Merge pull request #86578 from tnqn/except-validation

Validate Except of IPBlock for NetworkPolicy spec
2025-08-04 18:00:08 +00:00 · 2020-02-08 14:45:53 -08:00 · 2020-02-08 14:45:53 -08:00 · 0c6470115e
commit 0c6470115e
parent 7c1dfd1b83 ea693833c8
2 changed files with 24 additions and 2 deletions
--- a/pkg/apis/networking/validation/validation.go
+++ b/pkg/apis/networking/validation/validation.go
@ -165,8 +165,10 @@ func ValidateIPBlock(ipb *networking.IPBlock, fldPath *field.Path) field.ErrorLi
 			allErrs = append(allErrs, field.Invalid(exceptPath, exceptIP, "not a valid CIDR"))
 			return allErrs
 		}
-		if !cidrIPNet.Contains(exceptCIDR.IP) {
+		cidrMaskLen, _ := cidrIPNet.Mask.Size()
-			allErrs = append(allErrs, field.Invalid(exceptPath, exceptCIDR.IP, "not within CIDR range"))
+		exceptMaskLen, _ := exceptCIDR.Mask.Size()
 		if !cidrIPNet.Contains(exceptCIDR.IP) || cidrMaskLen >= exceptMaskLen {
 			allErrs = append(allErrs, field.Invalid(exceptPath, exceptIP, "must be a strict subset of `cidr`"))
 		}
 	}
 	return allErrs
--- a/pkg/apis/networking/validation/validation_test.go
+++ b/pkg/apis/networking/validation/validation_test.go
@ -715,6 +715,26 @@ func TestValidateNetworkPolicy(t *testing.T) {
 				},
 			},
 		},
 		"except IP is not strictly within CIDR range": {
 			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
 			Spec: networking.NetworkPolicySpec{
 				PodSelector: metav1.LabelSelector{
 					MatchLabels: map[string]string{"a": "b"},
 				},
 				Ingress: []networking.NetworkPolicyIngressRule{
 					{
 						From: []networking.NetworkPolicyPeer{
 							{
 								IPBlock: &networking.IPBlock{
 									CIDR:   "192.168.0.0/24",
 									Except: []string{"192.168.0.0/24"},
 								},
 							},
 						},
 					},
 				},
 			},
 		},
 		"except IPv6 is outside of CIDR range": {
 			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
 			Spec: networking.NetworkPolicySpec{