improve webhook functions for vpc and subnet (#2241)

* 1.add job and cronjob check in webhook 2.fix pod check in webhook * 1. remove debug log * improve webhook functions for vpc and subnet Co-authored-by: yl4811 <yl4811@yealink.com>
kubeovn · Jan 16, 2023 · dc731ef · dc731ef
1 parent dfb1cc2
commit dc731ef
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 0 deletions.
diff --git a/pkg/util/validator.go b/pkg/util/validator.go
@@ -65,6 +65,13 @@ func ValidateSubnet(subnet kubeovnv1.Subnet) error {
 		return fmt.Errorf("%s is not a valid gateway type", gwType)
 	}
 
+	protocol := subnet.Spec.Protocol
+	if protocol != "" && protocol != kubeovnv1.ProtocolIPv4 &&
+		protocol != kubeovnv1.ProtocolIPv6 &&
+		protocol != kubeovnv1.ProtocolDual {
+		return fmt.Errorf("%s is not a valid protocol type", protocol)
+	}
+
 	if subnet.Spec.Vpc == DefaultVpc {
 		k8sApiServer := os.Getenv("KUBERNETES_SERVICE_HOST")
 		if k8sApiServer != "" && CIDRContainIP(subnet.Spec.CIDRBlock, k8sApiServer) {
@@ -206,3 +213,45 @@ func ValidateCidrConflict(subnet kubeovnv1.Subnet, subnetList []kubeovnv1.Subnet
 	}
 	return nil
 }
+
+func ValidateVpc(vpc *kubeovnv1.Vpc) error {
+	for _, item := range vpc.Spec.StaticRoutes {
+		if item.Policy != "" && item.Policy != kubeovnv1.PolicyDst && item.Policy != kubeovnv1.PolicySrc {
+			return fmt.Errorf("unknown policy type: %s", item.Policy)
+		}
+
+		if strings.Contains(item.CIDR, "/") {
+			if _, _, err := net.ParseCIDR(item.CIDR); err != nil {
+				return fmt.Errorf("invalid cidr %s: %w", item.CIDR, err)
+			}
+		} else if ip := net.ParseIP(item.CIDR); ip == nil {
+			return fmt.Errorf("invalid IP %s", item.CIDR)
+		}
+
+		if ip := net.ParseIP(item.NextHopIP); ip == nil {
+			return fmt.Errorf("invalid next hop IP %s", item.NextHopIP)
+		}
+	}
+
+	for _, item := range vpc.Spec.PolicyRoutes {
+		if item.Action != kubeovnv1.PolicyRouteActionReroute &&
+			item.Action != kubeovnv1.PolicyRouteActionAllow &&
+			item.Action != kubeovnv1.PolicyRouteActionDrop {
+			return fmt.Errorf("unknown policy action: %s", item.Action)
+		}
+
+		if item.Action == kubeovnv1.PolicyRouteActionReroute {
+			if ip := net.ParseIP(item.NextHopIP); ip == nil {
+				return fmt.Errorf("bad next hop ip: %s", item.NextHopIP)
+			}
+		}
+	}
+
+	for _, item := range vpc.Spec.VpcPeerings {
+		if err := CheckCidrs(item.LocalConnectIP); err != nil {
+			return fmt.Errorf("invalid cidr %s", item.LocalConnectIP)
+		}
+	}
+
+	return nil
+}
diff --git a/pkg/webhook/subnet.go b/pkg/webhook/subnet.go
@@ -30,6 +30,17 @@ func (v *ValidatingHook) SubnetCreateHook(ctx context.Context, req admission.Req
 		return ctrlwebhook.Denied(err.Error())
 	}
 
+	vpcList := &ovnv1.VpcList{}
+	if err := v.cache.List(ctx, vpcList); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+	for _, item := range vpcList.Items {
+		if item.Name == o.Name {
+			err := fmt.Errorf("vpc and subnet cannot have the same name")
+			return ctrlwebhook.Errored(http.StatusBadRequest, err)
+		}
+	}
+
 	return ctrlwebhook.Allowed("by pass")
 }
 

diff --git a/pkg/webhook/vpc.go b/pkg/webhook/vpc.go
@@ -3,6 +3,7 @@ package webhook
 import (
 	"context"
 	"fmt"
+	"github.com/kubeovn/kube-ovn/pkg/util"
 	"net/http"
 
 	ctrlwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -11,6 +12,43 @@ import (
 	ovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
 )
 
+func (v *ValidatingHook) VpcCreateHook(ctx context.Context, req admission.Request) admission.Response {
+	vpc := ovnv1.Vpc{}
+	if err := v.decoder.DecodeRaw(req.Object, &vpc); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+
+	subnetList := &ovnv1.SubnetList{}
+	if err := v.cache.List(ctx, subnetList); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+	for _, item := range subnetList.Items {
+		if item.Name == vpc.Name {
+			err := fmt.Errorf("vpc and subnet cannot have the same name")
+			return ctrlwebhook.Errored(http.StatusBadRequest, err)
+		}
+	}
+
+	if err := util.ValidateVpc(&vpc); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+
+	return ctrlwebhook.Allowed("by pass")
+}
+
+func (v *ValidatingHook) VpcUpdateHook(ctx context.Context, req admission.Request) admission.Response {
+	vpc := ovnv1.Vpc{}
+	if err := v.decoder.DecodeRaw(req.Object, &vpc); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+
+	if err := util.ValidateVpc(&vpc); err != nil {
+		return ctrlwebhook.Errored(http.StatusBadRequest, err)
+	}
+
+	return ctrlwebhook.Allowed("by pass")
+}
+
 func (v *ValidatingHook) VpcDeleteHook(ctx context.Context, req admission.Request) admission.Response {
 	vpc := ovnv1.Vpc{}
 	if err := v.decoder.DecodeRaw(req.OldObject, &vpc); err != nil {

diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
@@ -50,6 +50,8 @@ func NewValidatingHook(c cache.Cache) (*ValidatingHook, error) {
 	updateHooks[subnetGVK] = v.SubnetUpdateHook
 	deleteHooks[subnetGVK] = v.SubnetDeleteHook
 
+	createHooks[vpcGVK] = v.VpcCreateHook
+	updateHooks[vpcGVK] = v.VpcUpdateHook
 	deleteHooks[vpcGVK] = v.VpcDeleteHook
 
 	return v, nil