50a202cde56 100644
--- a/pkg/apis/networking/validation/validation.go
+++ b/pkg/apis/networking/validation/validation.go
@@ -165,8 +165,10 @@ func ValidateIPBlock(ipb *networking.IPBlock, fldPath *field.Path) field.ErrorLi
 allErrs = append(allErrs, field.Invalid(exceptPath, exceptIP, "not a valid CIDR"))
 return allErrs
 }
- if !cidrIPNet.Contains(exceptCIDR.IP) {
- allErrs = append(allErrs, field.Invalid(exceptPath, exceptCIDR.IP, "not within CIDR range"))
+ cidrMaskLen, _ := cidrIPNet.Mask.Size()
+ exceptMaskLen, _ := exceptCIDR.Mask.Size()
+ if !cidrIPNet.Contains(exceptCIDR.IP) || cidrMaskLen >= exceptMaskLen {
+ allErrs = append(allErrs, field.Invalid(exceptPath, exceptIP, "must be a strict subset of `cidr`"))
 }
 }
 return allErrs
diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go
index 619a035ae60..888e78f8a56 100644
--- a/pkg/apis/networking/validation/validation_test.go
+++ b/pkg/apis/networking/validation/validation_test.go
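Review bot: The `>=` in the new condition is the substance of this fix but nothing explains it, and a later reader may mistake it for an off-by-one and relax it to `>`. An except prefix no longer than cidr's covers all of cidr (or a superset of it), so containment of its network address alone was never sufficient; add above the `if`: `// Containment of the network address is not enough: an except prefix no longer than cidr's covers all of cidr, so require a strictly longer prefix.` Both lengths come from `Mask.Size()`, which reports 0 for a non-canonical mask; masks produced by net.ParseCIDR are canonical, so that presumably cannot arise here, but the parse of exceptCIDR is outside the hunk. Contains returns false on an address-family mismatch, so the length comparison only decides for same-family values, which is worth a word in the same comment. ValidateIPBlock begins outside the hunk.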
@@ -715,6 +715,26 @@ func TestValidateNetworkPolicy(t *testing.T) {
 },
 },
 },
+ "except IP is not strictly within CIDR range": {
+ ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+ Spec: networking.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{
+ MatchLabels: map[string]string{"a": "b"},
+ },
+ Ingress: []networking.NetworkPolicyIngressRule{
+ {
+ From: []networking.NetworkPolicyPeer{
+ {
+ IPBlock: &networking.IPBlock{
+ CIDR: "192.168.0.0/24",
+ Except: []string{"192.168.0.0/24"},
+ },
+ },
+ },
+ },
+ },
+ },
+ },
 "except IPv6 is outside of CIDR range": {
 ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
 Spec: networking.NetworkPolicySpec{
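Review bot: The added case only covers an except equal to cidr; the case the old `Contains` check wrongly accepted — an except that is a superset of cidr, whose network address lies inside it — is left untested, so a regression to the old behaviour would still pass this table. Add a sibling entry with `CIDR: "192.168.0.0/24",` and `Except: []string{"192.168.0.0/16"},`, and ideally an IPv6 counterpart next to the existing "except IPv6 is outside of CIDR range" case. Judging by the neighbouring key names this map appears to be the error-case table, but that is inferred; TestValidateNetworkPolicy itself begins outside the hunk.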