diff --git a/pkg/api/validation/validation.go b/pkg/api/validation/validation.go
index c2d1040af0d..657f1aae5fd 100644
--- a/pkg/api/validation/validation.go
+++ b/pkg/api/validation/validation.go
@@ -1835,13 +1835,19 @@ func ValidateNodeUpdate(node, oldNode *api.Node) field.ErrorList {
 addresses[address] = true
 }
 
+ if len(oldNode.Spec.PodCIDR) == 0 {
+ // Allow the controller manager to assign a CIDR to a node if it doesn't have one.
+ oldNode.Spec.PodCIDR = node.Spec.PodCIDR
+ } else {
+ if oldNode.Spec.PodCIDR != node.Spec.PodCIDR {
+ allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "podCIDR"), "node updates may not change podCIDR except from \"\" to valid"))
+ }
+ }
 // TODO: move reset function to its own location
 // Ignore metadata changes now that they have been tested
 oldNode.ObjectMeta = node.ObjectMeta
 // Allow users to update capacity
 oldNode.Status.Capacity = node.Status.Capacity
- // Allow the controller manager to assign a CIDR to a node.
- oldNode.Spec.PodCIDR = node.Spec.PodCIDR
 // Allow users to unschedule node
 oldNode.Spec.Unschedulable = node.Spec.Unschedulable
 // Clear status
diff --git a/pkg/api/validation/validation_test.go b/pkg/api/validation/validation_test.go
index 72c66383d46..62f1c0ac180 100644
--- a/pkg/api/validation/validation_test.go
+++ b/pkg/api/validation/validation_test.go
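Review bot: The first-assignment branch in ValidateNodeUpdate copies `node.Spec.PodCIDR` into `oldNode` without any visible check that the string parses as a CIDR, even though the error text promises `"" to valid`. Because the else branch then forbids every later change, a malformed or mistaken first value could not be corrected through an update, so the parse check matters more after this commit than before it. Unless ValidateNode (outside this hunk) already validates the field, reject an unparsable value before the assignment, as sketched below; this assumes `net` is already imported in the file. The nested `else { if … }` can also be flattened to `else if`. The function body starts and ends outside the hunk.

```go
if len(oldNode.Spec.PodCIDR) == 0 {
	// First assignment only: reject a value that does not parse as a CIDR,
	// because the branch below makes the field immutable afterwards.
	if len(node.Spec.PodCIDR) != 0 {
		if _, _, err := net.ParseCIDR(node.Spec.PodCIDR); err != nil {
			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "podCIDR"), node.Spec.PodCIDR, "must be a valid CIDR"))
		}
	}
	oldNode.Spec.PodCIDR = node.Spec.PodCIDR
} else if oldNode.Spec.PodCIDR != node.Spec.PodCIDR {
	// … unchanged: field.Forbidden append …
}
```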
@@ -3245,6 +3245,36 @@ func TestValidateNodeUpdate(t *testing.T) {
 Labels: map[string]string{"foo": "baz"},
 },
 }, true},
+ {api.Node{
+ ObjectMeta: api.ObjectMeta{
+ Name: "foo",
+ },
+ Spec: api.NodeSpec{
+ PodCIDR: "",
+ },
+ }, api.Node{
+ ObjectMeta: api.ObjectMeta{
+ Name: "foo",
+ },
+ Spec: api.NodeSpec{
+ PodCIDR: "192.168.0.0/16",
+ },
+ }, true},
+ {api.Node{
+ ObjectMeta: api.ObjectMeta{
+ Name: "foo",
+ },
+ Spec: api.NodeSpec{
+ PodCIDR: "192.123.0.0/16",
+ },
+ }, api.Node{
+ ObjectMeta: api.ObjectMeta{
+ Name: "foo",
+ },
+ Spec: api.NodeSpec{
+ PodCIDR: "192.168.0.0/16",
+ },
+ }, false},
 {api.Node{
 ObjectMeta: api.ObjectMeta{
 Name: "foo",
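Review bot: The added table entries leave the clearing case untested: an already assigned podCIDR being set back to empty should also hit the new Forbidden branch, but no entry pins that. Judging by the two added cases, the first node of each entry is presumably the old object. On that reading, add an entry whose first node has `PodCIDR: "192.168.0.0/16"`, whose second has `PodCIDR: ""`, and whose expected result is `false`. An entry where both nodes carry the same non-empty CIDR with expected `true` would pin the unchanged case as well. The test table and TestValidateNodeUpdate continue outside the hunk.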