Merge pull request #98726 from cpanato/followup-endport

networking/validation: add endport range validation
Kubernetes Prow Robot 2021-02-11 11:53:26 -08:00 committed by GitHub
commit 91e4b9dd7d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 33 additions and 2 deletions


@ -68,8 +68,13 @@ func ValidateNetworkPolicyPort(port *networking.NetworkPolicyPort, portPath *fie
for _, msg := range validation.IsValidPortNum(int(port.Port.IntVal)) {
allErrs = append(allErrs, field.Invalid(portPath.Child("port"), port.Port.IntVal, msg))
}
if port.EndPort != nil && *port.EndPort < port.Port.IntVal {
allErrs = append(allErrs, field.Invalid(portPath.Child("endPort"), port.Port.IntVal, "must be greater than or equal to `port`"))
if port.EndPort != nil {
if *port.EndPort < port.Port.IntVal {
allErrs = append(allErrs, field.Invalid(portPath.Child("endPort"), port.Port.IntVal, "must be greater than or equal to `port`"))
}
for _, msg := range validation.IsValidPortNum(int(*port.EndPort)) {
allErrs = append(allErrs, field.Invalid(portPath.Child("endPort"), *port.EndPort, msg))
}
}
} else {
if port.EndPort != nil {
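Review bot: The `field.Invalid` call inside `if *port.EndPort < port.Port.IntVal` reports `port.Port.IntVal` as the rejected value although its path is `endPort`, so the message names one field and prints the other field's value. The range check added right below it passes `*port.EndPort`, and the ordering check should do the same by changing its second argument to `*port.EndPort`. Since both checks run independently, an endPort that is below `port` and also out of range yields two errors on the same path; that seems acceptable, but a short comment such as `// endPort must itself be a valid port number (1-65535), independent of its ordering against port` would make the intent explicit. The `else` branch and the rest of ValidateNetworkPolicyPort continue outside this hunk.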


@ -1018,6 +1018,32 @@ func TestValidateNetworkPolicy(t *testing.T) {
},
},
},
"invalid endport range defined": {
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
Spec: networking.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchLabels: map[string]string{"a": "b"},
},
Egress: []networking.NetworkPolicyEgressRule{
{
To: []networking.NetworkPolicyPeer{
{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{"c": "d"},
},
},
},
Ports: []networking.NetworkPolicyPort{
{
Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 30000},
EndPort: utilpointer.Int32Ptr(65537),
},
},
},
},
},
},
}
// Error cases are not expected to pass validation.
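Review bot: The new error case uses `EndPort: utilpointer.Int32Ptr(65537)`, which is two past the limit, so it would still pass if the upper bound were off by one. Using 65536 here would pin the first rejected value. A matching success case with `EndPort` of 65535 would pin the last accepted one, if the success cases outside this hunk do not already include it. Judging by the trailing comment, the table only asserts that validation fails, so this case does not confirm that the failure comes from the range check on `endPort` rather than from some other field.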