Add logic to deal with 0.0.0.0/0 which ipset not support. (#599)
* Add logic to handle 0.0.0.0/0, which ipset does not support. * Add a unit test for the 0.0.0.0/0 ipset entry logic.
This commit is contained in:
Родитель
cf25cd318a
Коммит
ea5c9a7c21
@ -211,8 +211,19 @@ func createCidrsRule(ingressOrEgress, policyName, ns string, ipsetEntries [][]st
|
|||
log.Printf("Error creating ipset %s", ipCidrSet)
|
||||
}
|
||||
for _, ipCidrEntry := range util.DropEmptyFields(ipCidrSet) {
|
||||
if err := ipsMgr.AddToSet(setName, ipCidrEntry, util.IpsetNetHashFlag); err != nil {
|
||||
log.Printf("Error adding ip cidrs %s into ipset %s", ipCidrEntry, ipCidrSet)
|
||||
// Ipset doesn't allow 0.0.0.0/0 to be added. A general solution is split 0.0.0.0/1 in half which convert to
|
||||
// 1.0.0.0/1 and 128.0.0.0/1
|
||||
if (ipCidrEntry == "0.0.0.0/0") {
|
||||
splitEntry := [2]string{"1.0.0.0/1", "128.0.0.0/1"}
|
||||
for _, entry := range splitEntry {
|
||||
if err := ipsMgr.AddToSet(setName, entry, util.IpsetNetHashFlag); err != nil {
|
||||
log.Printf("Error adding ip cidrs %s into ipset %s", entry, ipCidrSet)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if err := ipsMgr.AddToSet(setName, ipCidrEntry, util.IpsetNetHashFlag); err != nil {
|
||||
log.Printf("Error adding ip cidrs %s into ipset %s", ipCidrEntry, ipCidrSet)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
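Review bot: The comment above the new branch misstates the split and the first half it adds is not a network address: it is 0.0.0.0/0 (not 0.0.0.0/1) that is halved, into the networks 0.0.0.0/1 and 128.0.0.0/1, whereas the code adds `1.0.0.0/1`, a host inside the lower half that ipset presumably masks down to 0.0.0.0/1 — if a non-zero address was chosen deliberately (say because ipset rejects a 0.0.0.0 member) the comment should say so, otherwise use `"0.0.0.0/1"`. gofmt would also drop the parentheses in `if (ipCidrEntry == "0.0.0.0/0")`, and the AddToSet/log pair is now duplicated across both branches; deciding the entry list first and running a single add loop removes the duplication (sketch below). A failure on either half is only logged, as the surrounding code does, which for an allow-from-anywhere rule leaves the set silently covering half the address space rather than surfacing an error — worth a comment so the log line is not read as benign. Only the IPv4 "any" literal is handled; if IPv6 policies can reach this path, `::/0` would hit the same ipset limitation, which I cannot confirm from the hunk. createCidrsRule begins before this hunk and the enclosing scope continues after it.
```go
for _, ipCidrEntry := range util.DropEmptyFields(ipCidrSet) {
	// ipset cannot hold 0.0.0.0/0; cover it with the two /1 halves instead.
	// NOTE(review): 1.0.0.0/1 is a host address that ipset presumably masks to 0.0.0.0/1 —
	// confirm, or use "0.0.0.0/1" directly.
	entries := []string{ipCidrEntry}
	if ipCidrEntry == "0.0.0.0/0" {
		entries = []string{"1.0.0.0/1", "128.0.0.0/1"}
	}
	for _, entry := range entries {
		if err := ipsMgr.AddToSet(setName, entry, util.IpsetNetHashFlag); err != nil {
			// A failed half leaves the set covering only part of the range; surfaced by log only, as elsewhere here.
			log.Printf("Error adding ip cidrs %s into ipset %s", entry, ipCidrSet)
		}
	}
}
```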
@ -77,11 +77,18 @@ func TestAddNetworkPolicy(t *testing.T) {
|
|||
Spec: networkingv1.NetworkPolicySpec{
|
||||
Ingress: []networkingv1.NetworkPolicyIngressRule{
|
||||
networkingv1.NetworkPolicyIngressRule{
|
||||
From: []networkingv1.NetworkPolicyPeer{{
|
||||
PodSelector: &metav1.LabelSelector{
|
||||
MatchLabels: map[string]string{"app": "test"},
|
||||
From: []networkingv1.NetworkPolicyPeer{
|
||||
networkingv1.NetworkPolicyPeer{
|
||||
PodSelector: &metav1.LabelSelector{
|
||||
MatchLabels: map[string]string{"app": "test"},
|
||||
},
|
||||
},
|
||||
}},
|
||||
networkingv1.NetworkPolicyPeer{
|
||||
IPBlock: &networkingv1.IPBlock{
|
||||
CIDR: "0.0.0.0/0",
|
||||
},
|
||||
},
|
||||
},
|
||||
Ports: []networkingv1.NetworkPolicyPort{{
|
||||
Protocol: &tcp,
|
||||
Port: &port8000,
|
||||
|
@ -98,6 +105,17 @@ func TestAddNetworkPolicy(t *testing.T) {
|
|||
}
|
||||
npMgr.Unlock()
|
||||
|
||||
ipsMgr = npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
|
||||
|
||||
// Check whether 0.0.0.0/0 got translated to 1.0.0.0/1 and 128.0.0.0/1
|
||||
if ! ipsMgr.Exists("allow-ingress-in-ns-test-nwpolicy-0in", "1.0.0.0/1", util.IpsetNetHashFlag) {
|
||||
t.Errorf("TestDeleteFromSet failed @ ipsMgr.AddToSet")
|
||||
}
|
||||
|
||||
if ! ipsMgr.Exists("allow-ingress-in-ns-test-nwpolicy-0in", "128.0.0.0/1", util.IpsetNetHashFlag) {
|
||||
t.Errorf("TestDeleteFromSet failed @ ipsMgr.AddToSet")
|
||||
}
|
||||
|
||||
allowEgress := &networkingv1.NetworkPolicy{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "allow-egress",
|
||||
|
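Review bot: The two failure messages in the new assertions are copy-pasted from another test: they read `TestDeleteFromSet failed @ ipsMgr.AddToSet`, but this is TestAddNetworkPolicy checking ipsMgr.Exists, so a failure would point at the wrong test and the wrong call; something like `t.Errorf("TestAddNetworkPolicy failed @ ipsMgr.Exists: expected %s in %s", "1.0.0.0/1", setName)` names the actual check. The check is also one-sided: it proves the two /1 halves are present but not that the literal `0.0.0.0/0` entry was never added, so a regression that adds the raw entry as well would still pass — a negative check `if ipsMgr.Exists(setName, "0.0.0.0/0", util.IpsetNetHashFlag) { t.Errorf(...) }` closes that, assuming Exists reports what this test's ipsMgr recorded rather than a live ipset, which I cannot tell from the hunk. The set name `allow-ingress-in-ns-test-nwpolicy-0in` is spelled out twice; hoisting it into a local keeps both assertions in step if the naming scheme changes. TestAddNetworkPolicy starts before this hunk and continues after it.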