@danwinship
Contributor

What this PR does / why we need it:

Validates NetworkDeviceData more strictly. There's no reason to allow non-standard or non-canonical IP values in new APIs.

Which issue(s) this PR fixes:

None, but related to KEP-4858 (kubernetes/enhancements#4899) and #128786

Does this PR introduce a user-facing change?

When using the Alpha DRAResourceClaimDeviceStatus feature, IP address values
in the NetworkDeviceData are now validated more strictly.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/issues/4858

/kind bug
/sig network
/cc @aojea
/assign @LionelJouin

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 14, 2024
@k8s-ci-robot k8s-ci-robot requested a review from aojea December 14, 2024 14:21
@k8s-ci-robot k8s-ci-robot added sig/network Categorizes an issue or PR as relevant to SIG Network. wg/device-management Categorizes an issue or PR as relevant to WG Device Management. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 14, 2024
allErrs = append(allErrs, field.TooLong(fldPath.Child("hardwareAddress"), "" /* unused */, hardwareAddressMaxLength))
}

allErrs = append(allErrs, validateSet(networkDeviceData.IPs, maxIPs,
Member

note, but I find these helpers very difficult to reason about

Member

ok, I got it now, the first function validates, the second function checks for dupes

if err != nil {
return "", "" // will fail at IsValidCIDR
// must fail
return validation.IsValidCIDR(fldPath, address)
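
Review bot: the `// must fail` comment above `return validation.IsValidCIDR(fldPath, address)` and the `return "", "" // will fail at IsValidCIDR` path both assume the validator rejects exactly the inputs the key function could not parse, and nothing in these lines enforces that. If the two ever parse differently, an entry gets an empty key and no error is reported for it. Consider naming the shared parser in the comment and adding a unit test that feeds the same malformed address through both functions.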
Member

note to self, this just does the same, parse the cidr, but throws the expected ErrorList

    func IsValidCIDR(fldPath *field.Path, value string) field.ErrorList {
        var allErrors field.ErrorList
        _, _, err := netutils.ParseCIDRSloppy(value)
        if err != nil {
            allErrors = append(allErrors, field.Invalid(fldPath, value, "must be a valid CIDR value, (e.g. 10.9.8.0/24 or 2001:db8::/64)"))
        }
        return allErrors
    }
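
The validate-then-deduplicate shape discussed in the review, with strict canonical checking, as an added example that is not code from this PR or from Kubernetes. It uses Go's standard `net/netip`; the helper names `checkCanonical` and `validateIPs`, the sample addresses, and the choice to reject IPv4-mapped IPv6 are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// checkCanonical returns "" if s is an interface address in canonical CIDR
// form, otherwise the reason it is rejected. Hypothetical helper.
func checkCanonical(s string) string {
	p, err := netip.ParsePrefix(s) // strict: rejects IPv4 octets with leading zeros
	if err != nil {
		return "not a valid CIDR value"
	}
	if p.Addr().Is4In6() {
		return "IPv4-mapped IPv6 address" // assumption: treated as non-canonical here
	}
	if p.String() != s { // round trip catches upper case, padded hextets, etc.
		return fmt.Sprintf("not canonical, want %q", p.String())
	}
	return ""
}

// validateIPs validates each entry, then checks for duplicates. Only canonical
// strings pass the first step, so the string itself is a reliable duplicate key.
func validateIPs(ips []string) []string {
	var errs []string
	seen := map[string]bool{}
	for i, s := range ips {
		if reason := checkCanonical(s); reason != "" {
			errs = append(errs, fmt.Sprintf("ips[%d]: %q: %s", i, s, reason))
			continue
		}
		if seen[s] {
			errs = append(errs, fmt.Sprintf("ips[%d]: %q: duplicate", i, s))
		}
		seen[s] = true
	}
	return errs
}

func main() {
	// Constructed sample values, not taken from the PR.
	sample := []string{"10.9.8.7/24", "010.9.8.7/24", "2001:db8::1/64",
		"2001:0DB8::1/64", "::ffff:10.9.8.7/120", "10.9.8.7/24"}
	for _, e := range validateIPs(sample) {
		fmt.Println(e)
	}
}
```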

@aojea
Member

aojea commented Dec 14, 2024

/lgtm
/approve

good catch

/assign @thockin

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 14, 2024
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: b27063b6d83674146d8c27ad57c5d1f47937e1e6

@aojea
Member

aojea commented Dec 14, 2024

/approve

can I?

@pohly
Contributor

pohly commented Feb 19, 2025

/label api-review
/priority important-soon
/triage accepted

This blocks promotion to beta in 1.33.

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on. api-review Categorizes an issue or PR as actively needing an API review. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 19, 2025
Member

@thockin thockin left a comment

@yongruilin @aaron-prindle another one :)

There's no reason to allow non-standard or non-canonical IP values in
new APIs.
@danwinship danwinship force-pushed the networkdevicedata-validation branch from 9315731 to 2636aa3 Compare February 20, 2025 17:49
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 20, 2025
@aojea
Member

aojea commented Feb 20, 2025

Kubernetes e2e suite: [It] [sig-cli] Kubectl client Simple pod should return command exit codes should handle in-cluster config

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 20, 2025
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 032dd381c867f92ac4b0f3712c0b0e0ee9ea5e14

@aojea
Member

aojea commented Feb 20, 2025

/test pull-kubernetes-e2e-gce

failed test is unrelated

@thockin
Member

thockin commented Feb 20, 2025

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, danwinship, LionelJouin, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 20, 2025
@k8s-ci-robot k8s-ci-robot merged commit 9bf60d0 into kubernetes:master Feb 21, 2025
13 checks passed
@danwinship danwinship deleted the networkdevicedata-validation branch February 21, 2025 02:33
@liggitt liggitt moved this to API review completed, 1.33 in API Reviews Feb 27, 2025
Labels

api-review Categorizes an issue or PR as actively needing an API review. approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/network Categorizes an issue or PR as relevant to SIG Network. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on. wg/device-management Categorizes an issue or PR as relevant to WG Device Management.

Projects

Status: API review completed, 1.33
Status: Done
Archived in project

6 participants