Openstack null-support for load balancer source

We return an error if the user specifies a non 0.0.0.0/0 load balancer source restriction on OpenStack, where we can't enforce the restriction (currently).
2025-08-05 18:24:07 +00:00 · 2016-02-24 11:10:56 -05:00 · 2016-02-24 11:10:56 -05:00 · 818925cc25
commit 818925cc25
parent 49e1149227
2 changed files with 24 additions and 0 deletions
--- a/pkg/cloudprovider/providers/openstack/openstack.go
+++ b/pkg/cloudprovider/providers/openstack/openstack.go
@ -685,6 +685,15 @@ func (lb *LoadBalancer) EnsureLoadBalancer(name, region string, loadBalancerIP n
 		return nil, fmt.Errorf("unsupported load balancer affinity: %v", affinity)
 	}

+	sourceRanges, err := cloudprovider.GetSourceRangeAnnotations(annotations)
+	if err != nil {
+		return nil, err
+	}
+
+	if !cloudprovider.IsAllowAll(sourceRanges) {
+		return nil, fmt.Errorf("Source range restrictions are not supported for openstack load balancers")
+	}
+
 	glog.V(2).Infof("Checking if openstack load balancer already exists: %s", name)
 	_, exists, err := lb.GetLoadBalancer(name, region)
 	if err != nil {
--- a/pkg/cloudprovider/utils.go
+++ b/pkg/cloudprovider/utils.go
@ -67,6 +67,11 @@ func (l IPNetSet) Equal(r IPNetSet) bool {
 	return true
 }

+// Len returns the size of the set.
+func (s IPNetSet) Len() int {
+	return len(s)
+}
+
 // GetSourceRangeAnnotations verifies and parses the LBAnnotationAllowSourceRange annotation from a service,
 // extracting the source ranges to allow, and if not present returns a default (allow-all) value.
 func GetSourceRangeAnnotations(annotation map[string]string) (IPNetSet, error) {
@ -82,3 +87,13 @@ func GetSourceRangeAnnotations(annotation map[string]string) (IPNetSet, error) {
 	}
 	return ipnets, nil
 }
+
+// IsAllowAll checks whether the IPNetSet contains the default allow-all policy
+func IsAllowAll(ipnets IPNetSet) bool {
+	for _, s := range ipnets.StringSlice() {
+		if s == "0.0.0.0/0" {
+			return true
+		}
+	}
+	return false
+}