Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add validating webhooks for Egress and ExternalIPPool #2358

Merged
merged 1 commit into from
Jul 9, 2021

Conversation

tnqn
Copy link
Member

@tnqn tnqn commented Jul 7, 2021

The webhook for Egress validates that the EgressIP must be within the IP
ranges of the ExternalIPPool if both are set.

The webhook for ExternalIPPool validates that the ExternalIPPool must
not shrink.

For #2128

Signed-off-by: Quan Tian qtian@vmware.com

@tnqn tnqn added this to the Antrea v1.2 release milestone Jul 7, 2021
@tnqn
Copy link
Member Author

tnqn commented Jul 7, 2021

/test-all

@codecov-commenter
Copy link

codecov-commenter commented Jul 7, 2021

Codecov Report

Merging #2358 (ad4a3fe) into main (5313dd7) will increase coverage by 4.57%.
The diff coverage is 71.15%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #2358      +/-   ##
==========================================
+ Coverage   59.79%   64.37%   +4.57%     
==========================================
  Files         283      284       +1     
  Lines       22118    22215      +97     
==========================================
+ Hits        13226    14300    +1074     
+ Misses       7479     6432    -1047     
- Partials     1413     1483      +70     
Flag Coverage Δ
e2e-tests 53.84% <7.69%> (?)
kind-e2e-tests 47.03% <7.69%> (-0.21%) ⬇️
unit-tests 42.06% <69.47%> (+0.15%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/apiserver/handlers/webhook/validation_crd.go 48.78% <33.33%> (-3.86%) ⬇️
pkg/apiserver/apiserver.go 88.00% <66.66%> (-2.00%) ⬇️
pkg/controller/egress/validate.go 73.80% <73.80%> (ø)
pkg/controller/egress/ipallocator/allocator.go 82.97% <80.00%> (-0.17%) ⬇️
pkg/ovs/openflow/ofctrl_bridge.go 50.00% <0.00%> (+0.34%) ⬆️
pkg/agent/openflow/network_policy.go 76.41% <0.00%> (+0.59%) ⬆️
pkg/agent/cniserver/pod_configuration.go 54.68% <0.00%> (+0.78%) ⬆️
pkg/controller/grouping/group_entity_index.go 94.58% <0.00%> (+1.27%) ⬆️
pkg/controller/egress/store/egressgroup.go 1.38% <0.00%> (+1.38%) ⬆️
... and 53 more

pkg/controller/egress/validate.go Outdated Show resolved Hide resolved
pkg/controller/egress/validate.go Show resolved Hide resolved
build/yamls/base/controller.yml Outdated Show resolved Hide resolved
build/yamls/base/controller.yml Outdated Show resolved Hide resolved
Copy link
Member Author

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @abhiraut for reviewing

build/yamls/base/controller.yml Outdated Show resolved Hide resolved
build/yamls/base/controller.yml Outdated Show resolved Hide resolved
pkg/controller/egress/validate.go Outdated Show resolved Hide resolved
pkg/controller/egress/validate.go Show resolved Hide resolved
@tnqn tnqn force-pushed the egress-validating branch from 42e8a6e to 5a5cf8d Compare July 8, 2021 17:14
@tnqn
Copy link
Member Author

tnqn commented Jul 8, 2021

/test-all

@tnqn tnqn requested review from abhiraut, antoninbas and jianjuns July 8, 2021 17:15
Copy link
Contributor

@antoninbas antoninbas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some nits, otherwise LGTM

switch review.Request.Operation {
case admv1.Create:
klog.V(2).Info("Validating CREATE request for ExternalIPPool")
// Always allow CREATE request.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe the comment should say that this shouldn't happen with the webhook configuration we include the in Antrea YAML manifests?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

expectedResponse *admv1.AdmissionResponse
}{
{
name: "CREATE: Requesting IP from non-existing ExternalIPPool should not be allowed",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why the weird formatting for these testcase names?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to make names different for CREATE and UPDATE operations when both of them are requesting invalid IPs.
I have updated the UPDATE case to "Updating to ...".

expectedResponse: &admv1.AdmissionResponse{Allowed: true},
},
{
name: "UPDATE: Requesting IP out of range should be allowed",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should not be allowed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, thanks for catching it.

@abhiraut
Copy link
Contributor

abhiraut commented Jul 8, 2021

LGTM. Perhaps you want to resolve Antonin comments

The webhook for Egress validates that the EgressIP must be within the IP
ranges of the ExternalIPPool if both are set.

The webhook for ExternalIPPool validates that the ExternalIPPool must
not shrink.

Signed-off-by: Quan Tian <qtian@vmware.com>
Copy link
Member Author

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@antoninbas @abhiraut thanks for the review. I have addressed all comments, PTAL.

switch review.Request.Operation {
case admv1.Create:
klog.V(2).Info("Validating CREATE request for ExternalIPPool")
// Always allow CREATE request.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

expectedResponse *admv1.AdmissionResponse
}{
{
name: "CREATE: Requesting IP from non-existing ExternalIPPool should not be allowed",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to make names different for CREATE and UPDATE operations when both of them are requesting invalid IPs.
I have updated the UPDATE case to "Updating to ...".

expectedResponse: &admv1.AdmissionResponse{Allowed: true},
},
{
name: "UPDATE: Requesting IP out of range should be allowed",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, thanks for catching it.

@tnqn tnqn force-pushed the egress-validating branch from 5a5cf8d to ad4a3fe Compare July 9, 2021 00:29
expectedResponse *admv1.AdmissionResponse
}{
{
name: "Requesting IP from non-existing ExternalIPPool should not be allowed",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my question was more about the large whitespace between name: and the string, which you don't have above

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I get it now but I'm not sure the reason. make fmt does it even I remove the spaces. Maybe it has a rule about in which case keeping align is desired. Perhaps keeping align is not desired when the value is a composite literal.

@tnqn
Copy link
Member Author

tnqn commented Jul 9, 2021

/test-all

@tnqn
Copy link
Member Author

tnqn commented Jul 9, 2021

/test-networkpolicy
/test-e2e

@tnqn tnqn merged commit 652b322 into antrea-io:main Jul 9, 2021
@tnqn tnqn mentioned this pull request Aug 24, 2021
6 tasks
@tnqn tnqn deleted the egress-validating branch August 25, 2021 16:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants