Updating kube-proxy to trim space from loadBalancerSourceRanges #94107
Before this fix, a Service with a loadBalancerSourceRange value that included a space would cause kube-proxy to crashloop. This updates kube-proxy to trim any space from that field.
95f4348 to c382c79
@bowei I've added another check and test now for better coverage here. Now if syncProxyRules ever runs into an invalid CIDR it simply drops it - this happens after TrimSpace is called so extra spaces do not invalidate a CIDR. I don't think this should ever get hit though. The validation for this field actually trims spaces before running validation. Whether or not that's a good idea I'm not sure, but we were not doing that in kube-proxy as a consumer of the API. Changing the core validation would require a much longer release cycle and would likely be relatively difficult since the actual code that should change is in the utils repo. If you're curious, here's the validation flow:
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bowei, robscott The full list of commands accepted by this bot can be found here. The pull request process is described here
shouldn't we have caught this in validation?
kubernetes/pkg/apis/core/validation/validation.go Lines 4320 to 4339 in 14a1106
@aojea you would think so, but unfortunately not. Outlined the flow in #94107 (comment). Unfortunately
The validation function is technically wrong -- validation should not be mutating the input before validating. An IP address with extra whitespace is not a valid IP address.
yeah, didn't mean to ask for changes. I was curious about what will be the "ideal" solution
... , and I was thinking if validation should reject the IP as invalid ...
absolutely agree on this
/retest
…07-upstream-release-1.19 Automated cherry pick of #94107: Updating kube-proxy to trim space from
…07-upstream-release-1.18 Automated cherry pick of #94107: Updating kube-proxy to trim space from
…07-upstream-release-1.17 Automated cherry pick of #94107: Updating kube-proxy to trim space from
Similarly to what is being done in upstream kube-proxy [1], but unfortunately without explaining why, loadBalancerSourceRanges might contain spaces which prevents the CIDR from being parsed correctly.

[1] kubernetes/kubernetes#94107

Fixes: 3195681 ("k8s: Add and parse LoadBalancerSourceRanges field")
Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit ada413f ]

Similarly to what is being done in upstream kube-proxy [1], but unfortunately without explaining why, loadBalancerSourceRanges might contain spaces which prevents the CIDR from being parsed correctly.

[1] kubernetes/kubernetes#94107

Fixes: 3195681 ("k8s: Add and parse LoadBalancerSourceRanges field")
v1.8 backport: fixed a trivial conflict at pkg/k8s/service.go:117
Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>

[ upstream commit ada413f ]

Similarly to what is being done in upstream kube-proxy [1], but unfortunately without explaining why, loadBalancerSourceRanges might contain spaces which prevents the CIDR from being parsed correctly.

[1] kubernetes/kubernetes#94107

Fixes: 3195681 ("k8s: Add and parse LoadBalancerSourceRanges field")
Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
What type of PR is this?
/kind bug
What this PR does / why we need it:
This updates kube-proxy to trim any space from loadBalancerSourceRanges to match validation. A better long term fix will require updating Service validation for future Kubernetes versions to not trim spaces before validation.
Special notes for your reviewer:
This feels like the kind of fix that should be part of 1.19 and potentially backported to older Kubernetes versions.
Does this PR introduce a user-facing change?:
/sig network
/priority critical-urgent
/assign @bowei
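
The validator/consumer mismatch discussed in this thread, as an added Go example that is not code from this pull request or from Kubernetes. The function names (`lenientValidate`, `strictValidate`, `consumeTolerant`) and the sample values are hypothetical and constructed for illustration; only `net.ParseCIDR` and `strings.TrimSpace` are real standard-library calls.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// lenientValidate trims before parsing, as the thread says Service validation
// does: a padded value passes, but the stored field keeps its whitespace.
func lenientValidate(ranges []string) error {
	for _, r := range ranges {
		if _, _, err := net.ParseCIDR(strings.TrimSpace(r)); err != nil {
			return fmt.Errorf("invalid CIDR %q: %v", r, err)
		}
	}
	return nil
}

// strictValidate parses the value exactly as stored. This is also what a
// consumer sees when it parses the field without trimming.
func strictValidate(ranges []string) error {
	for _, r := range ranges {
		if _, _, err := net.ParseCIDR(r); err != nil {
			return fmt.Errorf("invalid CIDR %q: %v", r, err)
		}
	}
	return nil
}

// consumeTolerant is the consumer-side handling described in the PR text:
// trim first, then drop anything that still does not parse instead of failing.
func consumeTolerant(ranges []string) (ok, dropped []string) {
	for _, r := range ranges {
		_, ipnet, err := net.ParseCIDR(strings.TrimSpace(r))
		if err != nil {
			dropped = append(dropped, r)
			continue
		}
		ok = append(ok, ipnet.String())
	}
	return ok, dropped
}

func main() {
	stored := []string{" 10.0.0.0/8", "192.168.1.0/24 ", "not-a-cidr"} // constructed sample
	fmt.Println("lenient:", lenientValidate(stored[:2]))
	fmt.Println("strict: ", strictValidate(stored[:2]))
	ok, dropped := consumeTolerant(stored)
	fmt.Printf("kept=%q dropped=%q\n", ok, dropped)
}
```
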